Zoltan25
(Zoltán Zilahy)
November 28, 2017, 8:11am
1
Hi All,
I have a security issue. I’m using 7.3.7 at the moment.
After a penetration test our Security team had a Reflected cross-site scripting finding.
The request was:
http://10.72.2.207:7001/isa3/APP/global/1/legacy/
And the script was executed in the browser.
I wrote a filter and logged the request URL:
http://10.72.2.207:7001/isa3/APP/global/1/legacy/0/<img%20src=x%20onerror=alert(1)>
So it was escaped.
But because of the missing resource there was an error:
com.vaadin.server.GlobalResourceHandler error
WARNING: No UI found for id 1
And then the script was executed in the browser. So it seems the response gave back the script without escaping.
How could I solve this issue?
Thanks,
Zoli
ollit.1
(Olli Tietäväinen)
November 28, 2017, 11:43am
2
Hi,
Which servlet container are you using, Tomcat?
-Olli
ollit.1
(Olli Tietäväinen)
November 28, 2017, 11:54am
4
Okay, I’m not familiar with that one, but try disabling the default error page.
-Olli
ollit.1
(Olli Tietäväinen)
November 28, 2017, 12:14pm
5
The response is coming from the app, but it’s not displayed in the app, or at least that’s how I understand it. You could of course override GlobalResourceHandler if you’d like. This page is for Vaadin 8, but I think the same should still apply in 7.3: https://vaadin.com/docs/v8/framework/advanced/advanced-requesthandler.html
-Olli
Zoltan25
(Zoltán Zilahy)
November 28, 2017, 12:03pm
6
The response is not the default error page but coming from the app:
/APP/global/1/legacy/0/ can not be found
+
the JavaScript is running so I have an alert window in the browser.
Probably the response should be escaped. But how?
Or override the GlobalResourceHandler?
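One way to get the escaped error response asked about above without replacing GlobalResourceHandler itself: a servlet filter that wraps the response so the message passed to sendError() (which is where the "… can not be found" text with the echoed request path comes from) is HTML-escaped before the container builds its error page from it. This is an added example, not code from the thread or from Vaadin; the class name EscapingErrorFilter is hypothetical, and it assumes the servlet container reflects the sendError message into an HTML error page unescaped and that the filter is mapped in web.xml in front of the Vaadin servlet.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Hypothetical filter: escapes the message handed to sendError() so a request
 * path echoed back by the container's error page cannot carry HTML or script.
 */
public class EscapingErrorFilter implements Filter {

    /** Minimal HTML escaping: neutralises tags and attribute break-outs. */
    static String escapeHtml(String s) {
        if (s == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    @Override public void init(FilterConfig filterConfig) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!(response instanceof HttpServletResponse)) {
            chain.doFilter(request, response);
            return;
        }
        HttpServletResponse wrapped = new HttpServletResponseWrapper((HttpServletResponse) response) {
            @Override
            public void sendError(int sc, String msg) throws IOException {
                // The resource handler reports the missing resource as
                // sendError(404, pathInfo + " can not be found"); escape it here
                // so the container's error page cannot execute anything from the path.
                super.sendError(sc, escapeHtml(msg));
            }
        };
        chain.doFilter(request, wrapped);
    }
}
```

Containers that already escape the sendError message (Tomcat does) are unaffected, since the entities are then shown literally; disabling the container's default error page, as suggested earlier in the thread, removes the reflection point altogether.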