
Where is the DOM based XSS

I received an AppScan security report where the following piece of code was flagged as "DOM Based Cross-Site Scripting":

i !== null && i.errors ? (i.errors[0].Key === "OrderNotFound" || 
i.errors[0].Key === "ShoppingCartModified") && (alert(i.errors[0].Value),
window.location.href = window.location.href.split("#")[0]) : 
t([s("GenericErrorMessage")])

But I can't see where the problem is. I wonder if this could be a false positive. This is the original code without minification:

if (jsonResult !== null && jsonResult.errors) {
    if (jsonResult.errors[0].Key === "OrderNotFound" ||
        jsonResult.errors[0].Key === "ShoppingCartModified") {
        alert(jsonResult.errors[0].Value); //the problem is here
        window.location.href = window.location.href.split("#")[0]; //or here
    }
} else {
    //uiErrors is a KnockoutJS observableArray that is 
    //shown in the page using the text binding avoiding any innerHTML injection.
    //res = method that returns an error msg string for a given key.
    uiErrors([res("GenericErrorMessage")]); 
}

jsonResult is the response of an ajax call and it has the following structure:

{
    "errors": [
        {"Key": "OrderNotFound", "Value": "Your order could not be found."}
    ]
}

Neither the Key nor the Value is created using any user input. They are const strings in server code.

Adding AppScan Output

[1 of 1] DOM Based Cross-Site Scripting

Severity: High

Test Type: Application

Vulnerable URL: https://www.domain.com/scripts/checkout.js

CVE ID(s): N/A

CWE ID(s): 79

Remediation Tasks: Analyze client side code and sanitize its input sources

Variant 1 of 1 [ID=1612185601]

Request/Response:

https://www.domain.com/scripts/checkout.js?v=m9is46e_hmcr4gnmuj4o6xssdozcytmn9flbuxtvbmy1:

1 : i !== null && i.errors ? (i.errors[0].Key === "OrderNotFound" || i.errors[0].Key === "ShoppingCartModified") && (alert(i.errors[0].Value), window.location.href = window.location.href.split("#")[0]) : t([s("GenericErrorMessage")])

Validation In Response:

N/A

Reasoning:

N/A

CWE ID:

79

The code you have shown does not appear to have any XSS problem. Either this is a false positive, or the scanner has not properly identified the location of the problem.

It might be worth re-running the scanner on your application while using completely unminified code so as to get more precise location information; even if it is actually a false positive this would help you understand what the scanner is confused about.

window.location.href = window.location.href.split("#")[0];

The above line of code is causing you the issue. Technically split("#")[0] will remove values after the # character, but the catch point here is: what if we include an injection before the "#" character?

protocol://domainname.com/details.htm/ "injection!@#$XSS" #Helloworld!
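Added example, not code from the question or from either answer: a replacement for the flagged split("#")[0] line that parses the URL with the URL API instead of string-splitting, and only navigates when the result is an http(s) URL on the page's own origin. This is the source-to-sink check the report's "sanitize its input sources" remediation line is asking for at this sink. The function names stripFragment and safeReloadWithoutFragment and the loc parameter (a window.location-like object, passed in so the code can be exercised outside a browser) are assumptions.

```javascript
// Added example (not from the question or answers): hardened version of
//   window.location.href = window.location.href.split("#")[0];
// Function names and the loc parameter are hypothetical.

// Returns href without its fragment, or null if the URL is malformed,
// not http(s), or not on expectedOrigin.
function stripFragment(href, expectedOrigin) {
  let url;
  try {
    url = new URL(href);           // throws on malformed input
  } catch (e) {
    return null;
  }
  // Only plain web navigations are acceptable at a location sink;
  // javascript:, data:, blob: and friends are refused outright.
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return null;
  }
  // Never navigate off the origin the page is already on.
  if (url.origin !== expectedOrigin) {
    return null;
  }
  url.hash = "";                   // drops "#..." including the "#" itself
  return url.href;
}

// Reloads the current page without its fragment, but only when the
// parsed URL passes the checks above. loc is window.location in the
// browser; here it is a parameter so the function can be tested offline.
// Returns true when a navigation was issued, false when it was refused.
function safeReloadWithoutFragment(loc) {
  const target = stripFragment(loc.href, loc.origin);
  if (target === null) {
    return false;
  }
  loc.replace(target);             // replace() avoids a history entry
  return true;
}
```

In the page's own code the call would be safeReloadWithoutFragment(window.location) in place of the flagged assignment.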
