{ "@programName": "ZAP", "@version": "2.17.0", "@generated": "Sat, 11 Apr 2026 16:57:18", "created": "2026-04-11T14:57:18.958093030Z", "insights":[ { "level": "Info", "reason": "Informational", "site": "http://127.0.0.1:8080", "key": "insight.code.2xx", "description": "Percentage of responses with status code 2xx", "statistic": "94" }, { "level": "Info", "reason": "Informational", "site": "http://127.0.0.1:8080", "key": "insight.code.3xx", "description": "Percentage of responses with status code 3xx", "statistic": "2" }, { "level": "Info", "reason": "Informational", "site": "http://127.0.0.1:8080", "key": "insight.code.5xx", "description": "Percentage of responses with status code 5xx", "statistic": "3" }, { "level": "Info", "reason": "Informational", "site": "http://127.0.0.1:8080", "key": "insight.endpoint.ctype.application/zip", "description": "Percentage of endpoints with content type application/zip", "statistic": "1" }, { "level": "Info", "reason": "Informational", "site": "http://127.0.0.1:8080", "key": "insight.endpoint.ctype.image/gif", "description": "Percentage of endpoints with content type image/gif", "statistic": "1" }, { "level": "Info", "reason": "Informational", "site": "http://127.0.0.1:8080", "key": "insight.endpoint.ctype.image/png", "description": "Percentage of endpoints with content type image/png", "statistic": "5" }, { "level": "Info", "reason": "Informational", "site": "http://127.0.0.1:8080", "key": "insight.endpoint.ctype.image/x-icon", "description": "Percentage of endpoints with content type image/x-icon", "statistic": "1" }, { "level": "Info", "reason": "Informational", "site": "http://127.0.0.1:8080", "key": "insight.endpoint.ctype.text/css", "description": "Percentage of endpoints with content type text/css", "statistic": "8" }, { "level": "Info", "reason": "Informational", "site": "http://127.0.0.1:8080", "key": "insight.endpoint.ctype.text/html", "description": "Percentage of endpoints with content type text/html", "statistic": "73" }, { "level": "Info", "reason": "Informational", "site": "http://127.0.0.1:8080", "key": "insight.endpoint.ctype.text/javascript", "description": "Percentage of endpoints with content type text/javascript", "statistic": "8" }, { "level": "Info", "reason": "Informational", "site": "http://127.0.0.1:8080", "key": "insight.endpoint.ctype.text/plain", "description": "Percentage of endpoints with content type text/plain", "statistic": "1" }, { "level": "Info", "reason": "Informational", "site": "http://127.0.0.1:8080", "key": "insight.endpoint.method.GET", "description": "Percentage of endpoints with method GET", "statistic": "59" }, { "level": "Info", "reason": "Informational", "site": "http://127.0.0.1:8080", "key": "insight.endpoint.method.POST", "description": "Percentage of endpoints with method POST", "statistic": "40" }, { "level": "Info", "reason": "Informational", "site": "http://127.0.0.1:8080", "key": "insight.endpoint.total", "description": "Count of total endpoints", "statistic": "155" }, { "level": "Info", "reason": "Informational", "site": "http://127.0.0.1:8080", "key": "insight.response.slow", "description": "Percentage of slow responses", "statistic": "52" } ], "site":[ { "@name": "http://127.0.0.1:8080/govwayConsole/import.do", "@host": "127.0.0.1", "@port": "8080", "@ssl": "false", "alerts": [ { "pluginid": "10031", "alertRef": "10031", "alert": "User Controllable HTML Element Attribute (Potential XSS)", "name": "User Controllable HTML Element Attribute (Potential XSS)", "riskcode": "0", "confidence": "1", "riskdesc": "Informational (Low)", "desc": "

This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability.

", "instances":[ { "id": "25", "uri": "http://127.0.0.1:8080/govwayConsole/import.do?__prevTabKey__=9969d837-1311-4a65-b92d-b1078bac7314&modalita=import&resetSearch=yes", "nodeName": "http:\/\/127.0.0.1:8080\/govwayConsole\/import.do (__prevTabKey__,modalita,resetSearch)", "method": "GET", "param": "modalita", "attack": "", "evidence": "", "otherinfo": "User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL:\n\nhttp://127.0.0.1:8080/govwayConsole/import.do?__prevTabKey__=9969d837-1311-4a65-b92d-b1078bac7314&modalita=import&resetSearch=yes\n\nappears to include user input in:\na(n) [a] tag [title] attribute\n\nThe user input found was:\nmodalita=import\n\nThe user-controlled value was:\nimporta" }, { "id": "28", "uri": "http://127.0.0.1:8080/govwayConsole/import.do?__prevTabKey__=9969d837-1311-4a65-b92d-b1078bac7314&modalita=import&resetSearch=yes", "nodeName": "http:\/\/127.0.0.1:8080\/govwayConsole\/import.do (__prevTabKey__,modalita,resetSearch)", "method": "GET", "param": "resetSearch", "attack": "", "evidence": "", "otherinfo": "User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL:\n\nhttp://127.0.0.1:8080/govwayConsole/import.do?__prevTabKey__=9969d837-1311-4a65-b92d-b1078bac7314&modalita=import&resetSearch=yes\n\nappears to include user input in:\na(n) [input] tag [value] attribute\n\nThe user input found was:\nresetSearch=yes\n\nThe user-controlled value was:\nyes" } ], "count": "2", "systemic": false, "solution": "

Validate all input and sanitize output it before writing to any HTML attributes.

", "otherinfo": "

User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL:

http://127.0.0.1:8080/govwayConsole/import.do?__prevTabKey__=9969d837-1311-4a65-b92d-b1078bac7314&modalita=import&resetSearch=yes

appears to include user input in:

a(n) [a] tag [title] attribute

The user input found was:

modalita=import

The user-controlled value was:

importa

", "reference": "

https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html

", "cweid": "20", "wascid": "20", "sourceid": "110" } ] } ], "sequences":[ ] }