GovWay Console di Configurazione

Site: http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc

Generated on Tue, 24 Feb 2026 05:15:05

ZAP Version: 2.17.0

Summary of Alerts

Risk Level	Number of Alerts
High	0
Medium	0
Low	0
Informational	2

Risk Level

Number of Alerts

High

Medium

Low

Informational

Alerts

Name	Risk Level	Number of Instances
User Agent Fuzzer	Informational	Systemic
User Controllable HTML Element Attribute (Potential XSS)	Informational	12

Name

Risk Level

Number of Instances

User Agent Fuzzer

Informational

Systemic

User Controllable HTML Element Attribute (Potential XSS)

Informational

Alert Detail

Informational	User Agent Fuzzer
Description	Check for differences in response based on fuzzed User Agent (eg. mobile sites, access as a Search Engine Crawler). Compares the response statuscode and the hashcode of the response body with the original response.

URL	http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc
Node Name	http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do (tipoAccordo)
Method	GET
Parameter	Header User-Agent
Attack	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Evidence
Other Info
URL	http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc
Node Name	http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do (tipoAccordo)
Method	GET
Parameter	Header User-Agent
Attack	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Evidence
Other Info
URL	http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc
Node Name	http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do (tipoAccordo)
Method	GET
Parameter	Header User-Agent
Attack	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Evidence
Other Info
Instances	Systemic
Solution
Reference	https://owasp.org/wstg
CWE Id
WASC Id
Plugin Id	10104

Informational

User Agent Fuzzer

Description

Check for differences in response based on fuzzed User Agent (eg. mobile sites, access as a Search Engine Crawler). Compares the response statuscode and the hashcode of the response body with the original response.

URL

http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc

Node Name

http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do (tipoAccordo)

Method

GET

Parameter

Header User-Agent

Attack

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Evidence

Other Info

URL

http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc

Node Name

http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do (tipoAccordo)

Method

GET

Parameter

Header User-Agent

Attack

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)

Evidence

Other Info

URL

http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc

Node Name

http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do (tipoAccordo)

Method

GET

Parameter

Header User-Agent

Attack

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)

Evidence

Other Info

Instances

Systemic

Solution

Reference

https://owasp.org/wstg

CWE Id

WASC Id

Plugin Id

10104

Informational	User Controllable HTML Element Attribute (Potential XSS)
Description	This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability.

