checkmarx validation XSS - xss

The application's validateComment embeds untrusted data in the generated output with commentDto, at line 474 of web-api\src\main\java\ru\sbrf....\SomeClass.java. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
The attacker would be able to alter the returned web page by simply providing modified data in the user input request, which is read by the putClientDocuments method at line 33 of web-api\src\main\java\ru\sbrf....\controller\SomeRestController.java. This input then flows through the code straight to the output web page, without sanitization.
This can enable a Reflected Cross-Site Scripting (XSS) attack.
private void validateComment(Comment commentDto) {
commentDto.setText(StringEscapeUtils.escapeHtml(StringEscapeUtils.escapeJavaScript(commentDto.getText())));
commentDto.setSender(StringEscapeUtils.escapeHtml(StringEscapeUtils.escapeJavaScript(commentDto.getSender())));
if (commentDto.getCommentId() == null || !StringUtils.hasLength(commentDto.getText()) ||
commentDto.getIsClient() == null || commentDto.getCreateDate() == null) {
throw new ValidationException("Комментарий заполнен не корректно");
}
if (LocalDateTime.now().isBefore(commentDto.getCreateDate())) {
throw new ValidationException("Дата комментария указана позже текущей даты");
}
}

Related

I m inserting my data uthrough page item using request process it gives an error fetch more then one row please give me a solution

var a = $v('P1995_LUMBER');
if ((a = '1')) {
apex.submit({
request: "CREATE",
set: {
LUMBER: "P1995_LUMBER",
LST_NME: "P1995_LST_NME",
FST_NME: "P1995_FST_NME",
},
});
} else if (a != '1') {
apex.submit({
request: "Update",
set: {
LUMBER: "P1995_LUMBER",
LST_NME: "P1995_LST_NME",
FST_NME: "P1995_FST_NME",
},
});
} else {
alert("bang bang");
}
Couple of things:
JavaScript's equality check is either == or === (more details here). (a = '1') assign '1' to the variable.
It seems like you're not using the apex.submit process correctly. Typically, you would set the item's value
e.g.:
apex.page.submit({
request: "SAVE",
set: {
"P1_DEPTNO": 10,
"P1_EMPNO": 5433
}
} );
Although, by looking at your JavaScript code, I would say you don't even need to use JavaScript.
Whenever you submit a page, all items on it are automatically sent to the server-side. You can then reference them using bind variables. You could then simply have two process, one for the Create and one for the Update, each having the corresponding insert/update statement using the different items on your page.
Usually what you will see is a page with two buttons for Create/Edit. They will have a server-side condition so that only the correct one is displayed.
Try creating a Form type page (form with report) using the wizard, and you'll see how everything is done.
Without seeing the page and the code you're using it's hard to tell what your issue really is, more details would be required.
That code does not have any sql in it so it is impossible to diagnose why you are encountering a TOO_MANY_ROWS exception. Run the page in debug mode and check the debug data - it should show you what statement is throwing the exception. If you need more help, post a proper reproducible case, not a single snipped of code without any context.

How to protect from this (Evilginx)

How to protect from this?
https://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass/
I have many websites, in many technologies... I need a way to protect.
I'm wondering if there is just something like a check of suspicious IP activities in the aftermath?
Just this? Really?
Can I check my SSL certificate? HSTS? Avoid using nginx from serving my site?
Include something like this on your login page (make sure to set the X-FRAME-OPTIONS header to DENY), changing "Your expected origin" to... well, I'm sure you can figure it out:
var inP = true, t = self, l = "loc" + "ation", o = "o" + "rigin", ex = "Your " + "expected" + " origin", db = document, b = "bod" + "y", h = "in" + "ner" + "HTML";
try {
inP = t[l][o] != ex;
} catch (e) {
inP = true;
}
if (inP) {
db[b][h] = "<p>For security reasons, this site cannot be viewed though a proxy. Please access the site directly at <a href="+ex+" target='_top'>" + ex + "</a>.</p>";
throw new Error("Prevent any other code in this block from running.");
}
It's obfuscated to try and prevent the proxy from noticing what you're doing, but just to be sure, mix it in with some JavaScript vital for the page to run (like one that adds a CSRF token to the login form). That way they can't just block the file. (But randomize the obfuscation to frustrate attempts to filter or parse the file in the proxy).
Add a <noscript> tag explaining that you have to have JavaScript enabled on this page for security reasons.
It's not bulletproof (someone really determined will figure out how to bypass your obfuscation), but it should stop script kiddies who just installed Evilginx from a tutorial.
Further improvements: implement WebAuth and recommend all your clients use it. Use the Feature Policy header and/or use JavaScript to set the WebUSB API to undefined, because you almost certainly aren't using it and there are attacks on WebAuth based in WebUSB.

