The results from OWASP's ZAP have been very useful for eliminating vulnerable parts of my website.
However, I've found a lot of results that I simply cannot fix. For example, into one of the GET parameters it has put javascript:alert(1);. This variable is then output by PHP in a hidden element's value attribute. So the final HTML looks like:
<input type="hidden" name="someName" id="someID" value="javascript:alert(1);"/>
This value is normally used to populate a drop down with JavaScript. If it's 1 it shows optional search filters, if 0 it shows nothing. So it's only used in a string comparison that fails.
I see no way for this to be exploited; the alert does not run like in other attacks ZAP has shown me. The output is encoded, so they cannot inject HTML by ending the quotes or the element early with "/> like previously found attacks, as these characters become their HTML entity counterparts.
Is this just a false positive from ZAP matching the input string in the page source, as encoding javascript:alert(1); still results in exactly the same string, javascript:alert(1);?
Yes, OWASP's ZAP tries to find vulnerabilities on your website, and it works automatically.
If it's successful in adding ANY PART of code into your website, the website is considered vulnerable automatically.
If your website only accepts "0" or "1" as the value of hidden input, and doesn't save or prompt the value anywhere (not even to cookies), this is not a security vulnerability, and you're safe.
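To make the reasoning in the question and the answer concrete, here is an added Python example; it is not code from the poster's site. It models the PHP output with html.escape(quote=True), which encodes the same characters (&, <, >, ", ') as htmlspecialchars() with ENT_QUOTES, and the template string, the two sample payloads and the helper names are constructed for the demonstration. It shows why the scanner payload javascript:alert(1); survives encoding unchanged (it contains no HTML metacharacters, so the reflection check matches), why a real breakout payload does not, and how the whitelist the answer recommends removes the reflection altogether.

```python
import html

# Constructed pieces of the page's hidden input, split around the attacker-controlled value.
TEMPLATE_HEAD = '<input type="hidden" name="someName" id="someID" value="'
TEMPLATE_TAIL = '"/>'

# Constructed sample payloads of the kind a scanner reflects back into the parameter.
HARMLESS_PAYLOAD = "javascript:alert(1);"           # no HTML metacharacters at all
BREAKOUT_PAYLOAD = '"/><script>alert(1)</script>'   # tries to close the attribute and element


def render_hidden(value: str) -> str:
    """Encoded output, as a PHP page using htmlspecialchars($value, ENT_QUOTES) would emit."""
    return TEMPLATE_HEAD + html.escape(value, quote=True) + TEMPLATE_TAIL


def render_hidden_unencoded(value: str) -> str:
    """The shape of the earlier, genuinely vulnerable findings: value echoed raw."""
    return TEMPLATE_HEAD + value + TEMPLATE_TAIL


def attribute_breakout_possible(rendered: str) -> bool:
    """True if the attacker-controlled part of the markup still holds a raw quote or
    angle bracket, i.e. it could terminate the value attribute or the element."""
    body = rendered[len(TEMPLATE_HEAD):len(rendered) - len(TEMPLATE_TAIL)]
    return any(ch in body for ch in '"<>')


def payload_reflected_verbatim(payload: str, rendered: str) -> bool:
    """The check a reflection-based scanner effectively performs on the response."""
    return payload in rendered


def normalise_flag(raw: str) -> str:
    """Whitelist the parameter to the only values the page uses ('0' or '1');
    anything else falls back to '0', so nothing attacker-chosen is ever echoed."""
    return raw if raw in ("0", "1") else "0"


if __name__ == "__main__":
    for payload in (HARMLESS_PAYLOAD, BREAKOUT_PAYLOAD):
        encoded = render_hidden(payload)
        print(encoded)
        print("  reflected verbatim:", payload_reflected_verbatim(payload, encoded))
        print("  breakout possible: ", attribute_breakout_possible(encoded))
    print(render_hidden(normalise_flag(BREAKOUT_PAYLOAD)))
```

The harmless payload comes back byte-for-byte identical after encoding, which is exactly what triggers the scanner's match even though no attribute or element boundary can be crossed; the breakout payload is neutralised by the same encoding. Applying normalise_flag before output is the cheaper fix: the page then only ever emits "0" or "1", and the finding disappears because the input is no longer reflected at all.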