URL	http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc
Node Name	http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do (tipoAccordo)(__i_hidden_title_iconUso_0_0,__i_hidden_title_iconUso_0_2,__i_hidden_title_iconUso_10_0,__i_hidden_title_iconUso_10_2,__i_hidden_title_iconUso_11_0,__i_hidden_title_iconUso_11_2,__i_hidden_title_iconUso_12_0,__i_hidden_title_iconUso_12_2,__i_hidden_title_iconUso_13_0,__i_hidden_title_iconUso_13_2,__i_hidden_title_iconUso_14_0,__i_hidden_title_iconUso_14_2,__i_hidden_title_iconUso_15_0,__i_hidden_title_iconUso_15_2,__i_hidden_title_iconUso_16_0,__i_hidden_title_iconUso_16_2,__i_hidden_title_iconUso_17_0,__i_hidden_title_iconUso_17_2,__i_hidden_title_iconUso_18_0,__i_hidden_title_iconUso_18_2,__i_hidden_title_iconUso_19_0,__i_hidden_title_iconUso_19_2,__i_hidden_title_iconUso_1_0,__i_hidden_title_iconUso_1_2,__i_hidden_title_iconUso_2_0,__i_hidden_title_iconUso_2_2,__i_hidden_title_iconUso_3_0,__i_hidden_title_iconUso_3_2,__i_hidden_title_iconUso_4_0,__i_hidden_title_iconUso_4_2,__i_hidden_title_iconUso_5_0,__i_hidden_title_iconUso_5_2,__i_hidden_title_iconUso_6_0,__i_hidden_title_iconUso_6_2,__i_hidden_title_iconUso_7_0,__i_hidden_title_iconUso_7_2,__i_hidden_title_iconUso_8_0,__i_hidden_title_iconUso_8_2,__i_hidden_title_iconUso_9_0,__i_hidden_title_iconUso_9_2,_csrf,be_name_0,chkAll,filterName_0,filterName_1,filterName_2,filterValue_1,filterValue_2,limit,search,selectcheckbox,url_entry_0,url_entry_1,url_entry_10,url_entry_11,url_entry_12,url_entry_13,url_entry_14,url_entry_15,url_entry_16,url_entry_17,url_entry_18,url_entry_19,url_entry_2,url_entry_3,url_entry_4,url_entry_5,url_entry_6,url_entry_7,url_entry_8,url_entry_9)
Method	POST
Parameter	filterName_0
Attack
Evidence
Other Info	User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL: http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc appears to include user input in: a(n) [input] tag [value] attribute The user input found was: filterName_0=filtroProtocollo The user-controlled value was: filtroprotocollo
URL	http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc
Node Name	http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do (tipoAccordo)(__i_hidden_title_iconUso_0_0,__i_hidden_title_iconUso_0_2,__i_hidden_title_iconUso_10_0,__i_hidden_title_iconUso_10_2,__i_hidden_title_iconUso_11_0,__i_hidden_title_iconUso_11_2,__i_hidden_title_iconUso_12_0,__i_hidden_title_iconUso_12_2,__i_hidden_title_iconUso_13_0,__i_hidden_title_iconUso_13_2,__i_hidden_title_iconUso_14_0,__i_hidden_title_iconUso_14_2,__i_hidden_title_iconUso_15_0,__i_hidden_title_iconUso_15_2,__i_hidden_title_iconUso_16_0,__i_hidden_title_iconUso_16_2,__i_hidden_title_iconUso_17_0,__i_hidden_title_iconUso_17_2,__i_hidden_title_iconUso_18_0,__i_hidden_title_iconUso_18_2,__i_hidden_title_iconUso_19_0,__i_hidden_title_iconUso_19_2,__i_hidden_title_iconUso_1_0,__i_hidden_title_iconUso_1_2,__i_hidden_title_iconUso_2_0,__i_hidden_title_iconUso_2_2,__i_hidden_title_iconUso_3_0,__i_hidden_title_iconUso_3_2,__i_hidden_title_iconUso_4_0,__i_hidden_title_iconUso_4_2,__i_hidden_title_iconUso_5_0,__i_hidden_title_iconUso_5_2,__i_hidden_title_iconUso_6_0,__i_hidden_title_iconUso_6_2,__i_hidden_title_iconUso_7_0,__i_hidden_title_iconUso_7_2,__i_hidden_title_iconUso_8_0,__i_hidden_title_iconUso_8_2,__i_hidden_title_iconUso_9_0,__i_hidden_title_iconUso_9_2,_csrf,be_name_0,chkAll,filterName_0,filterName_1,filterName_2,filterValue_1,filterValue_2,limit,search,selectcheckbox,url_entry_0,url_entry_1,url_entry_10,url_entry_11,url_entry_12,url_entry_13,url_entry_14,url_entry_15,url_entry_16,url_entry_17,url_entry_18,url_entry_19,url_entry_2,url_entry_3,url_entry_4,url_entry_5,url_entry_6,url_entry_7,url_entry_8,url_entry_9)
Method	POST
Parameter	filterName_1
Attack
Evidence
Other Info	User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL: http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc appears to include user input in: a(n) [input] tag [value] attribute The user input found was: filterName_1=filtroServiceBinding The user-controlled value was: filtroservicebinding
