Hi,
I was trying to do the security testing for my application, which is built on Vaadin framework version 7.4.3. I am using the OWASP ZAP tool as a proxy and I tried to do an active scan on one of the requests of my application intercepted by ZAP. The tool is trying to penetrate the Vaadin client-specific parameters like
v-rtzo, v-tzo, v-browserDetails, v-ch, v-sw, v-dston etc.
In this process the tool has detected the list of issues below:
Remote OS Command Injection
Buffer Overflow
Format String Error
Upon investigating I found some exceptions in the application log as below:
java.lang.RuntimeException: Invalid window size received from client
at com.vaadin.server.Page.init(Page.java:662)
at com.vaadin.ui.UI.doInit(UI.java:643)
Caused by: java.lang.NumberFormatException: For input string: “…..............................\Windows\system.ini”
at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
at java.lang.Integer.parseInt(Integer.java:569)
There are similar instances in many places. Based on the exception stack trace it seems that the Vaadin client parameters are not validated for their type, like size or width. I have the following doubts about this.
Are these issues valid and applicable, and do I need to fix them?
If so, how would I handle them?
Please suggest.
Thanks,
Arun
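The stack trace above shows Integer.parseInt being applied directly to a client-supplied value (the scanner substituted a file path for a window dimension), so the request dies with an unhandled RuntimeException and the raw payload lands in the server log. The following is an added example, not code from Vaadin or from the poster, showing the kind of strict pre-validation a defender would put in front of such parameters (for instance in a servlet filter that runs before the framework reads them): a length cap, a digits-only pattern, a range check, and a log message that records the rejection without echoing untrusted bytes. The class and method names, the bounds and the sample values are all assumptions made for the example; the path-style sample mirrors the value seen in the log.

```java
import java.util.Optional;
import java.util.regex.Pattern;

/**
 * Added example (hypothetical helper, not Vaadin's own API): strict parsing
 * of a client-supplied integer such as a window width or height, so that a
 * scanner payload is rejected cleanly instead of surfacing as an unhandled
 * NumberFormatException in the application log.
 */
public final class ClientIntParam {

    // Assumed bounds for a browser viewport dimension in CSS pixels.
    private static final int MIN_DIMENSION = 0;
    private static final int MAX_DIMENSION = 32_768;
    // Accept at most six digits; this keeps Integer.parseInt free of overflow.
    private static final int MAX_DIGITS = 6;
    // Optional sign followed by digits only; everything else is rejected.
    private static final Pattern DECIMAL = Pattern.compile("-?[0-9]{1," + MAX_DIGITS + "}");

    private ClientIntParam() { }

    /** Returns the value if it is a well-formed integer within range, otherwise empty. */
    public static Optional<Integer> parseDimension(String raw) {
        // Cheap length check first (+1 allows a leading '-'), before any regex work.
        if (raw == null || raw.length() > MAX_DIGITS + 1) {
            return Optional.empty();
        }
        if (!DECIMAL.matcher(raw).matches()) {
            return Optional.empty();
        }
        int value = Integer.parseInt(raw); // cannot throw once the pattern matched
        if (value < MIN_DIMENSION || value > MAX_DIMENSION) {
            return Optional.empty();
        }
        return Optional.of(value);
    }

    /** Describes a rejection for the log without writing the untrusted value itself. */
    public static String describeRejected(String name, String raw) {
        int len = raw == null ? 0 : raw.length();
        return "rejected client parameter " + name + " (length " + len + ")";
    }

    public static void main(String[] args) {
        // Constructed sample values: a normal width, an empty string, an
        // out-of-range number, a negative number, and a path-style string
        // of the shape that appeared in the posted stack trace.
        String[] samples = {
            "1366",
            "",
            "99999999",
            "-5",
            ".....\\Windows\\system.ini"
        };
        for (String s : samples) {
            Optional<Integer> v = parseDimension(s);
            System.out.println(v.map(i -> "accepted v-sw=" + i)
                                .orElse(describeRejected("v-sw", s)));
        }
    }
}
```

Only the first sample is accepted; the others are rejected before Integer.parseInt is ever reached, and the log line carries the parameter name and length rather than the payload. Validating this way also changes what the scanner observes: a consistent 4xx-style rejection instead of a 500 with a stack trace, which is what rules that infer findings from server errors key on.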