Announcement

Collapse
No announcement yet.
X
  • Filter
  • Time
Clear All
new posts

  • XSS:DOM Vulnerability in ISC_RealtimeMessaging.js file.

    Hi,


    we got our code scan done from Fortify Vulnerability Tool (HP) and found some vulnerability code in ISC_RealtimeMessaging.js , assuming these are generated by smartgwt complier.

    smartgwt sdk version used:
    <dependency>
    <groupId>com.isomorphic.smartgwt.lgpl</groupId>
    <artifactId>smartgwt-lgpl</artifactId>
    <version>5.0-p20160212</version>
    </dependency>

    Issue Raised from HP tool:
    The method $1126() in ISC_RealtimeMessaging.js sends unvalidated data to a web browser on line 33, which can result in the browser executing malicious code. Sending unvalidated data to a web browser can result in the browser executing malicious code. Explanation

    Cross-site scripting (XSS) vulnerabilities occur when:

    1. Data enters a web application through an untrusted source. In the case of DOM-based XSS, data is read from a URL parameter or other value within the browser and written back into the page with client-side code. In the case of Reflected XSS, the untrusted source is typically a web request, while in the case of Persisted (also known as Stored) XSS it is typically a database or other back-end data store.


    In this case the data enters at in ISC_RealtimeMessaging.js at line 33.

    2. The data is included in dynamic content that is sent to a web user without being validated. In the case of DOM Based XSS, malicious content gets executed as part of DOM (Document Object Model) creation, whenever the victim's browser parses the HTML page.

    In this case the data is sent at write() in ISC_RealtimeMessaging.js at line 33.

    The malicious content sent to the web browser often takes the form of a segment of JavaScript, but may also include HTML, Flash or any other type of code that the browser may execute. The variety of attacks based on XSS is almost limitless, but they commonly include transmitting private data like cookies or other session information to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user's machine under the guise of the vulnerable site.

    Attachment:
    I have attached ISC_RealtimeMessaging.js file which has been identified with vulnerabilities.

    Team,
    having said these , can you please confirm is this vulnerable in any way ? or we can challenge the scan .
    Attached Files

  • #2
    Challenge the scan. These scanners produce spurious vulnerability reports a vast majority of the time - we have yet to see a report from a scan that was a legit vulnerability.

    In this particular case the XSS claim seems borderline incoherent, as it seems to be attributing an XSS vulnerability to client-side code that is processing data from a (trusted) server.

    If you'd like to report a possible vulnerability in SmartGWT, the valid way to do so is to show a specific way that our system could be exploited. Scans like this do not come close to reaching that basic standard.

    Comment


    • #3
      Thanks for the response.
      So there is no Input from user to this function and its totally generated from complier and consumed by compiler ?

      {var _12=_11.responseText.substring(_9);_9=_11.responseText.length;_1.$ie.document.write(_12)}};this.$1127=isc.Comm.sendXmlHttpRequest({URL:_3.uri,fields:_2,transaction:{changed:function(){},requestData:_2},onreadystatechange:_10})}else{isc.Comm.sendHiddenFrame({URL:_3.uri,fields:_2,transaction:{changed:function(){},requestData:_2},frame:_1})}

      Comment


      • #4
        We did not say that, but neither would that be the correct criteria for determining whether there is a vulnerability here.

        We would recommend working with a security professional here if you want to pursue this scanner output any further.

        Comment


        • #5
          assuming this code is generated by smartgwt and wanted to know is this really a threat or what is does this code do ? or what is this file ment to be ?
          it will really helpful if you can explain more on this class and methods functional part.

          Comment


          • #6
            Please refer to the documentation. The Messaging module is thoroughly documented.

            If you need yet more help with this scanner and it's likely bogus security warnings, please consider our commercial services.

            Comment


            • #7
              Admin
              ISC_RealtimeMessaging .js i dont see any proper documentation on this .js file.
              let me know what sort of you document your referring to ?
              smart gwt complier has generated this file.

              Comment


              • #8

                1) Also please let me know is it possible to delete this file: war\module\sc\system\development\ISC_RealtimeMessaging.js . if this is safe to delete and wont affect any of the smartgwt functionality , we would definitely wanted to delete this file. 2)Is it possible to avoid to bundle this file ? any configuration which wont generate this file. ?

                Comment

                Working...
                X