URL	http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc
Node Name	http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do (tipoAccordo)(__i_hidden_title_iconUso_0_0,__i_hidden_title_iconUso_0_2,__i_hidden_title_iconUso_10_0,__i_hidden_title_iconUso_10_2,__i_hidden_title_iconUso_11_0,__i_hidden_title_iconUso_11_2,__i_hidden_title_iconUso_12_0,__i_hidden_title_iconUso_12_2,__i_hidden_title_iconUso_13_0,__i_hidden_title_iconUso_13_2,__i_hidden_title_iconUso_14_0,__i_hidden_title_iconUso_14_2,__i_hidden_title_iconUso_15_0,__i_hidden_title_iconUso_15_2,__i_hidden_title_iconUso_16_0,__i_hidden_title_iconUso_16_2,__i_hidden_title_iconUso_17_0,__i_hidden_title_iconUso_17_2,__i_hidden_title_iconUso_18_0,__i_hidden_title_iconUso_18_2,__i_hidden_title_iconUso_19_0,__i_hidden_title_iconUso_19_2,__i_hidden_title_iconUso_1_0,__i_hidden_title_iconUso_1_2,__i_hidden_title_iconUso_2_0,__i_hidden_title_iconUso_2_2,__i_hidden_title_iconUso_3_0,__i_hidden_title_iconUso_3_2,__i_hidden_title_iconUso_4_0,__i_hidden_title_iconUso_4_2,__i_hidden_title_iconUso_5_0,__i_hidden_title_iconUso_5_2,__i_hidden_title_iconUso_6_0,__i_hidden_title_iconUso_6_2,__i_hidden_title_iconUso_7_0,__i_hidden_title_iconUso_7_2,__i_hidden_title_iconUso_8_0,__i_hidden_title_iconUso_8_2,__i_hidden_title_iconUso_9_0,__i_hidden_title_iconUso_9_2,_csrf,be_name_0,chkAll,filterName_0,filterName_1,filterName_2,filterValue_1,filterValue_2,limit,search,selectcheckbox,url_entry_0,url_entry_1,url_entry_10,url_entry_11,url_entry_12,url_entry_13,url_entry_14,url_entry_15,url_entry_16,url_entry_17,url_entry_18,url_entry_19,url_entry_2,url_entry_3,url_entry_4,url_entry_5,url_entry_6,url_entry_7,url_entry_8,url_entry_9)
Method	POST
Parameter	filterName_2
Attack
Evidence
Other Info	User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL: http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc appears to include user input in: a(n) [input] tag [value] attribute The user input found was: filterName_2=filtroGruppo The user-controlled value was: filtrogruppo
URL	http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc
Node Name	http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do (tipoAccordo)(__i_hidden_title_iconUso_0_0,__i_hidden_title_iconUso_0_2,__i_hidden_title_iconUso_10_0,__i_hidden_title_iconUso_10_2,__i_hidden_title_iconUso_11_0,__i_hidden_title_iconUso_11_2,__i_hidden_title_iconUso_12_0,__i_hidden_title_iconUso_12_2,__i_hidden_title_iconUso_13_0,__i_hidden_title_iconUso_13_2,__i_hidden_title_iconUso_14_0,__i_hidden_title_iconUso_14_2,__i_hidden_title_iconUso_15_0,__i_hidden_title_iconUso_15_2,__i_hidden_title_iconUso_16_0,__i_hidden_title_iconUso_16_2,__i_hidden_title_iconUso_17_0,__i_hidden_title_iconUso_17_2,__i_hidden_title_iconUso_18_0,__i_hidden_title_iconUso_18_2,__i_hidden_title_iconUso_19_0,__i_hidden_title_iconUso_19_2,__i_hidden_title_iconUso_1_0,__i_hidden_title_iconUso_1_2,__i_hidden_title_iconUso_2_0,__i_hidden_title_iconUso_2_2,__i_hidden_title_iconUso_3_0,__i_hidden_title_iconUso_3_2,__i_hidden_title_iconUso_4_0,__i_hidden_title_iconUso_4_2,__i_hidden_title_iconUso_5_0,__i_hidden_title_iconUso_5_2,__i_hidden_title_iconUso_6_0,__i_hidden_title_iconUso_6_2,__i_hidden_title_iconUso_7_0,__i_hidden_title_iconUso_7_2,__i_hidden_title_iconUso_8_0,__i_hidden_title_iconUso_8_2,__i_hidden_title_iconUso_9_0,__i_hidden_title_iconUso_9_2,_csrf,be_name_0,chkAll,filterName_0,filterName_1,filterName_2,filterValue_1,filterValue_2,limit,search,selectcheckbox,url_entry_0,url_entry_1,url_entry_10,url_entry_11,url_entry_12,url_entry_13,url_entry_14,url_entry_15,url_entry_16,url_entry_17,url_entry_18,url_entry_19,url_entry_2,url_entry_3,url_entry_4,url_entry_5,url_entry_6,url_entry_7,url_entry_8,url_entry_9)
Method	POST
Parameter	filterValue_1
Attack
Evidence
