GovWay Console di Configurazione

Analisi per la console di configurazione di GovWay

Site: http://127.0.0.1:8080/govwayConsole/configurazioneAuditing.do

Generated on Sat, 11 Apr 2026 17:04:26

ZAP Version: 2.17.0

ZAP by Checkmarx

Summary of Alerts

Risk Level Number of Alerts
High
0
Medium
0
Low
0
Informational
1

Alerts

Name Risk Level Number of Instances
User Controllable HTML Element Attribute (Potential XSS) Informational 6

Alert Detail

Informational
 User Controllable HTML Element Attribute (Potential XSS)
Description
This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability.
URL http://127.0.0.1:8080/govwayConsole/configurazioneAuditing.do
Node Name http://127.0.0.1:8080/govwayConsole/configurazioneAuditing.do ()(__i_hidden_locklabel_,__i_hidden_lockurl_,__i_hidden_lockvalue_,_csrf,dump,edit-mode,formatodump,log4j,stato,statoaudit)
Method POST
Parameter dump
Attack
Evidence
Other Info
User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL:

http://127.0.0.1:8080/govwayConsole/configurazioneAuditing.do

appears to include user input in:

a(n) [option] tag [value] attribute

The user input found was:

dump=disabilitato

The user-controlled value was:

disabilitato
URL http://127.0.0.1:8080/govwayConsole/configurazioneAuditing.do
Node Name http://127.0.0.1:8080/govwayConsole/configurazioneAuditing.do ()(__i_hidden_locklabel_,__i_hidden_lockurl_,__i_hidden_lockvalue_,_csrf,dump,edit-mode,formatodump,log4j,stato,statoaudit)
Method POST
Parameter edit-mode
Attack
Evidence
Other Info
User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL:

http://127.0.0.1:8080/govwayConsole/configurazioneAuditing.do

appears to include user input in:

a(n) [input] tag [value] attribute

The user input found was:

edit-mode=end

The user-controlled value was:

end
URL http://127.0.0.1:8080/govwayConsole/configurazioneAuditing.do
Node Name http://127.0.0.1:8080/govwayConsole/configurazioneAuditing.do ()(__i_hidden_locklabel_,__i_hidden_lockurl_,__i_hidden_lockvalue_,_csrf,dump,edit-mode,formatodump,log4j,stato,statoaudit)
Method POST
Parameter formatodump
Attack
Evidence
Other Info
User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL:

http://127.0.0.1:8080/govwayConsole/configurazioneAuditing.do

appears to include user input in:

a(n) [input] tag [value] attribute

The user input found was:

formatodump=JSON

The user-controlled value was:

json
URL http://127.0.0.1:8080/govwayConsole/configurazioneAuditing.do
Node Name http://127.0.0.1:8080/govwayConsole/configurazioneAuditing.do ()(__i_hidden_locklabel_,__i_hidden_lockurl_,__i_hidden_lockvalue_,_csrf,dump,edit-mode,formatodump,log4j,stato,statoaudit)
Method POST
Parameter log4j
Attack
Evidence
Other Info
User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL:

http://127.0.0.1:8080/govwayConsole/configurazioneAuditing.do

appears to include user input in:

a(n) [option] tag [value] attribute

The user input found was:

log4j=abilitato

The user-controlled value was:

abilitato
URL http://127.0.0.1:8080/govwayConsole/configurazioneAuditing.do
Node Name http://127.0.0.1:8080/govwayConsole/configurazioneAuditing.do ()(__i_hidden_locklabel_,__i_hidden_lockurl_,__i_hidden_lockvalue_,_csrf,dump,edit-mode,formatodump,log4j,stato,statoaudit)
Method POST
Parameter stato
Attack
Evidence
Other Info
User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL:

http://127.0.0.1:8080/govwayConsole/configurazioneAuditing.do

appears to include user input in:

a(n) [option] tag [value] attribute

The user input found was:

stato=abilitato

The user-controlled value was:

abilitato
URL http://127.0.0.1:8080/govwayConsole/configurazioneAuditing.do
Node Name http://127.0.0.1:8080/govwayConsole/configurazioneAuditing.do ()(__i_hidden_locklabel_,__i_hidden_lockurl_,__i_hidden_lockvalue_,_csrf,dump,edit-mode,formatodump,log4j,stato,statoaudit)
Method POST
Parameter statoaudit
Attack
Evidence
Other Info
User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL:

http://127.0.0.1:8080/govwayConsole/configurazioneAuditing.do

appears to include user input in:

a(n) [option] tag [value] attribute

The user input found was:

statoaudit=abilitato

The user-controlled value was:

abilitato
Instances 6
Solution
Validate all input and sanitize output it before writing to any HTML attributes.
Reference https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
CWE Id 20
WASC Id 20
Plugin Id 10031