GlobalResourceHandler - security issue

Hi All,

I have a security issue. I’m using 7.3.7 at the moment.
After a penetration test our Security team had a Reflected cross-site scripting finding.

The request was:
http://10.72.2.207:7001/isa3/APP/global/1/legacy/
And the script was executed in the browser.

I wrote a filter and logged the request URL:
http://10.72.2.207:7001/isa3/APP/global/1/legacy/0/<img%20src=x%20onerror=alert(1)>

So it was escaped.
But because of the missing resource there was an error:
com.vaadin.server.GlobalResourceHandler error
WARNING: No UI found for id 1

And then the script was executed in the browser. So it seems the response gave back the script without escaping.
How could I solve this issue?

Thanks,
Zoli

Hi,

Which servlet container are you using, Tomcat?

-Olli

Hi,

Oracle Weblogic 10.3.5

Zoli

Okay, I’m not familiar with that one, but try disabling the default error page.

-Olli

The response is coming from the app, but it’s not displayed in the app, or at least that’s how I understand it. You could of course override GlobalResourceHandler if you’d like. This page is for Vaadin 8, but I think the same should still apply in 7.3: https://vaadin.com/docs/v8/framework/advanced/advanced-requesthandler.html

-Olli

The response is not the default error page but is coming from the app:

/APP/global/1/legacy/0/ can not be found

and the JavaScript is running, so I have an alert window in the browser.

Probably the response should be escaped. But how?
Or override the GlobalResourceHandler?
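As an added example (not code from this thread or from Vaadin itself): a servlet filter that HTML-escapes the error message before the container renders it, which is one way to do the escaping Zoli asks about without touching GlobalResourceHandler. It assumes, as the thread suggests, that the "… can not be found" text reaches the browser through `HttpServletResponse.sendError(int, String)` and the container's default error page; the class name `EscapingErrorFilter` is hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
// Servlet filter that HTML-escapes any message handed to sendError(int, String)
// before the container's default error page renders it. Map it to the same
// URL pattern as the Vaadin servlet in web.xml (hypothetical class name).
public class EscapingErrorFilter implements Filter {
    @Override
    public void init(FilterConfig config) { }
    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if (resp instanceof HttpServletResponse) {
            resp = new HttpServletResponseWrapper((HttpServletResponse) resp) {
                @Override
                public void sendError(int sc, String msg) throws IOException {
                    // Assumption: the "<path> can not be found" text arrives here
                    // with the request path embedded, so escape it before the
                    // container builds its error page from it.
                    super.sendError(sc, escapeHtml(msg));
                }
            };
        }
        chain.doFilter(req, resp);
    }
    @Override
    public void destroy() { }
    // Escapes the characters that let plain text become markup in an HTML page.
    static String escapeHtml(String s) {
        if (s == null) return null;
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            switch (s.charAt(i)) {
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '&': sb.append("&amp;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(s.charAt(i));
            }
        }
        return sb.toString();
    }
}
```

The filter only changes what the container receives; if the error page is later disabled as Olli suggests, the wrapper simply becomes a no-op for the message text.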