Other Info	User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL: http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc appears to include user input in: a(n) [option] tag [value] attribute The user input found was: filterValue_1=soap The user-controlled value was: soap
URL	http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc
Node Name	http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do (tipoAccordo)(__i_hidden_title_iconUso_0_0,__i_hidden_title_iconUso_0_2,__i_hidden_title_iconUso_10_0,__i_hidden_title_iconUso_10_2,__i_hidden_title_iconUso_11_0,__i_hidden_title_iconUso_11_2,__i_hidden_title_iconUso_12_0,__i_hidden_title_iconUso_12_2,__i_hidden_title_iconUso_13_0,__i_hidden_title_iconUso_13_2,__i_hidden_title_iconUso_14_0,__i_hidden_title_iconUso_14_2,__i_hidden_title_iconUso_15_0,__i_hidden_title_iconUso_15_2,__i_hidden_title_iconUso_16_0,__i_hidden_title_iconUso_16_2,__i_hidden_title_iconUso_17_0,__i_hidden_title_iconUso_17_2,__i_hidden_title_iconUso_18_0,__i_hidden_title_iconUso_18_2,__i_hidden_title_iconUso_19_0,__i_hidden_title_iconUso_19_2,__i_hidden_title_iconUso_1_0,__i_hidden_title_iconUso_1_2,__i_hidden_title_iconUso_2_0,__i_hidden_title_iconUso_2_2,__i_hidden_title_iconUso_3_0,__i_hidden_title_iconUso_3_2,__i_hidden_title_iconUso_4_0,__i_hidden_title_iconUso_4_2,__i_hidden_title_iconUso_5_0,__i_hidden_title_iconUso_5_2,__i_hidden_title_iconUso_6_0,__i_hidden_title_iconUso_6_2,__i_hidden_title_iconUso_7_0,__i_hidden_title_iconUso_7_2,__i_hidden_title_iconUso_8_0,__i_hidden_title_iconUso_8_2,__i_hidden_title_iconUso_9_0,__i_hidden_title_iconUso_9_2,_csrf,be_name_0,chkAll,filterName_0,filterName_1,filterName_2,filterValue_1,filterValue_2,limit,search,selectcheckbox,url_entry_0,url_entry_1,url_entry_10,url_entry_11,url_entry_12,url_entry_13,url_entry_14,url_entry_15,url_entry_16,url_entry_17,url_entry_18,url_entry_19,url_entry_2,url_entry_3,url_entry_4,url_entry_5,url_entry_6,url_entry_7,url_entry_8,url_entry_9)
Method	POST
Parameter	filterValue_2
Attack
Evidence
Other Info	User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL: http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc appears to include user input in: a(n) [option] tag [value] attribute The user input found was: filterValue_2=AltroTag The user-controlled value was: altrotag
URL	http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc
Node Name	http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do (tipoAccordo)(__i_hidden_title_iconUso_0_0,__i_hidden_title_iconUso_0_2,__i_hidden_title_iconUso_10_0,__i_hidden_title_iconUso_10_2,__i_hidden_title_iconUso_11_0,__i_hidden_title_iconUso_11_2,__i_hidden_title_iconUso_12_0,__i_hidden_title_iconUso_12_2,__i_hidden_title_iconUso_13_0,__i_hidden_title_iconUso_13_2,__i_hidden_title_iconUso_14_0,__i_hidden_title_iconUso_14_2,__i_hidden_title_iconUso_15_0,__i_hidden_title_iconUso_15_2,__i_hidden_title_iconUso_16_0,__i_hidden_title_iconUso_16_2,__i_hidden_title_iconUso_17_0,__i_hidden_title_iconUso_17_2,__i_hidden_title_iconUso_18_0,__i_hidden_title_iconUso_18_2,__i_hidden_title_iconUso_19_0,__i_hidden_title_iconUso_19_2,__i_hidden_title_iconUso_1_0,__i_hidden_title_iconUso_1_2,__i_hidden_title_iconUso_2_0,__i_hidden_title_iconUso_2_2,__i_hidden_title_iconUso_3_0,__i_hidden_title_iconUso_3_2,__i_hidden_title_iconUso_4_0,__i_hidden_title_iconUso_4_2,__i_hidden_title_iconUso_5_0,__i_hidden_title_iconUso_5_2,__i_hidden_title_iconUso_6_0,__i_hidden_title_iconUso_6_2,__i_hidden_title_iconUso_7_0,__i_hidden_title_iconUso_7_2,__i_hidden_title_iconUso_8_0,__i_hidden_title_iconUso_8_2,__i_hidden_title_iconUso_9_0,__i_hidden_title_iconUso_9_2,_csrf,be_name_0,chkAll,filterName_0,filterName_1,filterName_2,filterValue_1,filterValue_2,limit,search,selectcheckbox,url_entry_0,url_entry_1,url_entry_10,url_entry_11,url_entry_12,url_entry_13,url_entry_14,url_entry_15,url_entry_16,url_entry_17,url_entry_18,url_entry_19,url_entry_2,url_entry_3,url_entry_4,url_entry_5,url_entry_6,url_entry_7,url_entry_8,url_entry_9)