Is Qooxdoo protected against XSS

I'm looking for informations about security on Qooxdoo.
I want to check my app vs OWASP top 10
A point to review is the XSS OWASP A3 XSS
How can I be sure that Qooxdoo is secure against XSS attacks ?
Does Qooxdoo use some sanitizer tools ?
SOLVED
A short answer from all the discussions. Yes Qooxdoo is XSS safe. By default, no javascript value in any field will be executed.
But, if you use rich=true, you have to check input/output
A common XSS attack vector are situations where an attacker somehow inputs JS code into a web application, such that this code then shows up in the DOM of a webpage and gets thus activated.
To protect against this kind of XSS, you must make sure that the backend server does not send user generated (un-cleaned) html towards the browser ... (this has nothing to do with qooxdoo).
That said, the regular qooxdoo widgets do not in general display data as html so you are reasonably safe even without a clever server. The exception is the qx.ui.basic.Label widget and its descendants. The Label widget has the ability to display HTML directly if you set the rich property. The rich property is set to false by default, but if you enable it, you have to make sure you don't display 'dangerous' html content.
Only very few (non essential) qooxdoo widgets allow you to insert HTML code into the DOM. In these instance you have to take care to sanitize the data. The widgets in question are:
qx.ui.embed.Html
qx.ui.table.cellrenderer.Html
qx.ui.progressive.renderer.table.cell.Html
qx.ui.virtual.cell.Html
qx.ui.virtual.layer.HtmlCell
qx.ui.virtual.layer.HtmlCellSpan
If you do use qx.html.* and qx.bom.*and qx.dom.* objects to work with the DOM directly, you are beyond the reach of qooxoo and have to take care to act accordingly.
Another important attack vector are authentication cookies. Most of the attacks work by getting the browser to send a request together with the cookie to its server without the user being aware it.
Qooxdoo itself does not require you to use cookies at all. Since qooxdoo applications by design run in a single browser window, you can work without ever using cookies. An easy way of implementing something like this is to have a 'server access singleton' which takes care of all the communication with the backend and supplies the access token in a special header added to every request.
The code below could serve as a guide ... for the cookie problem.
qx.Class.define('myapp.Server', {
extend : qx.io.remote.Rpc,
type : "singleton",
construct : function() {
this.base(arguments);
this.set({
timeout : 60000,
url : 'QX-JSON-RPC/',
serviceName : 'default'
});
},
properties: {
sessionCookie: {
init: null,
nullable: true
}
},
members : {
/**
* override the request creation, to add our 'cookie' header
*/
createRequest: function() {
var req = this.base(arguments);
var cookie = this.getSessionCookie();
if (cookie){
req.setRequestHeader('X-Session-Cookie',this.getSessionCookie());
}
return req;
}
}
});
and if you provide a login popup window in myapp.uiLogin you could replace
the standard callAsync by adding the following to popup a login window if the backend is unhappy with your request.
/**
* A asyncCall handler which tries to
* login in the case of a permission exception.
*
* #param handler {Function} the callback function.
* #param methodName {String} the name of the method to call.
* #return {var} the method call reference.
*/
callAsync : function(handler, methodName) {
var origArguments = arguments;
var origThis = this;
var origHandler = handler;
var that = this;
var superHandler = function(ret, exc, id) {
if (exc && exc.code == 6) {
var login = myapp.uiLogin.getInstance();
login.addListenerOnce('login', function(e) {
var ret = e.getData();
that.setSessionCookie(ret.sessionCookie);
origArguments.callee.base.apply(origThis, origArguments);
});
login.open();
return;
}
origHandler(ret, exc, id);
};
if (methodName != 'login') {
arguments[0] = superHandler;
}
arguments.callee.base.apply(this, arguments);
},
take a look at the CallBackery application to see how this works in a real application.

