    [bogus] Cross-Site Scripting bugs reported by Veracode

    Following is the issue found when a security audit was run over the Smart GWT 3.0 source code.

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

    Use output filtering to sanitize all output generated from user-supplied input, selecting the appropriate method of encoding based on the use case of the untrusted data. For example, if the data is being written to the body of an HTML page, use HTML entity encoding. However, if the data is being used to construct generated JavaScript, or if it is consumed by client-side methods that may interpret it as code (a common technique in Web 2.0 applications), additional restrictions may be necessary beyond simple HTML encoding.
    Validate user-supplied input using positive filters (white lists) to ensure that it conforms to the expected format, using centralized data validation routines when possible.
    Do not permit users to include HTML content in posts, notes, or other data that will be displayed by the application. If users are permitted to include HTML tags, then carefully limit access to specific elements or attributes, and use strict validation filters to prevent abuse.
    /chart/.../tools/bmmlImporter.jsp 20
    /chart/.../tools/bmmlImporter.jsp 22
    /chart/.../tools/bmmlImporter.jsp 23
    /chart/.../tools/bmmlImporter.jsp 24
    /chart/.../tools/bmmlImporter.jsp 25
    /chart/.../tools/genScriptDoc.jsp 28
    /chart/.../tools/genScriptDoc.jsp 29
    /chart/.../visualBuilder/index.jsp 54
    /chart/.../visualBuilder/index.jsp 72
    .../JSSyntaxScannerFilter.java 329
    com/.../taglib/LoadModulesTag.java 106
    com/.../taglib/LoadModulesTag.java 134
    com/.../taglib/LoadSkinTag.java 94
    com/.../taglib/LoadSkinTag.java 96
    com/.../servlet/ServletTools.java 1232
    com/.../servlet/SourceViewer.java 185
    com/.../servlet/SourceViewer.java 190
    /chart/.../visualBuilder/view.jsp 18

    Can we have a resolution for this?
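An added example (not SmartGWT or Veracode code, and not part of the original post) of what the scanner's recommendation above means in practice: the encoder has to match the context the data lands in, and HTML entity encoding on its own is the wrong tool for data that ends up inside generated JavaScript. The `show()` handler, the `decodeAttrEntities` model of browser behaviour and the attacker string are all constructed for the demonstration; it runs unchanged in Node or a browser console.

```javascript
// Added example, not SmartGWT or Veracode code: context-aware output encoding
// plus a positive (whitelist) input filter, showing why "simple HTML encoding"
// is not enough once untrusted data reaches a JavaScript context.

// HTML context (element body or quoted attribute value): entity-encode the
// five characters that can change the markup.
function encodeForHtml(s) {
  var map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// JavaScript string-literal context: hex-escape everything outside a small
// safe set, so quotes, backslashes, newlines and "</script>" cannot end the
// literal or the enclosing script block. Browsers do not decode HTML entities
// inside <script>, so this has to use JS escapes rather than entities.
function encodeForJsString(s) {
  var out = "";
  for (var i = 0; i < s.length; i++) {
    var ch = s.charAt(i), code = s.charCodeAt(i);
    if (/[A-Za-z0-9 ,._-]/.test(ch)) {
      out += ch;
    } else if (code < 0x100) {
      out += "\\x" + ("0" + code.toString(16)).slice(-2);
    } else {
      out += "\\u" + ("000" + code.toString(16)).slice(-4);
    }
  }
  return out;
}

// Positive filter for values that must be identifiers (for instance a module
// or skin name read from a request parameter): accept the expected shape and
// reject everything else, rather than trying to strip "dangerous" characters.
function validateIdentifier(s) {
  return /^[A-Za-z][A-Za-z0-9_]{0,63}$/.test(s) ? s : null;
}

// Minimal model of the browser's attribute-value entity decoding. It exists
// only so the example can show what JavaScript actually runs from an
// onclick="..." attribute; it handles the entities encodeForHtml emits.
function decodeAttrEntities(s) {
  return s.replace(/&(amp|lt|gt|quot|#x27);/g, function (_, e) {
    return { amp: "&", lt: "<", gt: ">", quot: '"', "#x27": "'" }[e];
  });
}

// Attacker-controlled value, constructed for the demonstration.
var untrusted = "');alert(document.cookie);//";

// Case 1: HTML entity encoding only. The markup stays well-formed, but the
// browser decodes &#x27; back to ' before handing the handler to the JS
// engine, so the quote closes show('...') early and the injected code runs.
function handlerWithHtmlEncodingOnly(input) {
  var attrValue = "show('" + encodeForHtml(input) + "')";
  return decodeAttrEntities(attrValue);   // the JS the browser would execute
}

// Case 2: encode for the inner context (JS string) first, then for the outer
// context (HTML attribute). After entity decoding the quote is still \x27,
// an escape inside the literal, so show() receives the attacker's text as data.
function handlerWithLayeredEncoding(input) {
  var attrValue = "show('" + encodeForHtml(encodeForJsString(input)) + "')";
  return decodeAttrEntities(attrValue);
}

// True when the handler is no longer a single show('...') call, i.e. a bare
// quote closed the argument and something else follows it.
function argumentClosedEarly(handlerJs) {
  return !/^show\('(?:[^'\\]|\\.)*'\)$/.test(handlerJs);
}
```

The same layering rule applies whenever one context is nested in another: encode for the innermost parser first (JavaScript string, URL, CSS), then for the outermost (HTML), and validate with a whitelist before any of it when the value has a known shape.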

    #2
    This appears to be a bogus report.

    In general, security scanning tools produce a lot of bogus reports, because among other things they will scan methods that are not accessible from end user UI as though they were publicly accessible (this includes developer tools, code for command-line use, test code, etc).

    If you believe you've found a security vulnerability you should submit a test case showing how the code could be exploited.

      #3
      Originally posted by Isomorphic:
      If you believe you've found a security vulnerability you should submit a test case showing how the code could be exploited.
      Just to clarify: am I correct to assume that all SmartGWT widget and supporting code is (at least in theory) implemented so as to be safe from known web attacks?

      If I take a string from an untrusted source am I safe to put it into any SmartGWT widget without sanitizing it first?

        #4
        Of course not, because if every API was safe to use with arbitrary content, you would be unable to use the features of HTML!

        For example, HTMLFlow does not try to sanitize the content you put into it.

          #5
          OK, fair point. Daft question, sorry... :o}

          So when you said above, "If you believe you've found a security vulnerability..." what sort of vulnerabilities did you have in mind? In particular, are there any client side attack vectors which SmartGWT takes steps to prevent?

            #6
            Yes, all the common exploits that would affect the provided functionality. The two most commonly asked about are covered by dataSourceField.escapeHTML and SQL Templating's auto-quoting.