Method	POST
Parameter	search
Attack
Evidence
Other Info	User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL: http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc appears to include user input in: a(n) [input] tag [value] attribute The user input found was: search=ZAP The user-controlled value was: zap
URL	http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc
Node Name	http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do (tipoAccordo)(_csrf,filterName_0,filterName_1,filterName_2,filterValue_1,filterValue_2,search)
Method	POST
Parameter	filterName_0
Attack
Evidence
Other Info	User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL: http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc appears to include user input in: a(n) [input] tag [value] attribute The user input found was: filterName_0=filtroProtocollo The user-controlled value was: filtroprotocollo
URL	http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc
Node Name	http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do (tipoAccordo)(_csrf,filterName_0,filterName_1,filterName_2,filterValue_1,filterValue_2,search)
Method	POST
Parameter	filterName_1
Attack
Evidence
Other Info	User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL: http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc appears to include user input in: a(n) [input] tag [value] attribute The user input found was: filterName_1=filtroServiceBinding The user-controlled value was: filtroservicebinding
URL	http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc
Node Name	http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do (tipoAccordo)(_csrf,filterName_0,filterName_1,filterName_2,filterValue_1,filterValue_2,search)
Method	POST
Parameter	filterName_2
Attack
Evidence
Other Info	User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL: http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc appears to include user input in: a(n) [input] tag [value] attribute The user input found was: filterName_2=filtroGruppo The user-controlled value was: filtrogruppo
URL	http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc
Node Name	http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do (tipoAccordo)(_csrf,filterName_0,filterName_1,filterName_2,filterValue_1,filterValue_2,search)
Method	POST
Parameter	filterValue_1
Attack
Evidence
Other Info	User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL: http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc appears to include user input in: a(n) [option] tag [value] attribute The user input found was: filterValue_1=soap The user-controlled value was: soap
URL	http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc
Node Name	http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do (tipoAccordo)(_csrf,filterName_0,filterName_1,filterName_2,filterValue_1,filterValue_2,search)
Method	POST
Parameter	filterValue_2
Attack
Evidence
Other Info	User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL: http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc appears to include user input in: a(n) [option] tag [value] attribute The user input found was: filterValue_2=AltroTag The user-controlled value was: altrotag
URL	http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc
Node Name	http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do (tipoAccordo)(_csrf,filterName_0,filterName_1,filterName_2,filterValue_1,filterValue_2,search)
Method	POST
Parameter	search
Attack
Evidence
Other Info	User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL: http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc appears to include user input in: a(n) [input] tag [value] attribute The user input found was: search=ZAP The user-controlled value was: zap
Instances	12
Solution	Validate all input and sanitize output it before writing to any HTML attributes.
Reference	https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
CWE Id	20
WASC Id	20
Plugin Id	10031

