Current Vulnerabilities

Hello,

I am currently researching some web application vulnerabilities, especially client-side vulnerabilities like XSS. I have already read some topics about this issue posted in this forum some years ago. They said it was possible to inject malicious code into XHTML.

But I would like to know what the current situation looks like.
Is it still possible to use XSS? Could anyone give a code example of a simple vulnerability?

In case it is not vulnerable to XSS anymore: what would (theoretically) be a way to use a client-side vulnerability?

Best regards,
Nazar Medeiros

Hi,

have you looked at this page in the documentation? Maybe it's what you're after:
https://vaadin.com/docs/-/part/framework/advanced/advanced-security.html#advanced.security.sanitizing

Basically, sometimes unfiltered HTML can be published in the UI, but that should always be a conscious developer decision and the developer’s responsibility is to sanitize the contents.

-Olli

Hi Olli, I have already looked there.

Ok, I found some interesting information about this issue.

"Vaadin has built-in protection against cross-site scripting (XSS) attacks. Vaadin converts all data to use HTML entities before the data is rendered in the user's browser. You can explicitly allow HTML content in Vaadin components, in which case your application needs to ensure that the data does not contain XSS payloads." (official Vaadin documentation)

So I tested some components for an XSS attack and behold... allowing HTML content makes some components like Label, Tooltip and Notification vulnerable to XSS attacks.

I have some sample code:

    import com.vaadin.shared.ui.ContentMode; // Vaadin 8; Vaadin 7 uses com.vaadin.shared.ui.label.ContentMode
    import com.vaadin.ui.Label;

    // Deliberately vulnerable: with ContentMode.HTML the string is rendered as raw markup,
    // so the iframe's javascript: URL executes in the user's browser.
    Label mainLabel = new Label("<IFRAME SRC=\"javascript:alert('XSS11');\">");
    mainLabel.setContentMode(ContentMode.HTML);
    addComponent(mainLabel);

Well... the interesting part would be to find out how you would pentest Vaadin applications against these kinds of attacks in an automated way. Any ideas?

Best regards, Nazar Medeiros
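The behaviour reported above, shown side by side with the two safe alternatives the documentation describes. This is an added example, not code from the thread or from Vaadin itself; it assumes Vaadin 8 (the `com.vaadin.shared.ui.ContentMode` import) and the jsoup library that vaadin-server already depends on (newer jsoup releases rename `Whitelist` to `Safelist`). The class name, the `sanitize` helper and the `UNTRUSTED` string are my own constructions.

```java
import com.vaadin.server.VaadinRequest;
import com.vaadin.shared.ui.ContentMode;
import com.vaadin.ui.Label;
import com.vaadin.ui.UI;
import com.vaadin.ui.VerticalLayout;
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

/**
 * Added example (not from the thread or Vaadin's own code): one untrusted
 * string rendered three ways. Assumes Vaadin 8 and jsoup on the classpath.
 */
public class XssDemoUI extends UI {

    // Constructed attacker-controlled input: something a user could paste into
    // a profile field that the application later shows to other users.
    static final String UNTRUSTED =
        "<b>hello</b><IFRAME SRC=\"javascript:alert('XSS11');\"></IFRAME>"
        + "<img src=x onerror=\"alert(document.cookie)\">";

    // Keep only simple formatting tags. Unknown elements and attributes are
    // dropped and link targets are limited to http/https/ftp/mailto, so a
    // javascript: URL or an onerror handler never reaches the browser.
    static String sanitize(String untrustedHtml) {
        return Jsoup.clean(untrustedHtml, Whitelist.basic());
    }

    @Override
    protected void init(VaadinRequest request) {
        VerticalLayout layout = new VerticalLayout();

        // 1. Vulnerable: raw HTML reaches the browser; both the iframe's
        //    javascript: URL and the img onerror handler execute.
        Label raw = new Label(UNTRUSTED, ContentMode.HTML);
        layout.addComponent(raw);

        // 2. Safe with markup: sanitize server-side, then allow HTML.
        //    For UNTRUSTED above jsoup leaves only "<b>hello</b>".
        Label cleaned = new Label(sanitize(UNTRUSTED), ContentMode.HTML);
        layout.addComponent(cleaned);

        // 3. Safe without markup: the default mode entity-encodes everything,
        //    so the user sees the tags as literal text.
        Label escaped = new Label(UNTRUSTED, ContentMode.TEXT);
        layout.addComponent(escaped);

        setContent(layout);
    }
}
```

The point is where the decision is made: case 1 is a conscious `ContentMode.HTML` with no filtering, which is exactly the situation the documentation warns about, while cases 2 and 3 both keep the attacker's string from being interpreted as markup. The same choice applies to tooltips and notifications once HTML is enabled on them.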

Hi,

yes, you appear to have discovered exactly what the above linked document says: if you've got a component set up in a way that outputs unfiltered HTML, you can pass any HTML to it, including stuff that can execute JavaScript.

I'm no penetration testing expert, but if you're interested in automatically testing Vaadin applications, you should definitely get Vaadin TestBench. I think you'll find it's an excellent tool.

Best regards,
Olli
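A complementary, browser-free approach to the automation question raised above: a regression check that runs a constructed payload corpus through the sanitizer that sits between user input and any component with HTML enabled. This is an added example, not code from the thread, from Vaadin or from TestBench, and it does not replace a browser-level test; it assumes jsoup on the classpath (Vaadin 7 and 8 ship it; newer jsoup calls `Whitelist` `Safelist`). The class name, the `PAYLOADS` list and the `DANGEROUS` pattern are my own constructions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

/**
 * Added example (not from the thread, Vaadin or TestBench): an offline
 * regression check for the sanitizer in front of ContentMode.HTML components.
 * Assumes jsoup on the classpath.
 */
public class SanitizerRegression {

    // Constructed payload corpus: what a tester would type into a field that
    // later lands in a Label/Tooltip/Notification with HTML allowed. Extend
    // it whenever a new bypass is published.
    static final List<String> PAYLOADS = Arrays.asList(
        "<IFRAME SRC=\"javascript:alert('XSS11');\">",
        "<img src=x onerror=alert(1)>",
        "<a href=\"javascript:alert(1)\">click</a>",
        "<svg/onload=alert(1)>",
        "<b onmouseover=\"alert(1)\">bold</b>",
        "<script>alert(1)</script>",
        "<a href=\"http://example.com\">ok</a>"   // benign, must survive
    );

    // Must never appear in sanitized output: script tags, javascript: URLs
    // and inline event-handler attributes.
    static final Pattern DANGEROUS = Pattern.compile(
        "(?i)<script|javascript\\s*:|\\son[a-z]+\\s*=");

    // Same policy as the production code should use: basic formatting only.
    static String sanitize(String untrustedHtml) {
        return Jsoup.clean(untrustedHtml, Whitelist.basic());
    }

    /** True when the sanitized form of the payload carries no active content. */
    static boolean isNeutralized(String payload) {
        return !DANGEROUS.matcher(sanitize(payload)).find();
    }

    /** Runs the whole corpus and returns the payloads that got through. */
    static List<String> findSurvivors() {
        List<String> survivors = new ArrayList<>();
        for (String p : PAYLOADS) {
            if (!isNeutralized(p)) {
                survivors.add(p);
            }
        }
        return survivors;
    }

    public static void main(String[] args) {
        for (String p : PAYLOADS) {
            System.out.printf("%-45s -> %s%n", p, sanitize(p));
        }
        List<String> survivors = findSurvivors();
        if (!survivors.isEmpty()) {
            System.err.println("Sanitizer bypassed by: " + survivors);
            System.exit(1);   // fail the build
        }
        System.out.println("All payloads neutralized.");
    }
}
```

With `Whitelist.basic()` the iframe, img, svg and script payloads are dropped entirely, the `javascript:` href is removed from the anchor, the `onmouseover` attribute is stripped from the `<b>`, and the benign http link survives with `rel="nofollow"` added. Wire `findSurvivors()` into the build so that a dependency upgrade or a policy change that loosens the whitelist fails the test instead of silently reopening the hole; a TestBench run against the deployed UI then only has to confirm that every HTML-enabled component actually passes its input through `sanitize`.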

Hi,

The current living list of vulnerabilities is available at [vaadin.com/security](http://vaadin.com/security).

Kind regards,
Artem