
    OWASP scan vulnerability warnings

    We are using SmartGWT 13.0 in a regulated environment that requires security assessments. Tools like OWASP ZAP reported possible security vulnerabilities.
    Most of them can be fixed by setting the correct Content-security-policy headers etc. but we cannot find a way around a couple of them without compromising functionality:

    - Absence of Anti-CSRF Tokens
    In ISC_Grids.js there are some strings that look like:
    <form action='javascript:void(0)' onsubmit='return false;'>
    that trigger this warning. Looking at the form it does not seem to actually submit anything and CSRF should not be needed, so do you think it is a false positive?

    - Content Security Policy style-src unsafe-inline, script-src unsafe-inline
    In the CSP header we need to set
    style-src 'unsafe-inline'; script-src 'unsafe-inline'
    because SmartGWT generates inline CSS and javascript event handlers. Is there a way to remove the 'unsafe-inline' requirement?

    Last edited by PSimonazzi; 4 May 2022, 01:13. Reason: Added clarification

    Both are false positives.

    On the second, CSP settings are a best practice for people building web sites from basic HTML and CSS. You are using SmartGWT to build web applications in a component-oriented style.

    SmartGWT needs to insert CSS in this way to be able to support certain features and work around certain browser bugs in ways that are too complicated to get into, but big picture, this "best practice" does not apply.
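As an added illustration of the second point, and of why the `'unsafe-inline'` requirement cannot simply be papered over by adding a nonce next to it (example code written for this page, not from the thread or the SmartGWT project): a small checker that parses a Content-Security-Policy header and reports whether an inline script or style block would still run under it. The header strings are constructed samples.

```javascript
// Parse a CSP header into { directiveName: [sourceExpressions...] }.
// Per the CSP spec, a repeated directive is ignored: the first occurrence wins.
function parseCsp(header) {
  const policy = {};
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Effective source list for script-src / style-src, falling back to default-src
// when the specific directive is absent. null means "no restriction at all".
function sourcesFor(policy, directive) {
  if (directive in policy) return policy[directive];
  if ('default-src' in policy) return policy['default-src'];
  return null;
}

// Would an inline block with no nonce attribute and no matching hash be allowed?
// Key behaviour (CSP Level 2 and later): once a nonce- or sha256/384/512- source
// is present in the directive, browsers ignore 'unsafe-inline' in that directive.
// That is why a framework that emits inline handlers and styles it cannot nonce
// keeps working only while 'unsafe-inline' stands alone.
function inlineAllowed(policy, directive) {
  const sources = sourcesFor(policy, directive);
  if (sources === null) return { allowed: true, reason: 'directive absent, unrestricted' };
  const keywords = sources.map(s => s.toLowerCase().replace(/^'|'$/g, ''));
  const hasNonceOrHash = keywords.some(s => /^(nonce-|sha(256|384|512)-)/.test(s));
  const hasUnsafeInline = keywords.includes('unsafe-inline');
  if (hasNonceOrHash) {
    return { allowed: false, reason: hasUnsafeInline
      ? "'unsafe-inline' ignored because a nonce/hash source is present"
      : 'nonce or hash required for inline content' };
  }
  if (hasUnsafeInline) return { allowed: true, reason: "'unsafe-inline' present" };
  return { allowed: false, reason: 'no source permits inline content' };
}

// Constructed sample: the policy shape described in the question, and the same
// policy after someone "fixes" the scanner finding by adding a nonce.
const ORIGINAL = "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'";
const WITH_NONCE = "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'nonce-c0nstructed'";
for (const [label, hdr] of [['original', ORIGINAL], ['with nonce', WITH_NONCE]]) {
  const r = inlineAllowed(parseCsp(hdr), 'script-src');
  console.log(`${label}: inline script allowed=${r.allowed} (${r.reason})`);
}
```

Run with `node`; the second line of output shows the nonce variant rejecting the framework's inline handlers even though `'unsafe-inline'` is still listed.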