Informational

User Controllable HTML Element Attribute (Potential XSS)

Description

This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability.

URL

http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc

Node Name

http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do (tipoAccordo)(__i_hidden_title_iconUso_0_0,__i_hidden_title_iconUso_0_2,__i_hidden_title_iconUso_10_0,__i_hidden_title_iconUso_10_2,__i_hidden_title_iconUso_11_0,__i_hidden_title_iconUso_11_2,__i_hidden_title_iconUso_12_0,__i_hidden_title_iconUso_12_2,__i_hidden_title_iconUso_13_0,__i_hidden_title_iconUso_13_2,__i_hidden_title_iconUso_14_0,__i_hidden_title_iconUso_14_2,__i_hidden_title_iconUso_15_0,__i_hidden_title_iconUso_15_2,__i_hidden_title_iconUso_16_0,__i_hidden_title_iconUso_16_2,__i_hidden_title_iconUso_17_0,__i_hidden_title_iconUso_17_2,__i_hidden_title_iconUso_18_0,__i_hidden_title_iconUso_18_2,__i_hidden_title_iconUso_19_0,__i_hidden_title_iconUso_19_2,__i_hidden_title_iconUso_1_0,__i_hidden_title_iconUso_1_2,__i_hidden_title_iconUso_2_0,__i_hidden_title_iconUso_2_2,__i_hidden_title_iconUso_3_0,__i_hidden_title_iconUso_3_2,__i_hidden_title_iconUso_4_0,__i_hidden_title_iconUso_4_2,__i_hidden_title_iconUso_5_0,__i_hidden_title_iconUso_5_2,__i_hidden_title_iconUso_6_0,__i_hidden_title_iconUso_6_2,__i_hidden_title_iconUso_7_0,__i_hidden_title_iconUso_7_2,__i_hidden_title_iconUso_8_0,__i_hidden_title_iconUso_8_2,__i_hidden_title_iconUso_9_0,__i_hidden_title_iconUso_9_2,_csrf,be_name_0,chkAll,filterName_0,filterName_1,filterName_2,filterValue_1,filterValue_2,limit,search,selectcheckbox,url_entry_0,url_entry_1,url_entry_10,url_entry_11,url_entry_12,url_entry_13,url_entry_14,url_entry_15,url_entry_16,url_entry_17,url_entry_18,url_entry_19,url_entry_2,url_entry_3,url_entry_4,url_entry_5,url_entry_6,url_entry_7,url_entry_8,url_entry_9)