Unit Test case in Grails with mocking the methods

I was trying to write a unit test case for the action 'passwordActive' in 'LoginController'. But i am not sure which all things to be mocked and how to do that.
def passwordActive={
log.error("Entering into Password Active")
println "Password Active -- Params = "+params
String contextPath = request.contextPath
String username = null
User user = null
try{
if (params.username != null && params.username.trim().length() > 0) {
username = params.username
user = User.findByUsername(username)
}
if (user == null) {
log.error("USER not found.")
flash.errorLogin = "Username is incorrect"
redirect(action:"auth")
return
}else if(user.password != params.password){
log.error("USER password is wrong..")
flash.errorLogin = "Please enter valid password.."
redirect(action:"auth")
return
}else if (!user.active) {
log.error("USER is inactive.")
flash.errorLogin = "User in Inactive"
redirect(action:"auth")
return
}
session["userid"] = user.id
String userRole = user.authority.authority
String url = contextPath + "/" + userRole
println "URL = "+url
redirect(url: url, method: 'post', params: params)
return
}
catch(Exception e){
println e.printStackTrace()
}
log.error("Exit into Password Active")
}
i want to write a test case where username does not exist. in that case flash message should be having the message "username incorrect" and i can assert it.
Here what all things should be mocked and how to do that. Could you please explain the working with a small example (preferably related with above code so that it would be easy for me to understand)
Writing your own security implementation is a terribly bad idea. I suggest you take a look at how the Spring Security plugin does it for educational purposes, then just use that plugin - it is mature, flexible and easy to set up.
For said educational purposes, let's see how we could mock above code using an approach that is loosely along the lines of how Spring Security does it: You would move the user lookup into a service/bean as controllers aren't meant to contain any 'business' logic. Say something like this:
class UserProviderService {
User findUser(String username) {
User.findByUsername(username)
}
}
In the controller you would injected it as a dependency (def userProviderService) on which you would then call your own function, e.g. userProviderService.findUser(username). During normal operation Grails would inject your UserProviderService into the controller while in unit tests you can mock it however you like (e.g. controller.userProviderService = [ findByUsername: { -> return null } ] if you for example wanted to test the controller response for an unknown user.
Similar for password comparison you would use a passwordService that would implement password hashing, comparison and so on and you could mock its response before every test. Note that this stuff is again not trivial if you care about security and very easy to mess up so again: don't do it yourself!
The way you structure your code determines how easy or hard it will be to test it. Sure you could mess with User.metaclass and override methods left and right, but that approach usually proves very fragile. By splitting up your code you can make your life easier! How to structure your code so it is testable is definitely something you learn by experience so keep thinking about it!

accessing session data

I am setting a custom session in the catalog/controller/checkout/cart.php controller. All it does, it checks if a value is set or not.
if (isset($this->request->post['no_tax']) && $this->request->post['no_tax'] == '1')
{
$this->session->data['no_tax'] = true;
}
elseif (isset($this->request->post['no_tax']) && $this->request->post['no_tax'] === '0')
{
unset($this->session->data['no_tax']);
}
I can then access this in the catalog/model/shipping/totalbased.php model file,
isset($this->session->data['no_tax'])
The problem is, I need to send additioanl information in the order to the admin, which is done in the catalog/model/checkout/order.php
I've done a check in there:
if(isset($this->session->data['no_tax']) )
{
//do something
}
$mail->send();
The do something, simply adds a PDF. The problem is, the PDF isn't attached.
In the error.txt, I get: 2012-05-14 14:42:11 - PHP Notice: Undefined index: no_tax in /var/www/vhosts/site.com/httpdocs/catalog/order.php
Can I access the session this way?
Thanks
The code looks fine from what I can see, and yes you can access the data like you've shown. The error you've had looks like you have tried to access the session data directly at some point without checking it's set, causing the notice