Method

POST

Parameter

filterName_0

Attack

Evidence

Other Info

User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL: http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc appears to include user input in: a(n) [input] tag [value] attribute The user input found was: filterName_0=filtroProtocollo The user-controlled value was: filtroprotocollo

URL

http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc

Node Name

Method

POST

Parameter

filterName_1

Attack

Evidence

Other Info

User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL: http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc appears to include user input in: a(n) [input] tag [value] attribute The user input found was: filterName_1=filtroServiceBinding The user-controlled value was: filtroservicebinding

URL

http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc

Node Name

Method

POST

Parameter

filterName_2

Attack

Evidence

Other Info

User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL: http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc appears to include user input in: a(n) [input] tag [value] attribute The user input found was: filterName_2=filtroGruppo The user-controlled value was: filtrogruppo

URL

http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc

Node Name

Method

POST

Parameter

filterValue_1

Attack

Evidence

Other Info

User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL: http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc appears to include user input in: a(n) [option] tag [value] attribute The user input found was: filterValue_1=soap The user-controlled value was: soap

URL

http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc

Node Name

Method

POST

Parameter

filterValue_2

Attack

Evidence

Other Info

User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL: http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc appears to include user input in: a(n) [option] tag [value] attribute The user input found was: filterValue_2=AltroTag The user-controlled value was: altrotag

URL

http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc

Node Name

Method

POST

Parameter

Attack

Evidence

Other Info

URL

http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc

Node Name

http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do (tipoAccordo)(_csrf,filterName_0,filterName_1,filterName_2,filterValue_1,filterValue_2,search)

Method

POST

Parameter

filterName_0

Attack

Evidence

Other Info

URL

http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc

Node Name

http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do (tipoAccordo)(_csrf,filterName_0,filterName_1,filterName_2,filterValue_1,filterValue_2,search)

Method

POST

Parameter

filterName_1

Attack

Evidence

Other Info

User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL: http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc appears to include user input in: a(n) [input] tag [value] attribute The user input found was: filterName_1=filtroServiceBinding The user-controlled value was: filtroservicebinding

URL

http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc

Node Name

http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do (tipoAccordo)(_csrf,filterName_0,filterName_1,filterName_2,filterValue_1,filterValue_2,search)

Method

POST

Parameter

filterName_2

Attack

Evidence

Other Info

User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL: http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc appears to include user input in: a(n) [input] tag [value] attribute The user input found was: filterName_2=filtroGruppo The user-controlled value was: filtrogruppo

URL

http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc

Node Name

http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do (tipoAccordo)(_csrf,filterName_0,filterName_1,filterName_2,filterValue_1,filterValue_2,search)

Method

POST

Parameter

filterValue_1

Attack

Evidence

Other Info

User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL: http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc appears to include user input in: a(n) [option] tag [value] attribute The user input found was: filterValue_1=soap The user-controlled value was: soap

URL

http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc

Node Name

http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do (tipoAccordo)(_csrf,filterName_0,filterName_1,filterName_2,filterValue_1,filterValue_2,search)

Method

POST

Parameter

filterValue_2

Attack

Evidence

Other Info

User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL: http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc appears to include user input in: a(n) [option] tag [value] attribute The user input found was: filterValue_2=AltroTag The user-controlled value was: altrotag

URL

http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc

Node Name

http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do (tipoAccordo)(_csrf,filterName_0,filterName_1,filterName_2,filterValue_1,filterValue_2,search)

Method

POST

Parameter

Attack

Evidence

Other Info

Instances

Solution

Validate all input and sanitize output it before writing to any HTML attributes.

Reference

https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html

CWE Id

WASC Id

Plugin Id

10031

GovWay Console di Configurazione

Site: http://127.0.0.1:8080/govwayConsole/accordiServizioParteComuneApiList.do?tipoAccordo=apc

Generated on Tue, 24 Feb 2026 05:15:05

ZAP Version: 2.17.0

ZAP by Checkmarx

Summary of Alerts

Alerts

Alert Detail