diff --git a/.github/workflows/build-docker-images-for-testing.yml b/.github/workflows/build-docker-images-for-testing.yml
index c5753973ae2..cd9c549494e 100644
--- a/.github/workflows/build-docker-images-for-testing.yml
+++ b/.github/workflows/build-docker-images-for-testing.yml
@@ -49,8 +49,8 @@ jobs:
 # export docker images to be used in next jobs below
 - name: Upload image ${{ matrix.docker-image }} as artifact
 timeout-minutes: 10
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@v4
 with:
- name: ${{ matrix.docker-image }}
+ name: built-docker-image-${{ matrix.docker-image }}-${{ matrix.os }}
 path: ${{ matrix.docker-image }}-${{ matrix.os }}_img
 retention-days: 1
diff --git a/.github/workflows/fetch-oas.yml b/.github/workflows/fetch-oas.yml
index 7928fadd9e8..5ec0aa9abad 100644
--- a/.github/workflows/fetch-oas.yml
+++ b/.github/workflows/fetch-oas.yml
@@ -51,7 +51,7 @@ jobs:
 run: docker compose down
 - name: Upload oas.${{ matrix.file-type }} as artifact
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@v4
 with:
 name: oas-${{ matrix.file-type }}
 path: oas.${{ matrix.file-type }}
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index 0b12d25a772..cd8d8072377 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
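Review bot: The bumped `uses: actions/upload-artifact@v4` on the new side is still pinned to a mutable major tag, so the step's behaviour can change without any change in this repository; the same holds for the `download-artifact@v4` bumps in fetch-oas, integration-tests, k8s-tests, release-drafter and rest-framework-tests. If the project deliberately tracks the major tag (for example via Dependabot), a short comment saying so would stop reviewers re-raising it; otherwise pin the full commit SHA and keep the tag in a trailing comment, `uses: actions/upload-artifact@<commit-sha-placeholder>  # v4`. Separately, the new artifact name embeds `${{ matrix.os }}`, which is what keeps file names unique once the consuming jobs download with `merge-multiple: true`; a one-line comment at the `name:` key noting that dependency would help whoever next edits the matrix.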
@@ -45,14 +45,18 @@ jobs:
 # load docker images from build jobs
 - name: Load images from artifacts
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@v4
+ with:
+ path: built-docker-image
+ pattern: built-docker-image-*
+ merge-multiple: true
 - name: Load docker images
 timeout-minutes: 10
 run: |-
- docker load -i nginx/nginx-${{ matrix.os }}_img
- docker load -i django/django-${{ matrix.os }}_img
- docker load -i integration-tests/integration-tests-debian_img
+ docker load -i built-docker-image/nginx-${{ matrix.os }}_img
+ docker load -i built-docker-image/django-${{ matrix.os }}_img
+ docker load -i built-docker-image/integration-tests-debian_img
 docker images
 - name: Set integration-test mode
diff --git a/.github/workflows/k8s-tests.yml b/.github/workflows/k8s-tests.yml
index 60f8bc3c38c..a4feb77273f 100644
--- a/.github/workflows/k8s-tests.yml
+++ b/.github/workflows/k8s-tests.yml
@@ -48,14 +48,18 @@ jobs:
 minikube status
 - name: Load images from artifacts
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@v4
+ with:
+ path: built-docker-image
+ pattern: built-docker-image-*
+ merge-multiple: true
 - name: Load docker images
 timeout-minutes: 10
 run: |-
 eval $(minikube docker-env)
- docker load -i nginx/nginx-${{ matrix.os }}_img
- docker load -i django/django-${{ matrix.os }}_img
+ docker load -i built-docker-image/nginx-${{ matrix.os }}_img
+ docker load -i built-docker-image/django-${{ matrix.os }}_img
 docker images
 - name: Configure HELM repos
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index d05cb191428..2a4d7ef037a 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -47,7 +47,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Load OAS files from artifacts
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@v4
 - name: Upload Release Asset - OpenAPI Specification - YAML
 id: upload-release-asset-yaml
diff --git a/.github/workflows/rest-framework-tests.yml b/.github/workflows/rest-framework-tests.yml
index f153a368ba9..bd8ca3322fa 100644
--- a/.github/workflows/rest-framework-tests.yml
+++ b/.github/workflows/rest-framework-tests.yml
@@ -20,13 +20,17 @@ jobs:
 # load docker images from build jobs
 - name: Load images from artifacts
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@v4
+ with:
+ path: built-docker-image
+ pattern: built-docker-image-*
+ merge-multiple: true
 - name: Load docker images
 timeout-minutes: 10
 run: |-
- docker load -i nginx/nginx-${{ matrix.os }}_img
- docker load -i django/django-${{ matrix.os }}_img
+ docker load -i built-docker-image/nginx-${{ matrix.os }}_img
+ docker load -i built-docker-image/django-${{ matrix.os }}_img
 docker images
 # run tests with docker compose
diff --git a/dojo/api_v2/serializers.py b/dojo/api_v2/serializers.py
index 2680e8f1adf..6e100f43b57 100644
--- a/dojo/api_v2/serializers.py
+++ b/dojo/api_v2/serializers.py
@@ -1,6 +1,5 @@
 import json
 import logging
-import os
 import re
 from datetime import datetime
@@ -803,20 +802,8 @@ class Meta:
 def validate(self, data):
 if file := data.get("file"):
- ext = os.path.splitext(file.name)[1] # [0] returns path+filename
- valid_extensions = settings.FILE_UPLOAD_TYPES
- if ext.lower() not in valid_extensions:
- if accepted_extensions := f"{', '.join(valid_extensions)}":
- msg = (
- "Unsupported extension. Supported extensions are as " f"follows: {accepted_extensions}"
- )
- else:
- msg = (
- "File uploads are prohibited due to the list of acceptable " "file extensions being empty"
- )
- raise ValidationError(msg)
+ # the clean will validate the file extensions and raise a Validation error if the extensions are not accepted
+ FileUpload(title=file.name, file=file).clean()
 return data
 return None
diff --git a/dojo/decorators.py b/dojo/decorators.py
index b6902b8dc10..8f356b0f623 100644
--- a/dojo/decorators.py
+++ b/dojo/decorators.py
@@ -144,22 +144,6 @@ def get_parameter_froms_args_kwargs(args, kwargs, parameter):
 return model_or_id
-def on_exception_log_kwarg(func):
- def wrapper(self, *args, **kwargs):
- try:
- return func(self, *args, **kwargs)
-
- except Exception:
- logger.info(f"exception occured at url: {self.driver.current_url}")
- logger.info(f"page source: {self.driver.page_source}")
- f = open("/tmp/selenium_page_source.html", "w", encoding="utf-8")
- f.writelines(self.driver.page_source)
- # time.sleep(30)
- raise
-
- return wrapper
-
-
 def dojo_ratelimit(key="ip", rate=None, method=UNSAFE, block=False):
 def decorator(fn):
 @wraps(fn)
diff --git a/dojo/importers/options.py b/dojo/importers/options.py
index f458f2a4f36..d90858e6fd4 100644
--- a/dojo/importers/options.py
+++ b/dojo/importers/options.py
@@ -530,13 +530,15 @@ def validate_tags(
 *args: list,
 **kwargs: dict,
 ) -> list:
- return self.validate(
+ tags = self.validate(
 "tags",
 expected_types=[list],
 required=False,
 default=[],
 **kwargs,
 )
+ # Force all tags to be lowercase
+ return [tag.lower() for tag in tags]
 def validate_test(
 self,
diff --git a/dojo/models.py b/dojo/models.py
index c300483156c..037b22b919f 100644
--- a/dojo/models.py
+++ b/dojo/models.py
@@ -742,6 +742,28 @@ def get_accessible_url(self, obj, obj_id):
 return f"access_file/{self.id}/{obj_id}/{obj_type}"
+ def clean(self):
+ if not self.title:
+ self.title = ""
+
+ valid_extensions = settings.FILE_UPLOAD_TYPES
+
+ # why does this not work with self.file....
+ if self.file:
+ file_name = self.file.url
+ else:
+ file_name = self.title
+ if Path(file_name).suffix.lower() not in valid_extensions:
+ if accepted_extensions := f"{', '.join(valid_extensions)}":
+ msg = (
+ _("Unsupported extension. Supported extensions are as follows: %s") % accepted_extensions
+ )
+ else:
+ msg = (
+ _("File uploads are prohibited due to the list of acceptable file extensions being empty")
+ )
+ raise ValidationError(msg)
+
 class Product_Type(models.Model):
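Review bot: The added `return [tag.lower() for tag in tags]` in options.py assumes every element is a string, but the `self.validate` call above only checks `expected_types=[list]`, so a non-string element in `tags` (an int from a JSON payload, say) surfaces as `AttributeError` instead of a validation error. Either validate the element type before lowercasing or coerce explicitly, `return [str(tag).lower() for tag in tags]`, and state the chosen behaviour in the comment. The enclosing `validate_tags` signature begins outside the hunk.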
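Review bot: In the new `FileUpload.clean()`, `file_name = self.file.url` derives the extension from the storage URL rather than from the file name; `self.file.name` is the value the upload is actually stored under and does not depend on storage configuration or URL encoding of the name. The `# why does this not work with self.file....` comment suggests `Path(self.file)` was tried — a `FieldFile` is not path-like, which is why `.name` is the attribute to reach for: `file_name = self.file.name if self.file else self.title`. A docstring should also record that this check looks only at the filename extension against `settings.FILE_UPLOAD_TYPES`, not at content, and that Django's `save()` does not call `clean()`, so every upload path has to invoke `clean()`/`full_clean()` itself, as the serializer and generic JSON parser hunks in this commit do.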
diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
index a4872d4fd49..1ea644a7dde 100644
--- a/dojo/settings/settings.dist.py
+++ b/dojo/settings/settings.dist.py
@@ -1745,6 +1745,9 @@ def saml2_attrib_map_format(dict):
 "ELSA": "https://linux.oracle.com/errata/&&.html", # e.g. https://linux.oracle.com/errata/ELSA-2024-12714.html
 "ELBA": "https://linux.oracle.com/errata/&&.html", # e.g. https://linux.oracle.com/errata/ELBA-2024-7457.html
 "RXSA": "https://errata.rockylinux.org/", # e.g. https://errata.rockylinux.org/RXSA-2024:4928
+ "CAPEC": "https://capec.mitre.org/data/definitions/&&.html", # e.g. https://capec.mitre.org/data/definitions/157.html
+ "CWE": "https://cwe.mitre.org/data/definitions/&&.html", # e.g. https://cwe.mitre.org/data/definitions/79.html
+ "TEMP": "https://security-tracker.debian.org/tracker/", # e.g. https://security-tracker.debian.org/tracker/TEMP-0841856-B18BAF
 }
 # List of acceptable file types that can be uploaded to a given object via arbitrary file upload
 FILE_UPLOAD_TYPES = env("DD_FILE_UPLOAD_TYPES")
diff --git a/dojo/templates/notifications/alert/engagement_closed.tpl b/dojo/templates/notifications/alert/engagement_closed.tpl
new file mode 100644
index 00000000000..2468c566e30
--- /dev/null
+++ b/dojo/templates/notifications/alert/engagement_closed.tpl
@@ -0,0 +1,3 @@
+{% load i18n %}{% blocktranslate trimmed with eng_name=engagement.name eng_product=engagement.product %}
+The engagement "{{ eng_name }}" has been closed in the product "{{ eng_product }}".
+{% endblocktranslate %}
\ No newline at end of file
diff --git a/dojo/templates/notifications/mail/engagement_closed.tpl b/dojo/templates/notifications/mail/engagement_closed.tpl
new file mode 100644
index 00000000000..68eef654865
--- /dev/null
+++ b/dojo/templates/notifications/mail/engagement_closed.tpl
@@ -0,0 +1,41 @@ +{% load i18n %} +{% load navigation_tags %} +{% load display_tags %} +{% url 'view_product' engagement.product.id as product_url %} +{% url 'view_engagement' engagement.id as engagement_url %} + + + {% autoescape on %} +

+ {% trans "Hello" %}, +

+

+ {% blocktranslate trimmed with engagement_name=engagement.name engagement_product=engagement.product prod_url=product_url|full_url eng_url=engagement_url|full_url%} + The engagement "{{ engagement_name }}" has been closed in the product "{{ engagement_product }}". It can be viewed here: {{product}} / {{ engagement_name }} + {% endblocktranslate %} +

+
+
+ {% trans "Kind regards" %},
+
+ {% if system_settings.team_name %} + {{ system_settings.team_name }} + {% else %} + Defect Dojo + {% endif %} +
+
+

+ {% url 'notifications' as notification_url %} + {% trans "You can manage your notification settings here" %}: {{ notification_url|full_url }} +

+ {% if system_settings.disclaimer and system_settings.disclaimer.strip %} +
+
+ {% trans "Disclaimer" %}
+

{{ system_settings.disclaimer }}

+
+ {% endif %}
+ {% endautoescape %}
+
+
diff --git a/dojo/templates/notifications/msteams/engagement_closed.tpl b/dojo/templates/notifications/msteams/engagement_closed.tpl
new file mode 100644
index 00000000000..3e6bfeed0df
--- /dev/null
+++ b/dojo/templates/notifications/msteams/engagement_closed.tpl
@@ -0,0 +1,44 @@
+{% load i18n %}
+{% load display_tags %}
+{
+ "@context": "https://schema.org/extensions",
+ "@type": "MessageCard",
+ "title": "{% trans "Engagement closed" %}",
+ "summary": "{% trans "Engagement closed" %}",
+ "sections": [
+ {
+ "activityTitle": "DefectDojo",
+ "activityImage": "https://raw.githubusercontent.com/DefectDojo/django-DefectDojo/master/dojo/static/dojo/img/chop.png",
+ "text": "{% trans "An engagement has been closed" %}.",
+ "facts": [
+ {
+ "name": "{% trans "Product" %}:",
+ "value": "{{ engagement.product.name }}"
+ },
+ {
+ "name": "{% trans "Engagement" %}:",
+ "value": "{{ engagement.name }}"
+ }
+ ]
+ }
+ {% if system_settings.disclaimer and system_settings.disclaimer.strip %}
+ ,{
+ "activityTitle": "{% trans "Disclaimer" %}",
+ "text": "{{ system_settings.disclaimer }}"
+ }
+ {% endif %}
+
+ ],
+ "potentialAction": [
+ {
+ "@type": "OpenUri",
+ "name": "{% trans "View Engagement" %}",
+ "targets": [
+ {
+ "os": "default",
+ "uri": "{{ url|full_url }}"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/dojo/templates/notifications/slack/engagement_closed.tpl b/dojo/templates/notifications/slack/engagement_closed.tpl
new file mode 100644
index 00000000000..313c7a1c937
--- /dev/null
+++ b/dojo/templates/notifications/slack/engagement_closed.tpl
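Review bot: Inside the `{% blocktranslate ... %}` block of the mail template, `{{product}}` is not one of the names bound in the `with` clause (`engagement_name`, `engagement_product`, `prod_url`, `eng_url`), so it resolves against the outer context and renders empty unless a `product` variable happens to be there, while `prod_url` and `eng_url` are bound and never used. The intent is presumably the two links, so the body should reference `{{ prod_url }}` and `{{ eng_url }}`, the way the slack template in this commit uses `eng_url`. The markup around that line appears stripped in the rendering I have, so please also check the surrounding tags once against the other mail templates.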
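Review bot: The MessageCard JSON in the msteams template interpolates `{{ system_settings.disclaimer }}` and the other values straight into JSON string literals, so a disclaimer containing a newline or a backslash yields a payload that is not valid JSON (Django's HTML autoescape turns `"` into `&quot;`, which keeps the JSON parseable but shows the entity in Teams). If the sibling msteams templates follow the same pattern this is at least consistent with them; otherwise `{{ system_settings.disclaimer|escapejs }}` produces valid JSON string escapes. A one-line comment at the top stating that the template must render to valid JSON would help the next editor.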
@@ -0,0 +1,10 @@
+{% load i18n %}
+{% load display_tags %}
+{% blocktranslate trimmed with name=engagement.name eng_product=engagement.product eng_url=url|full_url %}
+The engagement "{{ name }}" has been closed in the product "{{ eng_product }}". It can be viewed here: {{ eng_url }}
+{% endblocktranslate %}
+{% if system_settings.disclaimer and system_settings.disclaimer.strip %}
+
+ {% trans "Disclaimer" %}:
+ {{ system_settings.disclaimer }}
+{% endif %}
diff --git a/dojo/templatetags/display_tags.py b/dojo/templatetags/display_tags.py
index 7b634febf63..3fa030d90a4 100644
--- a/dojo/templatetags/display_tags.py
+++ b/dojo/templatetags/display_tags.py
@@ -781,7 +781,12 @@ def vulnerability_url(vulnerability_id):
 for key in settings.VULNERABILITY_URLS:
 if vulnerability_id.upper().startswith(key):
 if "&&" in settings.VULNERABILITY_URLS[key]:
- return settings.VULNERABILITY_URLS[key].split("&&")[0] + str(vulnerability_id) + settings.VULNERABILITY_URLS[key].split("&&")[1]
+ # Process specific keys specially if need
+ if key in ["CAPEC", "CWE"]:
+ vuln_id = str(vulnerability_id).replace(f"{key}-", "")
+ else:
+ vuln_id = str(vulnerability_id)
+ return f'{settings.VULNERABILITY_URLS[key].split("&&")[0]}{vuln_id}{settings.VULNERABILITY_URLS[key].split("&&")[1]}'
 return settings.VULNERABILITY_URLS[key] + str(vulnerability_id)
 return ""
diff --git a/dojo/tools/acunetix/parse_acunetix360_json.py b/dojo/tools/acunetix/parse_acunetix360_json.py
index 082bf889a6c..9d688ebc9a7 100644
--- a/dojo/tools/acunetix/parse_acunetix360_json.py
+++ b/dojo/tools/acunetix/parse_acunetix360_json.py
@@ -15,7 +15,7 @@ def get_findings(self, filename, test):
 dupes = {}
 data = json.load(filename)
 dupes = {}
- scan_date = parser.parse(data["Generated"])
+ scan_date = parser.parse(data["Generated"], dayfirst=True)
 text_maker = html2text.HTML2Text()
 text_maker.body_width = 0
 for item in data["Vulnerabilities"]:
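Review bot: The new `vuln_id = str(vulnerability_id).replace(f"{key}-", "")` in display_tags.py is case-sensitive and replaces every occurrence, while the match two lines above uses `vulnerability_id.upper().startswith(key)`, so an id written as `cwe-79` matches the `CWE` entry but keeps its prefix and yields a URL ending in `cwe-79.html`. Strip only a leading prefix, case-insensitively: `vuln_id = str(vulnerability_id)` followed by `if vuln_id.upper().startswith(f"{key}-"): vuln_id = vuln_id[len(key) + 1:]`. The identifier is still concatenated into the URL unencoded, as the pre-existing line below does; since these ids come from imported scan data, passing `vuln_id` through `urllib.parse.quote` (if not already imported here) is cheap insurance.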
@@ -96,7 +96,7 @@ def get_findings(self, filename, test):
 finding.unsaved_req_resp = [{"req": request, "resp": response}]
 finding.unsaved_endpoints = [Endpoint.from_uri(url)]
 if item.get("FirstSeenDate"):
- parseddate = parser.parse(item["FirstSeenDate"])
+ parseddate = parser.parse(item["FirstSeenDate"], dayfirst=True)
 finding.date = parseddate
 if dupe_key in dupes:
 find = dupes[dupe_key]
diff --git a/dojo/tools/acunetix/parse_acunetix_xml.py b/dojo/tools/acunetix/parse_acunetix_xml.py
index eb1e64d16a4..c744903b2ed 100644
--- a/dojo/tools/acunetix/parse_acunetix_xml.py
+++ b/dojo/tools/acunetix/parse_acunetix_xml.py
@@ -26,7 +26,7 @@ def get_findings(self, filename, test):
 # get report date
 if scan.findtext("StartTime") and "" != scan.findtext("StartTime"):
 report_date = dateutil.parser.parse(
- scan.findtext("StartTime"),
+ scan.findtext("StartTime"), dayfirst=True,
 ).date()
 for item in scan.findall("ReportItems/ReportItem"):
 finding = Finding(
diff --git a/dojo/tools/awssecurityhub/compliance.py b/dojo/tools/awssecurityhub/compliance.py
index 5fea1a8a786..1f97da12b7b 100644
--- a/dojo/tools/awssecurityhub/compliance.py
+++ b/dojo/tools/awssecurityhub/compliance.py
@@ -1,4 +1,4 @@
-from datetime import datetime
+import datetime
 from dojo.models import Finding
@@ -31,11 +31,11 @@ def get_item(self, finding: dict, test):
 active = False
 if finding.get("LastObservedAt", None):
 try:
- mitigated = datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%S.%fZ")
+ mitigated = datetime.datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%S.%fZ")
 except Exception:
- mitigated = datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%fZ")
+ mitigated = datetime.datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%fZ")
 else:
- mitigated = datetime.utcnow()
+ mitigated = datetime.datetime.now(datetime.UTC)
 else:
 mitigated = None
 is_Mitigated = False
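Review bot: In compliance.py the `else` branch now yields an aware datetime, `datetime.datetime.now(datetime.UTC)`, while both `strptime` branches above it still produce naive values, so `mitigated` is sometimes aware and sometimes naive; comparing or ordering the two raises `TypeError`, and with `USE_TZ` enabled Django warns on the naive ones. The format strings end in a literal `Z`, so the parsed values are UTC and can be made aware in place with `.replace(tzinfo=datetime.UTC)`. The same split appears in guardduty.py and inspector.py, and checkmarx_one's `_parse_date` now returns aware from the dict branch but whatever `parser.parse` yields for strings. `datetime.UTC` needs Python 3.11, which I assume matches the project's floor.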
diff --git a/dojo/tools/awssecurityhub/guardduty.py b/dojo/tools/awssecurityhub/guardduty.py
index 40b26649500..fbc1346697e 100644
--- a/dojo/tools/awssecurityhub/guardduty.py
+++ b/dojo/tools/awssecurityhub/guardduty.py
@@ -1,4 +1,4 @@
-from datetime import datetime
+import datetime
 from dojo.models import Endpoint, Finding
@@ -25,11 +25,11 @@ def get_item(self, finding: dict, test):
 is_Mitigated = True
 if finding.get("LastObservedAt", None):
 try:
- mitigated = datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%S.%fZ")
+ mitigated = datetime.datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%S.%fZ")
 except Exception:
- mitigated = datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%fZ")
+ mitigated = datetime.datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%fZ")
 else:
- mitigated = datetime.utcnow()
+ mitigated = datetime.datetime.now(datetime.UTC)
 description = f"This is a GuardDuty Finding\n{finding.get('Description', '')}" + "\n"
 description += f"**AWS Finding ARN:** {finding_id}\n"
 if finding.get("SourceUrl"):
diff --git a/dojo/tools/awssecurityhub/inspector.py b/dojo/tools/awssecurityhub/inspector.py
index 61b18be5bf8..3b0264bf951 100644
--- a/dojo/tools/awssecurityhub/inspector.py
+++ b/dojo/tools/awssecurityhub/inspector.py
@@ -1,4 +1,4 @@
-from datetime import datetime
+import datetime
 from dojo.models import Endpoint, Finding
@@ -48,11 +48,11 @@ def get_item(self, finding: dict, test):
 active = False
 if finding.get("LastObservedAt", None):
 try:
- mitigated = datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%S.%fZ")
+ mitigated = datetime.datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%S.%fZ")
 except Exception:
- mitigated = datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%fZ")
+ mitigated = datetime.datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%fZ")
 else:
- mitigated = datetime.utcnow()
+ mitigated = datetime.datetime.now(datetime.UTC)
 title_suffix = ""
 hosts = []
 for resource in finding.get("Resources", []):
diff --git a/dojo/tools/burp_enterprise/parser.py b/dojo/tools/burp_enterprise/parser.py
index aab8e565242..052d8a80f84 100644
--- a/dojo/tools/burp_enterprise/parser.py
+++ b/dojo/tools/burp_enterprise/parser.py
@@ -1,7 +1,7 @@
 import logging
 import re
-from lxml import etree
+from lxml import etree, html
 from dojo.models import Endpoint, Finding
@@ -9,6 +9,16 @@ class BurpEnterpriseParser:
+ vulnerability_list_xpath = (
+ "/html/body/div/div[contains(@class, 'section details')]/div[contains(@class, 'issue-container')]"
+ )
+ table_contents_xpath = "/html/body/div/div[contains(@class, 'section') and .//table[contains(@class, 'issue-table')]]"
+ description_headers = ["issue detail", "issue description"]
+ request_response_headers = ["request", "response"]
+ impact_headers = ["issue background", "issue remediation"]
+ mitigation_headers = ["remediation detail", "remediation background"]
+ references_headers = ["vulnerability classifications", "references"]
+
 def get_scan_types(self):
 return ["Burp Enterprise Scan"]
@@ -19,230 +29,231 @@ def get_description_for_scan_types(self, scan_type): return "Import Burp Enterprise Edition findings in HTML format" def get_findings(self, filename, test): - parser = etree.HTMLParser() - tree = etree.parse(filename, parser) + tree = html.parse(filename) if tree: return self.get_items(tree, test) return () - def get_content(self, container): + def _get_endpoints_title_severity_mapping(self, tree: etree.ElementTree) -> dict[str, str]: + """ + Construct a dict that contains mappings of endpoints and severities by a a title key. + + Example: { + "finding-title": { + "title": "finding-title", + "severity: "Medium", + "cwe": None, + "endpoints: [ + "http://127.0.0.1/path/A", + "http://127.0.0.1/path/B", + ], + } + } + """ + finding_mapping = {} + table_contents = tree.xpath(self.table_contents_xpath) + for table in table_contents: + # There is only one header in this div, so we will get a string back here + base_endpoint = table.xpath("h1")[0].text.replace("Issues found on ", "").removesuffix("/") + # Iterate over the table of endpoint paths and severities + title = None + for entry in table.xpath("table[contains(@class, 'issue-table')]/tbody/tr"): + # The etree.element with a class of "issue-type-row" is the title of the finding + if "issue-type-row" in entry.classes: + # The structure of this section is consistent + # ... [number-of-instances] + title = " ".join(entry.xpath("td")[0].text.strip().split(" ")[:-1]) + # Add the finding title as a new entry if needed + if title not in finding_mapping: + finding_mapping[title] = { + "title": title, + "severity": None, + "cwe": None, + "endpoints": [], + } + else: + # The structure of this section is consistent + # ... + # ... 
+ # Quick check to determine if we need to move to the + path = entry.xpath("td")[0].text.strip() + severity = entry.xpath("td")[1].text.strip() + # Update the finding_mapping + finding_mapping[title]["endpoints"].append(f"{base_endpoint}/{path.removeprefix('/')}") + finding_mapping[title]["severity"] = severity + + return finding_mapping + + def _get_content(self, container: etree.Element): + # quick exit in case container is not found s = "" + if container is None or (isinstance(container, list) and len(list) == 0): + return s + # Do some extra processing as needed if ( container.tag == "div" and container.text is not None and not container.text.isspace() and len(container.text) > 0 ): - s += ( + s += re.sub(r"[ \t]+", " ", ( "".join(container.itertext()) .strip() .replace("Snip", "\n<-------------- Snip -------------->") .replace("\t", "") - ) + )) else: for elem in container.iterchildren(): if elem.text is not None and elem.text.strip() != "": + stripped_text = elem.text.strip() if elem.tag == "a": - s += ( - "(" - + elem.text - + ")[" - + elem.attrib["href"] - + "]" - + "\n" - ) + value = "[" + stripped_text + "](" + elem.attrib["href"] + ")" + "\n" elif elem.tag == "p": - s += elem.text + "\n" + value = elem.text_content().strip().replace("\n", "") + elif elem.tag == "b": + value = f"**{stripped_text}**" elif elem.tag == "li": - s += "* " - if elem.text is not None: - s += elem.text + "\n" - elif elem.text.isspace(): - s += list(elem.itertext())[0] + value = "- " + if stripped_text is not None: + value += stripped_text + "\n" + elif stripped_text.isspace(): + value = list(elem.itertext())[0] elif elem.tag == "div" or elem.tag == "span": - s += elem.text.strip() + "\n" + value = elem.text_content().strip().replace("\n", "") + "\n" else: continue + s += re.sub(r"\s+", " ", value) else: - s += self.get_content(elem) + s += self._get_content(elem) return s - # Get the endpoints and severities associated with each vulnerability - def pre_allocate_items(self, 
tree): - items = [] - endpoint_text = tree.xpath( - "/html/body/div/div[contains(@class, 'section')]/h1", - ) - severities = tree.xpath( - "/html/body/div/div[contains(@class, 'section')]/table[contains(@class, 'issue-table')]/tbody", - ) - endpoint_text = [ - endpoint - for endpoint in endpoint_text - if ("Issues found" in "".join(endpoint.itertext()).strip()) - ] - - for index in range(len(severities)): - url = endpoint_text[index].text[16:] - sev_table = list(severities[index].iter("tr")) - - title = "" - endpoint = "" - for item in sev_table: - item_list = list(item.iter("td")) - if len(item_list) == 1: - title_list = item_list[0].text.strip().split(" ") - title = " ".join(title_list[:-1]) - else: - endpoint = item_list[0].text.strip() - severity = item_list[1].text.strip() - vuln = {} - vuln["Severity"] = severity - vuln["Title"] = title - vuln["Description"] = "" - vuln["Impact"] = "" - vuln["Mitigation"] = "" - vuln["References"] = "" - vuln["CWE"] = "" - vuln["Response"] = "" - vuln["Request"] = "" - vuln["Endpoint"] = [url + endpoint] - vuln["URL"] = url - items.append(vuln) - return items - - def get_items(self, tree, test): - # Check that there is at least one vulnerability (the vulnerabilities - # table is absent when no vuln are found) - vulns = tree.xpath( - "/html/body/div/div[contains(@class, 'section details')]/div[contains(@class, 'issue-container')]", - ) - if len(vulns) == 0: - return [] - - dict_index = 0 - description = ["Issue detail:", "Issue description"] - reqrsp = ["Request", "Response"] - impact = ["Issue background", "Issue remediation"] - mitigation = ["Remediation detail:", "Remediation background"] - references = ["Vulnerability classifications", "References"] - vuln = None - merge = False - items = self.pre_allocate_items(tree) - for issue in vulns: - elems = list(issue.iterchildren()) - curr_vuln = items[dict_index] - if vuln is None or ( - curr_vuln["Title"] != vuln["Title"] - or curr_vuln["URL"] != vuln["URL"] - ): - vuln = 
curr_vuln - merge = False - else: - if curr_vuln["Endpoint"][0] not in vuln["Endpoint"]: - vuln_list = vuln["Endpoint"] - vuln_list.append(curr_vuln["Endpoint"][0]) - vuln["Endpoint"] = vuln_list - merge = True - - for index in range(3, len(elems), 2): - primary, secondary = ( - elems[index].text.strip(), - elems[index + 1], - ) - field = self.get_content(secondary) - webinfo = primary.split(":")[0] - details = "**" + primary + "**\n" + field + "\n\n" - # Description - if primary in description: - if merge: - if field != vuln["Description"].split("\n")[1]: - vuln["Description"] = ( - vuln["Description"] + field + "\n\n" - ) - else: - vuln["Description"] = vuln["Description"] + details - # Impact - if primary in impact and not merge: - vuln["Impact"] = vuln["Impact"] + details - # Mitigation - if primary in mitigation and not merge: - vuln["Mitigation"] = vuln["Mitigation"] + details - # References and CWE - if primary in references and not merge: - if len(vuln["CWE"]) < 1 and field.find("CWE") != -1: - vuln["CWE"] += str(self.get_cwe(field)) - vuln["References"] = vuln["References"] + details - # Request and Response pairs - if webinfo in reqrsp: - if webinfo == "Request": - vuln["Request"] = vuln["Request"] + field + "SPLITTER" + def _format_bulleted_lists(self, finding_details: dict, div_element: etree.ElementTree) -> tuple[str, list[str]]: + """Create a mapping of bulleted lists with links into a formatted list, as well as the raw values.""" + formatted_string = "" + content_list = [] + for a_tag in div_element.xpath("ul/li/a"): + content = re.sub(r"\s+", " ", a_tag.text.strip()) + link = a_tag.attrib["href"] + formatted_string += f"- [{content}]({link})\n" + content_list.append(content) + + return formatted_string, content_list + + def _set_or_append_content(self, finding_details: dict, header: str, div_element: etree.ElementTree) -> None: + """Determine whether we should set or append content in a given place.""" + header = header.replace(":", "") + field = 
None + # description + if header.lower() in self.description_headers: + field = "description" + content = self._get_content(div_element) + elif header.lower() in self.impact_headers: + field = "impact" + content = self._get_content(div_element) + elif header.lower() in self.mitigation_headers: + field = "mitigation" + content = self._get_content(div_element) + elif header.lower() in self.references_headers: + field = "references" + content, data_list = self._format_bulleted_lists(finding_details, div_element) + # process the vulnerability_ids if we have them + if header.lower() == "vulnerability classifications": + for item in data_list: + cleaned_item = item.split(":")[0] + if ( + finding_details["cwe"] is None + and (cwe_search := re.search("CWE-([0-9]*)", cleaned_item, re.IGNORECASE)) + ): + finding_details["cwe"] = int(cwe_search.group(1)) + if "vulnerability_ids" not in finding_details: + finding_details["vulnerability_ids"] = [cleaned_item] else: - vuln["Response"] = ( - vuln["Response"] + field + "SPLITTER" - ) - - dict_index += 1 - - return list(self.create_findings(items, test)) - - def get_cwe(self, vuln_references): - # Match only the first CWE! 
- vuln_references = vuln_references.split(":")[0] - cweSearch = re.search("CWE-([0-9]*)", vuln_references, re.IGNORECASE) - if cweSearch: - return cweSearch.group(1) - return 0 - - def create_findings(self, items, test): - # Dictonary to hold the aggregated findings with: - # - key: the concatenated aggregate keys - # - value: the finding - dupes = {} - for details in items: - if details.get("Description") == "": - continue - aggregateKeys = "{}{}{}{}".format( - details.get("Title"), - details.get("Description"), - details.get("CWE"), - details.get("Endpoint"), - ) - detail_cwe = None - if details.get("CWE"): - detail_cwe = int(details.get("CWE")) - find = Finding( - title=details.get("Title"), - description=details.get("Description"), + finding_details["vulnerability_ids"].append(cleaned_item) + elif header.lower() in self.request_response_headers: + field = "request_response" + content = self._get_content(div_element) + if header.lower() == "request": + if "requests" not in finding_details: + finding_details["requests"] = [content] + else: + finding_details["requests"].append(content) + if header.lower() == "response": + if "responses" not in finding_details: + finding_details["responses"] = [content] + else: + finding_details["responses"].append(content) + return + + else: + return + + formatted_content = f"**{header}**:\n{content}\n" + if (existing_field := finding_details.get(field)) is not None: + if header not in existing_field: + finding_details[field] += f"{formatted_content}\n---\n" + else: + finding_details[field] = f"{formatted_content}\n---\n" + + def _parse_elements_by_h3_element(self, issue: etree.Element, finding_details: dict) -> None: + for header_element in issue.xpath("h3"): + if (div_element := header_element.getnext()) is not None and div_element.tag == "div": + # Determine where to put the content + self._set_or_append_content(finding_details, header_element.text.strip(), div_element) + + def get_items(self, tree: etree.ElementTree, test): + 
finding_details = self._get_endpoints_title_severity_mapping(tree) + for issue in tree.xpath(self.vulnerability_list_xpath): + # Get the title of the current finding + title = issue.xpath("h2")[0].text.strip() + # Fetch the bodies of the issues and process them + self._parse_elements_by_h3_element(issue, finding_details[title]) + # Accommodate a newer format where request/response pairs in a separate div + for request_response_div in issue.xpath("div[contains(@class, 'evidence-container')]"): + # Fetch the bodies of the issues and process them + self._parse_elements_by_h3_element(request_response_div, finding_details[title]) + # Merge the requests and response into a single dict + requests = finding_details[title].pop("requests", []) + responses = finding_details[title].pop("responses", []) + finding_details[title]["request_response_pairs"] = [ + { + "request": requests[i] if i < len(requests) else None, + "response": responses[i] if i < len(responses) else None, + } + for i in range(max(len(requests), len(responses))) + ] + + return list(self.create_findings(finding_details, test)) + + def create_findings(self, findings_dict: dict[str, dict], test): + # Pop off a few items to be processes after the finding is saved + findings = [] + for finding_dict in findings_dict.values(): + endpoints = finding_dict.pop("endpoints", []) + request_response_pairs = finding_dict.pop("request_response_pairs", []) + vulnerability_ids = finding_dict.pop("vulnerability_ids", []) + # Crete the finding from the rest of the dict + finding = Finding( test=test, - severity=details.get("Severity"), - mitigation=details.get("Mitigation"), - references=details.get("References"), - impact=details.get("Impact"), - cwe=detail_cwe, false_p=False, duplicate=False, out_of_scope=False, mitigated=None, static_finding=False, dynamic_finding=True, - nb_occurences=1, + **finding_dict, ) + # Add the unsaved versions of the other things + # Endpoints + finding.unsaved_endpoints = 
[Endpoint.from_uri(endpoint) for endpoint in endpoints]
+ # Request Response Pairs
- if len(details.get("Request")) > 0:
- requests = details.get("Request").split("SPLITTER")[:-1]
- responses = details.get("Response").split("SPLITTER")[:-1]
- unsaved_req_resp = []
- for index in range(len(requests)):
- unsaved_req_resp.append(
- {"req": requests[index], "resp": responses[index]},
- )
- find.unsaved_req_resp = unsaved_req_resp
-
- find.unsaved_endpoints = []
- dupes[aggregateKeys] = find
-
- for url in details.get("Endpoint"):
- find.unsaved_endpoints.append(Endpoint.from_uri(url))
+ finding.unsaved_req_resp = [
+ {"req": request_response.get("request"), "resp": request_response.get("response")}
+ for request_response in request_response_pairs
+ ]
+ # Vulnerability IDs
+ finding.unsaved_vulnerability_ids = vulnerability_ids
+ # Add the finding to the final list
+ findings.append(finding)
- return list(dupes.values())
+ return findings
diff --git a/dojo/tools/checkmarx/parser.py b/dojo/tools/checkmarx/parser.py
index 0d5607f5095..6e832723f95 100644
--- a/dojo/tools/checkmarx/parser.py
+++ b/dojo/tools/checkmarx/parser.py
@@ -368,7 +368,7 @@ def _parse_date(self, value):
 if isinstance(value, str):
 return parser.parse(value).date()
 if isinstance(value, dict) and isinstance(value.get("seconds"), int):
- return datetime.datetime.utcfromtimestamp(value.get("seconds")).date()
+ return datetime.datetime.fromtimestamp(value.get("seconds"), datetime.UTC).date()
 return None
 def _get_findings_json(self, file, test):
diff --git a/dojo/tools/checkmarx_one/parser.py b/dojo/tools/checkmarx_one/parser.py
index f8896c0b271..7a85cd521d5 100644
--- a/dojo/tools/checkmarx_one/parser.py
+++ b/dojo/tools/checkmarx_one/parser.py
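Review bot: The new guard in `_get_content`, `if container is None or (isinstance(container, list) and len(list) == 0)`, calls `len` on the builtin type `list` instead of on `container`, so an empty list raises `TypeError` rather than returning `""`; it should read `len(container) == 0`. In the same method the `li` branch can never reach `elif stripped_text.isspace()`, because `stripped_text` is the non-empty result of `strip()` checked two lines earlier, so that branch is dead code. In `get_items`, `finding_details[title]` assumes every `h2` title in the details section was also seen in the summary table by `_get_endpoints_title_severity_mapping`; a whitespace or wording difference raises `KeyError` for the whole import, so a `.get()` with a logged skip, or `setdefault`, would be safer. `_format_bulleted_lists` also takes a `finding_details` argument it never reads.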
@@ -22,7 +22,7 @@ def _parse_date(self, value):
 if isinstance(value, str):
 return parser.parse(value)
 if isinstance(value, dict) and isinstance(value.get("seconds"), int):
- return datetime.datetime.utcfromtimestamp(value.get("seconds"))
+ return datetime.datetime.fromtimestamp(value.get("seconds"), datetime.UTC)
 return None
 def _parse_cwe(self, cwe):
diff --git a/dojo/tools/contrast/parser.py b/dojo/tools/contrast/parser.py
index 3fe340144a8..6409c0eea3d 100644
--- a/dojo/tools/contrast/parser.py
+++ b/dojo/tools/contrast/parser.py
@@ -41,9 +41,7 @@ def get_findings(self, filename, test):
 severity = row.get("Severity")
 if severity == "Note":
 severity = "Info"
- date_raw = datetime.datetime.utcfromtimestamp(
- int(row.get("First Seen")) / 1000,
- )
+ date_raw = datetime.datetime.fromtimestamp(int(row.get("First Seen")) / 1000, datetime.UTC)
 finding = Finding(
 title=title.split(" from")[0],
 date=date_raw,
diff --git a/dojo/tools/dependency_check/parser.py b/dojo/tools/dependency_check/parser.py
index 1d4a167429d..8f87042b63a 100644
--- a/dojo/tools/dependency_check/parser.py
+++ b/dojo/tools/dependency_check/parser.py
@@ -1,7 +1,7 @@
+import datetime
 import hashlib
 import logging
 import re
-from datetime import datetime
 import dateutil
 from cpe import CPE
@@ -302,7 +302,7 @@ def get_finding_from_vulnerability(
 mitigation + f"Update {component_name}:{component_version} to at least the version recommended in the description"
 )
- mitigated = datetime.utcnow()
+ mitigated = datetime.datetime.now(datetime.UTC)
 is_Mitigated = True
 active = False
 tags.append("suppressed")
diff --git a/dojo/tools/generic/json_parser.py b/dojo/tools/generic/json_parser.py
index 296209f3d23..0a09a9deda2 100644
--- a/dojo/tools/generic/json_parser.py
+++ b/dojo/tools/generic/json_parser.py
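Review bot: `datetime.datetime.fromtimestamp(value.get("seconds"), datetime.UTC)` returns a timezone-aware datetime where `utcfromtimestamp` returned a naive one, so `_parse_date` now yields an aware value from the dict branch but, for strings without an offset, still a naive one from `parser.parse(value)`; comparing or subtracting the two raises TypeError. The same naive-to-aware switch happens in the contrast (`date_raw`), dependency_check (`mitigated`) and wpscan (`report_date`) hunks; the checkmarx hunk is unaffected because it calls `.date()`. If aware datetimes are the intended contract, make the string branch match, e.g. `parsed = parser.parse(value)` followed by `return parsed if parsed.tzinfo else parsed.replace(tzinfo=datetime.UTC)`. Note that `datetime.UTC` exists only from Python 3.11, and the `from datetime import datetime` → `import datetime` switch in dependency_check and wpscan would break any other bare `datetime(...)` use in those files, which the hunks do not show.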
@@ -1,4 +1,8 @@
-from dojo.models import Endpoint, Finding
+import base64
+
+from django.core.files.base import ContentFile
+
+from dojo.models import Endpoint, FileUpload, Finding
 from dojo.tools.parser_test import ParserTest
@@ -103,6 +107,11 @@ def _get_test_json(self, data):
 endpoint = Endpoint(**endpoint_item)
 finding.unsaved_endpoints.append(endpoint)
 if unsaved_files:
+ for unsaved_file in unsaved_files:
+ data = base64.b64decode(unsaved_file.get("data"))
+ title = unsaved_file.get("title", "")
+ FileUpload(title=title, file=ContentFile(data)).clean()
+
 finding.unsaved_files = unsaved_files
 if finding.cve:
 finding.unsaved_vulnerability_ids = [finding.cve]
diff --git a/dojo/tools/ms_defender/parser.py b/dojo/tools/ms_defender/parser.py
index ad909168c26..cfa9db5c0cf 100644
--- a/dojo/tools/ms_defender/parser.py
+++ b/dojo/tools/ms_defender/parser.py
@@ -131,7 +131,7 @@ def process_zip(self, vulnerability, machine):
 self.findings.append(finding)
 finding.unsaved_endpoints = []
 if machine["computerDnsName"] is not None:
- finding.unsaved_endpoints.append(Endpoint(host=str(machine["computerDnsName"])))
+ finding.unsaved_endpoints.append(Endpoint(host=str(machine["computerDnsName"]).replace(" ", "").replace("(", "_").replace(")", "_")))
 if machine["lastIpAddress"] is not None:
 finding.unsaved_endpoints.append(Endpoint(host=str(machine["lastIpAddress"])))
 if machine["lastExternalIpAddress"] is not None:
diff --git a/dojo/tools/semgrep/parser.py b/dojo/tools/semgrep/parser.py
index 883fcc4f31a..39f72f8b431 100644
--- a/dojo/tools/semgrep/parser.py
+++ b/dojo/tools/semgrep/parser.py
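Review bot: `data = base64.b64decode(unsaved_file.get("data"))` rebinds the enclosing function's own parameter (`def _get_test_json(self, data)` in the hunk header), so any later use of `data` in that function, which lies outside the hunk, would now see decoded file bytes instead of the parsed report. The decode is also unguarded on attacker-controlled report content: a missing `data` key makes `b64decode(None)` raise TypeError and malformed padding raises `binascii.Error`, both surfacing as an unexplained parser crash rather than an import-validation error. Renaming the local and turning decode failures into a ValueError with the file title keeps the upload path from tripping over bad input; `ContentFile`/`FileUpload(...).clean()` are kept as the commit wrote them.
```python
            if unsaved_files:
                for unsaved_file in unsaved_files:
                    encoded = unsaved_file.get("data")
                    if not isinstance(encoded, str):
                        msg = "Each unsaved file needs a base64-encoded 'data' string"
                        raise ValueError(msg)
                    try:
                        file_data = base64.b64decode(encoded)
                    except ValueError as e:  # binascii.Error is a ValueError subclass
                        msg = f"File {unsaved_file.get('title', '')!r} has invalid base64 'data'"
                        raise ValueError(msg) from e
                    FileUpload(title=unsaved_file.get("title", ""), file=ContentFile(file_data)).clean()
                # … unchanged: finding.unsaved_files assignment …
```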
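Review bot: The chained `.replace(" ", "").replace("(", "_").replace(")", "_")` on `computerDnsName` carries no comment saying why exactly spaces and parentheses are special-cased, which makes the line look arbitrary to the next reader; a one-liner such as `# computerDnsName may contain spaces/parentheses that Endpoint's host validation presumably rejects; normalise them` would document the intent. Any other character invalid in a hostname would presumably still fail in the same place, so this reads as a targeted fix for one report shape; confirm against the sample that motivated it and, if the rule grows, move it into a small named helper rather than extending the chain.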
@@ -137,15 +137,8 @@ def convert_severity(self, val):
 return "Medium"
 if upper_value in ["ERROR", "HIGH"]:
 return "High"
- if upper_value == "LOW":
+ if upper_value in ["LOW", "INFO"]:
 return "Low"
- if upper_value == "INFO":
- if "WARNING" == val.upper():
- return "Medium"
- if "ERROR" == val.upper() or "HIGH" == val.upper():
- return "High"
- if "INFO" == val.upper():
- return "Info"
 msg = f"Unknown value for severity: {val}"
 raise ValueError(msg)
diff --git a/dojo/tools/wpscan/parser.py b/dojo/tools/wpscan/parser.py
index 95c0a8c4c20..2ba6b5016b7 100644
--- a/dojo/tools/wpscan/parser.py
+++ b/dojo/tools/wpscan/parser.py
@@ -1,6 +1,6 @@
+import datetime
 import hashlib
 import json
-from datetime import datetime
 from dojo.models import Endpoint, Finding
@@ -89,7 +89,7 @@ def get_findings(self, file, test):
 report_date = None
 if "start_time" in tree:
- report_date = datetime.utcfromtimestamp(tree.get("start_time"))
+ report_date = datetime.datetime.fromtimestamp(tree.get("start_time"), datetime.UTC)
 dupes = {}
 # manage plugin findings
diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml
index b61326d1b8d..9d7a99e3609 100644
--- a/helm/defectdojo/Chart.yaml
+++ b/helm/defectdojo/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: "2.41.0-dev"
 description: A Helm chart for Kubernetes to install DefectDojo
 name: defectdojo
-version: 1.6.159-dev
+version: 1.6.160-dev
 icon: https://www.defectdojo.org/img/favicon.ico
 maintainers:
 - name: madchap
diff --git a/helm/defectdojo/templates/_helpers.tpl b/helm/defectdojo/templates/_helpers.tpl
index 14256e88190..c3e0026c2ef 100644
--- a/helm/defectdojo/templates/_helpers.tpl
+++ b/helm/defectdojo/templates/_helpers.tpl
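Review bot: `if upper_value in ["LOW", "INFO"]: return "Low"` changes the result for Semgrep's INFO level: in the removed block the inner `if "INFO" == val.upper(): return "Info"` was reachable (the outer condition is the same test), so INFO previously mapped to "Info" and now maps to "Low", which re-rates those findings on reimport and can affect deduplication and SLA handling. Only the two nested WARNING/ERROR checks were dead code; if the intent was merely to remove them, keep the old mapping with `if upper_value == "INFO": return "Info"` and leave the LOW branch as it was. If the promotion to Low is deliberate, a comment on the line saying so would stop the next reader from "fixing" it back; `convert_severity` starts outside the hunk.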
@@ -102,8 +102,12 @@ Create chart name and version as used by the chart label.
 {{- end -}}
 {{- define "initializer.jobname" -}}
+{{- if .Values.initializer.staticName -}}
+{{ .Release.Name }}-initializer
+{{- else -}}
 {{ .Release.Name }}-initializer-{{- printf "%s" now | date "2006-01-02-15-04" -}}
 {{- end -}}
+{{- end -}}
 {{/*
 Creates the array for DD_ALLOWED_HOSTS in configmap
diff --git a/helm/defectdojo/templates/initializer-job.yaml b/helm/defectdojo/templates/initializer-job.yaml
index b078a1fdc64..7ed4abbde51 100644
--- a/helm/defectdojo/templates/initializer-job.yaml
+++ b/helm/defectdojo/templates/initializer-job.yaml
@@ -66,6 +66,10 @@ spec:
 - secretRef:
 name: {{ $fullName }}
 optional: true
+ env:
+ {{- with .Values.extraEnv }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 containers:
 {{- if .Values.cloudsql.enabled }}
 - name: cloudsql-proxy
@@ -118,8 +122,8 @@ spec:
 name: {{ .Values.postgresqlha.postgresql.existingSecret }}
 key: postgresql-postgres-password
 {{- end }}
- {{- if .Values.extraEnv }}
- {{- toYaml .Values.extraEnv | nindent 8 }}
+ {{- with .Values.extraEnv }}
+ {{- toYaml . | nindent 8 }}
 {{- end }}
 resources:
 {{- toYaml .Values.initializer.resources | nindent 10 }}
diff --git a/helm/defectdojo/values.yaml b/helm/defectdojo/values.yaml
index b2d0422bc2c..f480810d432 100644
--- a/helm/defectdojo/values.yaml
+++ b/helm/defectdojo/values.yaml
@@ -365,6 +365,11 @@ initializer:
 # @type: array
 extraVolumes: []
+ # staticName defines whether name of the job will be the same (e.g., "defectdojo-initializer")
+ # or different every time - generated based on current time (e.g., "defectdojo-initializer-2024-11-11-18-57")
+ # This might be handy for ArgoCD deployments
+ staticName: false
+
 postgresql:
 enabled: true
 auth:
diff --git a/requirements.txt b/requirements.txt
index 44de6f7f145..8a7d6ac28d9 100644
--- a/requirements.txt
+++ b/requirements.txt
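Review bot: With `staticName` enabled, `initializer.jobname` renders the same Job name on every release, and a Kubernetes Job's pod template is immutable, so a later `helm upgrade` that changes the initializer's image, env or resources will fail with an immutable-field error unless something deletes the previous Job first; the timestamp suffix the `else` branch keeps was presumably what sidestepped this. Whether the Job carries hook annotations with a delete policy is not visible in this hunk, so please confirm, and either document the constraint or wire the static-name mode to such a policy. A sentence in the values.yaml comment that the change also adds, e.g. `# With staticName the Job is reused across releases; ensure the previous Job is removed (e.g. by your GitOps tool or a hook delete policy) before upgrading, as Job specs are immutable`, would tell chart users what to expect.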
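Review bot: In the `@@ -66,6 +66,10 @@` hunk of initializer-job.yaml the `env:` key is emitted unconditionally while its value is only produced inside `{{- with .Values.extraEnv }}`, so with the default empty `extraEnv` that container renders `env:` with a null value; the API server tolerates `env: null`, but schema validators and `helm lint --strict` commonly flag it, and it differs from the second hunk where `{{- with }}` wraps only the list items under an already-present `env:` key. Moving the key inside the guard keeps the rendered manifest clean: `{{- with .Values.extraEnv }}` / `env:` / `{{- toYaml . | nindent 8 }}` / `{{- end }}`. The surrounding container block starts and ends outside the hunk, so check that no other `env:` entry already exists on this container, which would make the added key a duplicate.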
@@ -69,7 +69,7 @@ django-ratelimit==4.1.0 argon2-cffi==23.1.0 blackduck==1.1.3 pycurl==7.45.3 # Required for Celery Broker AWS (SQS) support -boto3==1.35.54 # Required for Celery Broker AWS (SQS) support +boto3==1.35.56 # Required for Celery Broker AWS (SQS) support netaddr==1.3.0 vulners==2.2.3 fontawesomefree==6.6.0 diff --git a/ruff.toml b/ruff.toml index 26186e34e9a..953c7e96f2c 100644 --- a/ruff.toml +++ b/ruff.toml @@ -41,7 +41,7 @@ select = [ "UP", "YTT", "ASYNC", - "S2", "S5", "S7", "S101", "S104", "S105", "S112", "S311", + "S2", "S5", "S7", "S101", "S104", "S105", "S108", "S112", "S311", "FBT001", "FBT003", "A003", "A004", "A006", "COM", @@ -102,6 +102,7 @@ preview = true [lint.per-file-ignores] "unittests/**" = [ "S105", # hardcoded passwords in tests are fine + "S108", # tmp paths mentioned in tests are fine ] [lint.flake8-boolean-trap] diff --git a/unittests/scans/acunetix/issue_11206.json b/unittests/scans/acunetix/issue_11206.json new file mode 100644 index 00000000000..829c2083aed --- /dev/null +++ b/unittests/scans/acunetix/issue_11206.json @@ -0,0 +1,57 @@ +{ + "Generated": "25/06/2021 09:59 AM", + "Target": { + "Duration": "00:00:41.3968969", + "Initiated": "25/06/2021 09:53 AM", + "ScanId": "663eb6e88d9e4f4d9e00ad52017aa66d", + "Url": "http://php.testsparker.com/" + }, + "Vulnerabilities": [ + { + "Certainty": 100, + "Classification": null, + "Confirmed": true, + "Description": "

Acunetix360 identified a cookie not marked as HTTPOnly.

\n

HTTPOnly cookies cannot be read by client-side scripts, therefore marking a cookie as HTTPOnly can provide an additional layer of protection against cross-site scripting attacks.

", + "ExploitationSkills": "", + "ExternalReferences": "
", + "ExtraInformation": [ + { + "Name": "Identified Cookie(s)", + "Value": "PHPSESSID" + }, + { + "Name": "Cookie Source", + "Value": "HTTP Header" + }, + { + "Name": "Page Type", + "Value": "Login" + } + ], + "FirstSeenDate": "12/06/2021 12:30 PM", + "HttpRequest": { + "Content": "GET /auth/login.php HTTP/1.1\r\nHost: php.testsparker.com\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\r\nAccept-Language: en-us,en;q=0.5\r\nCache-Control: no-cache\r\nReferer: http://php.testsparker.com/auth/\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36\r\nX-Scanner: Acunetix360\r\n\r\n", + "Method": "GET", + "Parameters": [] + }, + "HttpResponse": { + "Content": "HTTP/1.1 200 OK\r\nSet-Cookie: PHPSESSID=e52a07f0fe53c0294ae211bc4481332d; path=/\r\nServer: Apache/2.2.8 (Win32) PHP/5.2.6\r\nContent-Length: 3061\r\nX-Powered-By: PHP/5.2.6\r\nPragma: no-cache\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\n\n\n", + "Duration": 41.4849, + "StatusCode": 200 + }, + "LookupId": "735f4503-e9eb-4b4c-4306-ad49020a4c4b", + "Impact": "
During a cross-site scripting attack, an attacker might easily access cookies and hijack the victim's session.
", + "KnownVulnerabilities": [], + "LastSeenDate": "25/06/2021 01:52 AM", + "Name": "Cookie Not Marked as HttpOnly", + "ProofOfConcept": "", + "RemedialActions": "
\n
    \n
  1. See the remedy for solution.
  2. \n
  3. Consider marking all of the cookies used by the application as HTTPOnly. (After these changes javascript code will not be able to read cookies.)
  4. \n
\n
", + "RemedialProcedure": "
Mark the cookie as HTTPOnly. This will be an extra layer of defense against XSS. However this is not a silver bullet and will not protect the system against cross-site scripting attacks. An attacker can use a tool such as XSS Tunnel to bypass HTTPOnly protection.
", + "RemedyReferences": "", + "Severity": "Medium", + "State": "Present", + "Type": "CookieNotMarkedAsHttpOnly", + "Url": "http://php.testsparker.com/auth/login.php" + } + ] +} \ No newline at end of file diff --git a/unittests/scans/burp_enterprise/many_vulns_updated_format.html b/unittests/scans/burp_enterprise/many_vulns_updated_format.html new file mode 100644 index 00000000000..614ac1413bf --- /dev/null +++ b/unittests/scans/burp_enterprise/many_vulns_updated_format.html @@ -0,0 +1,7391 @@ + + + + Scan Remediation Report #150 + + + + + + +
+
+ +
+
+

Scan Remediation

+

Report

+
+ +
+ +
+ Generated by Burp Suite Enterprise Edition | 2024-11-06 12:41 PM +
+ +
+ + + + + + + +
+
Site name:
+
m
+
Scanned:
+ + + + + + + + + + + +
+
Start:
+
+
2024-11-05 4:59 PM
+
+
End:
+
+
2024-11-05 5:13 PM
+
+
Duration:
+
13m 53s
+
Status:
+
Completed
+
+
Start URLs:
+
https://instance.example.com/fe/m3/m-login
+ +
In-scope URL prefixes:
+
https://instance.example.com/fe/m3/
+
https://instance.example.com/m/v3/
+ +
Application logins:
+
DEMOMX m login only (no clerk)
+ +
Reference:
+ +
+ #150 +
+
+
+ +
+ + + + + + + +
+

Issues by severity

+ + + + + + + + + + + + + + + + + + + + + + + +
High:0
Medium:0
Low:11
Information:44
Total issues found:55
+
+

Scan statistics

+ + + + + + + + + + + + + + + + + + + + + + + +
Discovered URLs:44
Audited URLs without errors:9
Audited URLs with errors:1
Requests made:12354
Network errors:28
+
+
+ +
+ +
+

Issues found on https://instance.example.com


URLs By issue typeSeverityConfidenceMore detail
Strict transport security not enforced [7]
LowCertain>>
LowCertain>>
LowCertain>>
LowCertain>>
LowCertain>>
LowCertain>>
LowCertain>>
Open redirection (DOM-based) [4]
LowTentative>>
LowTentative>>
LowTentative>>
LowTentative>>
TLS certificate [1]
InfoCertain>>
Content security policy: allows untrusted script execution [7]
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
Content security policy: allows untrusted style execution [7]
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
Content security policy: allows form hijacking [7]
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
Cross-origin resource sharing [6]
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
Cross-origin resource sharing: arbitrary origin trusted [6]
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
Robots.txt file [1]
InfoCertain>>
Cacheable HTTPS response [1]
InfoCertain>>
DOM data manipulation (DOM-based) [6]
InfoFirm>>
InfoFirm>>
InfoFirm>>
InfoFirm>>
InfoFirm>>
InfoFirm>>
+
+
+ +
+

Issues found on http://instance.example.com

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
URLs By issue typeSeverityConfidenceMore detail
Input returned in response (reflected) [2]
InfoCertain>>
InfoCertain>>
+
+ +
+ +
+

More details for https://instance.example.com

+
+ +
+
+ +

Strict transport security not enforced

+ /fe/m3/m-login + +

+ Issue description: +

+
+

The application fails to prevent users from connecting to it over unencrypted connections. An + attacker able to modify a legitimate user's network traffic could bypass the application's use + of SSL/TLS encryption, and use the application as a platform for attacks against its users. This + attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link + to the site from an HTTP page, their browser never attempts to use an encrypted connection. The + sslstrip tool automates this process.

+

+ To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify + the victim's network traffic.This scenario typically occurs when a client communicates with the + server over an insecure connection such as public Wi-Fi, or a corporate or home network that is + shared with a compromised computer. Common defenses such as switched networks are not sufficient + to prevent this. An attacker situated in the user's ISP or the application's hosting + infrastructure could also perform this attack. Note that an advanced adversary could potentially + target any connection made over the Internet's core infrastructure.

+
+ +

+ Issue remediation: +

+
+

The application should instruct web browsers to only access the application using HTTPS. To do + this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name + 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in + seconds that browsers should remember that the site should only be accessed using HTTPS. + Consider adding the 'includeSubDomains' flag if appropriate.

+

Note that because HSTS is a "trust on first use" (TOFU) protocol, a user who has never + accessed the application will never have seen the HSTS header, and will therefore still be + vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload' + flag to the HSTS header, and submit the domain for review by browser vendors.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+
+ +

Strict transport security not enforced

+ /m/v3/actions/action-log + +

+ Issue description: +

+
+

The application fails to prevent users from connecting to it over unencrypted connections. An + attacker able to modify a legitimate user's network traffic could bypass the application's use + of SSL/TLS encryption, and use the application as a platform for attacks against its users. This + attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link + to the site from an HTTP page, their browser never attempts to use an encrypted connection. The + sslstrip tool automates this process.

+

+ To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify + the victim's network traffic.This scenario typically occurs when a client communicates with the + server over an insecure connection such as public Wi-Fi, or a corporate or home network that is + shared with a compromised computer. Common defenses such as switched networks are not sufficient + to prevent this. An attacker situated in the user's ISP or the application's hosting + infrastructure could also perform this attack. Note that an advanced adversary could potentially + target any connection made over the Internet's core infrastructure.

+
+ +

+ Issue remediation: +

+
+

The application should instruct web browsers to only access the application using HTTPS. To do + this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name + 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in + seconds that browsers should remember that the site should only be accessed using HTTPS. + Consider adding the 'includeSubDomains' flag if appropriate.

+

Note that because HSTS is a "trust on first use" (TOFU) protocol, a user who has never + accessed the application will never have seen the HSTS header, and will therefore still be + vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload' + flag to the HSTS header, and submit the domain for review by browser vendors.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/action-log HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.2130470854.1730843985; _ga_0CGDK6Q0X4=GS1.1.1730843984.1.0.1730843986.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 118 + + {"name":"mLoginAttempt","category":"mConsolefe","data":{"deviceType":"Desktop","mName":""}} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:46 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Strict transport security not enforced

+ /m/v3/actions/event-log + +

+ Issue description: +

+
+

The application fails to prevent users from connecting to it over unencrypted connections. An + attacker able to modify a legitimate user's network traffic could bypass the application's use + of SSL/TLS encryption, and use the application as a platform for attacks against its users. This + attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link + to the site from an HTTP page, their browser never attempts to use an encrypted connection. The + sslstrip tool automates this process.

+

+ To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify + the victim's network traffic.This scenario typically occurs when a client communicates with the + server over an insecure connection such as public Wi-Fi, or a corporate or home network that is + shared with a compromised computer. Common defenses such as switched networks are not sufficient + to prevent this. An attacker situated in the user's ISP or the application's hosting + infrastructure could also perform this attack. Note that an advanced adversary could potentially + target any connection made over the Internet's core infrastructure.

+
+ +

+ Issue remediation: +

+
+

The application should instruct web browsers to only access the application using HTTPS. To do + this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name + 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in + seconds that browsers should remember that the site should only be accessed using HTTPS. + Consider adding the 'includeSubDomains' flag if appropriate.

+

Note that because HSTS is a "trust on first use" (TOFU) protocol, a user who has never + accessed the application will never have seen the HSTS header, and will therefore still be + vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload' + flag to the HSTS header, and submit the domain for review by browser vendors.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/event-log HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1245037457.1730843989; _ga_0CGDK6Q0X4=GS1.1.1730843988.1.0.1730843990.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 279 + + {"name":"ForgotPasswordButtonClicked","category":"mConsoleEvents","timestamp":1730843990,"data":{"currentURL":"https://instance.example.com/fe/m3/m-login","previou +
Snip
+
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:50 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Strict transport security not enforced

+ /m/v3/actions/login-m-by-name + +

+ Issue description: +

+
+

The application fails to prevent users from connecting to it over unencrypted connections. An + attacker able to modify a legitimate user's network traffic could bypass the application's use + of SSL/TLS encryption, and use the application as a platform for attacks against its users. This + attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link + to the site from an HTTP page, their browser never attempts to use an encrypted connection. The + sslstrip tool automates this process.

+

+ To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify + the victim's network traffic.This scenario typically occurs when a client communicates with the + server over an insecure connection such as public Wi-Fi, or a corporate or home network that is + shared with a compromised computer. Common defenses such as switched networks are not sufficient + to prevent this. An attacker situated in the user's ISP or the application's hosting + infrastructure could also perform this attack. Note that an advanced adversary could potentially + target any connection made over the Internet's core infrastructure.

+
+ +

+ Issue remediation: +

+
+

The application should instruct web browsers to only access the application using HTTPS. To do + this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name + 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in + seconds that browsers should remember that the site should only be accessed using HTTPS. + Consider adding the 'includeSubDomains' flag if appropriate.

+

Note that because HSTS is a "trust on first use" (TOFU) protocol, a user who has never + accessed the application will never have seen the HSTS header, and will therefore still be + vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload' + flag to the HSTS header, and submit the domain for review by browser vendors.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/login-m-by-name HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Authorization: Bearer undefined + Cookie: _ga=GA1.1.2130470854.1730843985; _ga_0CGDK6Q0X4=GS1.1.1730843984.1.0.1730843986.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 33 + + {"mName":"","password":""}
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:46 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Strict transport security not enforced

+ /m/v3/actions/request-m-password-reset + +

+ Issue description: +

+
+

The application fails to prevent users from connecting to it over unencrypted connections. An + attacker able to modify a legitimate user's network traffic could bypass the application's use + of SSL/TLS encryption, and use the application as a platform for attacks against its users. This + attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link + to the site from an HTTP page, their browser never attempts to use an encrypted connection. The + sslstrip tool automates this process.

+

+ To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify + the victim's network traffic.This scenario typically occurs when a client communicates with the + server over an insecure connection such as public Wi-Fi, or a corporate or home network that is + shared with a compromised computer. Common defenses such as switched networks are not sufficient + to prevent this. An attacker situated in the user's ISP or the application's hosting + infrastructure could also perform this attack. Note that an advanced adversary could potentially + target any connection made over the Internet's core infrastructure.

+
+ +

+ Issue remediation: +

+
+

The application should instruct web browsers to only access the application using HTTPS. To do + this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name + 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in + seconds that browsers should remember that the site should only be accessed using HTTPS. + Consider adding the 'includeSubDomains' flag if appropriate.

+

Note that because HSTS is a "trust on first use" (TOFU) protocol, a user who has never + accessed the application will never have seen the HSTS header, and will therefore still be + vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload' + flag to the HSTS header, and submit the domain for review by browser vendors.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/request-m-password-reset HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1294211964.1730843974; _ga_0CGDK6Q0X4=GS1.1.1730843974.1.1.1730843975.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/request-reset-password + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 94 + + {"mName":"BoSUhm","mEmail":"BoSUhmuz@burpcollaborator.net","mPhone":null} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:36 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Strict transport security not enforced

+ /m/v3/translations + +

+ Issue description: +

+
+

The application fails to prevent users from connecting to it over unencrypted connections. An + attacker able to modify a legitimate user's network traffic could bypass the application's use + of SSL/TLS encryption, and use the application as a platform for attacks against its users. This + attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link + to the site from an HTTP page, their browser never attempts to use an encrypted connection. The + sslstrip tool automates this process.

+

+ To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify + the victim's network traffic.This scenario typically occurs when a client communicates with the + server over an insecure connection such as public Wi-Fi, or a corporate or home network that is + shared with a compromised computer. Common defenses such as switched networks are not sufficient + to prevent this. An attacker situated in the user's ISP or the application's hosting + infrastructure could also perform this attack. Note that an advanced adversary could potentially + target any connection made over the Internet's core infrastructure.

+
+ +

+ Issue remediation: +

+
+

The application should instruct web browsers to only access the application using HTTPS. To do this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in seconds that browsers should remember that the site should only be accessed using HTTPS. Consider adding the 'includeSubDomains' flag if appropriate.

+

Note that because HSTS is a "trust on first use" (TOFU) protocol, a user who has never accessed the application will never have seen the HSTS header, and will therefore still be vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload' flag to the HSTS header, and submit the domain for review by browser vendors.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /m/v3/translations?locale=en_US&category=m-fe HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1871968749.1730843978; _ga_0CGDK6Q0X4=GS1.1.1730843977.1.1.1730843978.0.0.0 + Referer: https://instance.example.com/fe/m3/m-login + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:39 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Strict transport security not enforced

+ /m/v3/translations/locales + +

+ Issue description: +

+
+

The application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption, and use the application as a platform for attacks against its users. This attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link to the site from an HTTP page, their browser never attempts to use an encrypted connection. The sslstrip tool automates this process.

+

To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify the victim's network traffic. This scenario typically occurs when a client communicates with the server over an insecure connection such as public Wi-Fi, or a corporate or home network that is shared with a compromised computer. Common defenses such as switched networks are not sufficient to prevent this. An attacker situated in the user's ISP or the application's hosting infrastructure could also perform this attack. Note that an advanced adversary could potentially target any connection made over the Internet's core infrastructure.

+
+ +

+ Issue remediation: +

+
+

The application should instruct web browsers to only access the application using HTTPS. To do this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in seconds that browsers should remember that the site should only be accessed using HTTPS. Consider adding the 'includeSubDomains' flag if appropriate.

+

Note that because HSTS is a "trust on first use" (TOFU) protocol, a user who has never accessed the application will never have seen the HSTS header, and will therefore still be vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload' flag to the HSTS header, and submit the domain for review by browser vendors.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /m/v3/translations/locales?category=m-fe HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Referer: https://instance.example.com/fe/m3/m-login + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:24 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +
+
+
+ +

Open redirection (DOM-based)

+ /fe/m3/m-login + +

Issue detail:

+
The application may be vulnerable to DOM-based open redirection. Data is read from location.href and passed to xhr.send. (Reviewer note: the sink value captured in the dynamic analysis below is the body of an error-report POST to api.rollbar.com rather than a navigation target, so this finding should be confirmed manually before it is treated as an exploitable redirect.)
+ +

+ Issue background: +

+
+

DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of the DOM (for example, the URL) and processes this data in an unsafe way.

+ +

DOM-based open redirection arises when a script writes controllable data into the target of a redirection in an unsafe way. An attacker may be able to use the vulnerability to construct a URL that, if visited by another application user, will cause a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.

+

Note: If an attacker is able to control the start of the string that is passed to the redirection API, then it may be possible to escalate this vulnerability into a JavaScript injection attack, by using a URL with the javascript: pseudo-protocol to execute arbitrary script code when the URL is processed by the browser.

+ +

Burp Suite automatically identifies this issue using dynamic and static code analysis. Static analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not provided any evidence resulting from dynamic analysis, you should review the relevant code and execution paths to determine whether this vulnerability is indeed present, or whether mitigations are in place that would prevent exploitation.

+
+ +

+ Issue remediation: +

+
+

The most effective way to avoid DOM-based open redirection vulnerabilities is not to dynamically set redirection targets using data that originated from any untrusted source. If the desired functionality of the application means that this behavior is unavoidable, then defenses must be implemented within the client-side code to prevent malicious data from introducing an arbitrary URL as a redirection target. In general, this is best achieved by using a whitelist of URLs that are permitted redirection targets, and strictly validating the target against this list before performing the redirection.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+

Dynamic analysis:

+
+

Data is read from location.href and passed to xhr.send.

+
    +
  • +

    The following value was injected into the source:

    +
    https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'"/iepuap2p8w/><iepuap2p8w/\>fwqsx8nplw&#iepuap2p8w=iepuap2p8w%27%22`'"/iepuap2p8w/><iepuap2p8w/\>fwqsx8nplw&
    +
  • + +
  • +

    The previous value reached the sink:

    +
    {"access_token":"ed227e6e767e4584a5b3c10dc8b68c2a","data":{"environment":"development","level":"error","endpoint":"api.rollbar.com/api/1/item/","platform":"browser","framework":"browser-js","language":"javascript","server":{},"uuid":"a4231093-6d2e-4dbb-9f7f-7f0c97fde382","notifier":{"name":"rollbar-browser-js","version":"2.26.2","configured_options":{"captureUncaught":true,"captureUnhandledRejections":true,"payload":{"environment":"development"}},"diagnostic":{"original_arg_types":["string","error","undefined"],"is_uncaught":true,"raw_error":{"message":"Cannot read properties of null (reading 'once')","name":"TypeError","constructor_name":"TypeError","stack":"TypeError: Cannot read properties of null (reading 'once')\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\n    at https://instance.example.com/fe/js/cv-script.js:202367:10"}}},"request":{"url":"https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/><iepuap2p8w/\\>fwqsx8nplw&#iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/><iepuap2p8w/\\>fwqsx8nplw&","query_string":"?kpiqhi5l29=kpiqhi5l29%27%22`'\"/kpiqhi5l29/><kpiqhi5l29/\\>ba6kcvqqrk&","user_ip":"$remote_ip"},"client":{"runtime_ms":53,"timestamp":1730843997,"javascript":{"browser":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36","language":"en-US","cookie_enabled":true,"screen":{"width":800,"height":600},"plugins":[]}},"body":{"trace":{"exception":{"class":"TypeError","message":"Cannot read properties of null (reading 'once')","description":"Uncaught TypeError: Cannot read properties of null (reading 
'once')"},"frames":[{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":202367,"method":"[anonymous]","colno":10},{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":202406,"method":"InfoReceiver.doXhr","colno":11}]},"telemetry":[{"level":"error","type":"error","timestamp_ms":1730843997119,"body":{"message":"Cannot read properties of null (reading 'once')","stack":"TypeError: Cannot read properties of null (reading 'once')\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\n    at https://instance.example.com/fe/js/cv-script.js:202367:10"},"source":"client","uuid":"a4231093-6d2e-4dbb-9f7f-7f0c97fde382"}]},"context":""}}
    +
  • + +
  • +

    The stack trace at source was:

    +
    at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)
    +at get href (<anonymous>:1:249544)
    +at Array.<anonymous> (https://instance.example.com/fe/js/cv-script.js:201791:42576)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)
    +at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)
    +at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)
    +at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)
    +at m.handleUncaughtException (https://instance.example.com/fe/js/cv-script.js:201791:18878)
    +at n (https://instance.example.com/fe/js/cv-script.js:201791:35409)
    +at i (https://instance.example.com/fe/js/cv-script.js:201791:35806)
    +
  • + +
  • +

    The stack trace at the sink was:

    +
    at Object.XMhUr (<anonymous>:1:544502)
    +at _0x13dcf0 (<anonymous>:1:558761)
    +at _0xdc6a5f.<computed>._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.<computed> (<anonymous>:1:458938)
    +at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)
    +at t.exports (https://instance.example.com/fe/js/cv-script.js:201791:39384)
    +at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)
    +at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)
    +at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)
    +at https://instance.example.com/fe/js/cv-script.js:201791:32574
    +
  • + +
+
+
+
+
+ +

Open redirection (DOM-based)

+ /fe/m3/m-login + +

Issue detail:

+
The application may be vulnerable to DOM-based open redirection. Data is read from location.search and passed to xhr.send.
+ +

+ Issue background: +

+
+

DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of the DOM (for example, the URL) and processes this data in an unsafe way.

+ +

DOM-based open redirection arises when a script writes controllable data into the target of a redirection in an unsafe way. An attacker may be able to use the vulnerability to construct a URL that, if visited by another application user, will cause a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.

+

Note: If an attacker is able to control the start of the string that is passed to the redirection API, then it may be possible to escalate this vulnerability into a JavaScript injection attack, by using a URL with the javascript: pseudo-protocol to execute arbitrary script code when the URL is processed by the browser.

+ +

Burp Suite automatically identifies this issue using dynamic and static code analysis. Static analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not provided any evidence resulting from dynamic analysis, you should review the relevant code and execution paths to determine whether this vulnerability is indeed present, or whether mitigations are in place that would prevent exploitation.

+
+ +

+ Issue remediation: +

+
+

The most effective way to avoid DOM-based open redirection vulnerabilities is not to dynamically set redirection targets using data that originated from any untrusted source. If the desired functionality of the application means that this behavior is unavoidable, then defenses must be implemented within the client-side code to prevent malicious data from introducing an arbitrary URL as a redirection target. In general, this is best achieved by using a whitelist of URLs that are permitted redirection targets, and strictly validating the target against this list before performing the redirection.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+

Dynamic analysis:

+
+

Data is read from location.search and passed to xhr.send.

+
    +
  • +

    The following value was injected into the source:

    +
    ?kpiqhi5l29=kpiqhi5l29%27%22`'"/kpiqhi5l29/><kpiqhi5l29/\>ba6kcvqqrk&
    +
  • + +
  • +

    The previous value reached the sink:

    +
    {"access_token":"ed227e6e767e4584a5b3c10dc8b68c2a","data":{"environment":"development","level":"error","endpoint":"api.rollbar.com/api/1/item/","platform":"browser","framework":"browser-js","language":"javascript","server":{},"uuid":"a4231093-6d2e-4dbb-9f7f-7f0c97fde382","notifier":{"name":"rollbar-browser-js","version":"2.26.2","configured_options":{"captureUncaught":true,"captureUnhandledRejections":true,"payload":{"environment":"development"}},"diagnostic":{"original_arg_types":["string","error","undefined"],"is_uncaught":true,"raw_error":{"message":"Cannot read properties of null (reading 'once')","name":"TypeError","constructor_name":"TypeError","stack":"TypeError: Cannot read properties of null (reading 'once')\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\n    at https://instance.example.com/fe/js/cv-script.js:202367:10"}}},"request":{"url":"https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/><iepuap2p8w/\\>fwqsx8nplw&#iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/><iepuap2p8w/\\>fwqsx8nplw&","query_string":"?kpiqhi5l29=kpiqhi5l29%27%22`'\"/kpiqhi5l29/><kpiqhi5l29/\\>ba6kcvqqrk&","user_ip":"$remote_ip"},"client":{"runtime_ms":53,"timestamp":1730843997,"javascript":{"browser":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36","language":"en-US","cookie_enabled":true,"screen":{"width":800,"height":600},"plugins":[]}},"body":{"trace":{"exception":{"class":"TypeError","message":"Cannot read properties of null (reading 'once')","description":"Uncaught TypeError: Cannot read properties of null (reading 
'once')"},"frames":[{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":202367,"method":"[anonymous]","colno":10},{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":202406,"method":"InfoReceiver.doXhr","colno":11}]},"telemetry":[{"level":"error","type":"error","timestamp_ms":1730843997119,"body":{"message":"Cannot read properties of null (reading 'once')","stack":"TypeError: Cannot read properties of null (reading 'once')\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\n    at https://instance.example.com/fe/js/cv-script.js:202367:10"},"source":"client","uuid":"a4231093-6d2e-4dbb-9f7f-7f0c97fde382"}]},"context":""}}
    +
  • + +
  • +

    The stack trace at source was:

    +
    at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)
    +at get search (<anonymous>:1:248279)
    +at Array.<anonymous> (https://instance.example.com/fe/js/cv-script.js:201791:42607)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)
    +at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)
    +at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)
    +at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)
    +at m.handleUncaughtException (https://instance.example.com/fe/js/cv-script.js:201791:18878)
    +at n (https://instance.example.com/fe/js/cv-script.js:201791:35409)
    +at i (https://instance.example.com/fe/js/cv-script.js:201791:35806)
    +
  • + +
  • +

    The stack trace at the sink was:

    +
    at Object.XMhUr (<anonymous>:1:544502)
    +at _0x13dcf0 (<anonymous>:1:558761)
    +at _0xdc6a5f.<computed>._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.<computed> (<anonymous>:1:458938)
    +at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)
    +at t.exports (https://instance.example.com/fe/js/cv-script.js:201791:39384)
    +at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)
    +at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)
    +at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)
    +at https://instance.example.com/fe/js/cv-script.js:201791:32574
    +
  • + +
+
+
+
+
+ +

Open redirection (DOM-based)

+ /fe/m3/m-login + +

Issue detail:

+
The application may be vulnerable to DOM-based open redirection. Data is read from location.href and passed to xhr.send.
+ +

+ Issue background: +

+
+

DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of the DOM (for example, the URL) and processes this data in an unsafe way.

+ +

DOM-based open redirection arises when a script writes controllable data into the target of a redirection in an unsafe way. An attacker may be able to use the vulnerability to construct a URL that, if visited by another application user, will cause a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.

+

Note: If an attacker is able to control the start of the string that is passed to the redirection API, then it may be possible to escalate this vulnerability into a JavaScript injection attack, by using a URL with the javascript: pseudo-protocol to execute arbitrary script code when the URL is processed by the browser.

+ +

Burp Suite automatically identifies this issue using dynamic and static code analysis. Static analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not provided any evidence resulting from dynamic analysis, you should review the relevant code and execution paths to determine whether this vulnerability is indeed present, or whether mitigations are in place that would prevent exploitation.

+
+ +

+ Issue remediation: +

+
+

The most effective way to avoid DOM-based open redirection vulnerabilities is not to dynamically set redirection targets using data that originated from any untrusted source. If the desired functionality of the application means that this behavior is unavoidable, then defenses must be implemented within the client-side code to prevent malicious data from introducing an arbitrary URL as a redirection target. In general, this is best achieved by using a whitelist of URLs that are permitted redirection targets, and strictly validating the target against this list before performing the redirection.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+

Dynamic analysis:

+
+

Data is read from location.href and passed to xhr.send.

+
    +
  • +

    The following value was injected into the source:

    +
    https://instance.example.com/fe/m3/m-login?bih4qyzpvt=bih4qyzpvt%27%22`'"/bih4qyzpvt/><bih4qyzpvt/\>sbxdhx44wf&#bih4qyzpvt=bih4qyzpvt%27%22`'"/bih4qyzpvt/><bih4qyzpvt/\>sbxdhx44wf&
    +
  • + +
  • +

    The previous value reached the sink:

    +
    {"access_token":"ed227e6e767e4584a5b3c10dc8b68c2a","data":{"environment":"development","level":"error","endpoint":"api.rollbar.com/api/1/item/","platform":"browser","framework":"browser-js","language":"javascript","server":{},"uuid":"8ea547f7-4ead-4638-bd75-97e9d3af07a9","notifier":{"name":"rollbar-browser-js","version":"2.26.2","configured_options":{"captureUncaught":true,"captureUnhandledRejections":true,"payload":{"environment":"development"}},"diagnostic":{"original_arg_types":["string","error","undefined"],"is_uncaught":true,"raw_error":{"message":"Request failed with status code 500","name":"Error","constructor_name":"Error","stack":"Error: Request failed with status code 500\n    at createError (https://instance.example.com/fe/js/cv-script.js:51368:15)\n    at settle (https://instance.example.com/fe/js/cv-script.js:51664:12)\n    at XMLHttpRequest.onloadend (https://instance.example.com/fe/js/cv-script.js:50688:7)"}}},"request":{"url":"https://instance.example.com/fe/m3/m-login?bih4qyzpvt=bih4qyzpvt%27%22`'\"/bih4qyzpvt/><bih4qyzpvt/\\>sbxdhx44wf&#bih4qyzpvt=bih4qyzpvt%27%22`'\"/bih4qyzpvt/><bih4qyzpvt/\\>sbxdhx44wf&","query_string":"?esux3absmq=esux3absmq%27%22`'\"/esux3absmq/><esux3absmq/\\>z0k5afa1h6&","user_ip":"$remote_ip"},"client":{"runtime_ms":497,"timestamp":1730843998,"javascript":{"browser":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36","language":"en-US","cookie_enabled":true,"screen":{"width":800,"height":600},"plugins":[]}},"body":{"trace":{"exception":{"class":"Error","message":"Request failed with status code 500","description":"Request failed with status code 
500"},"frames":[{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":50688,"method":"XMLHttpRequest.onloadend","colno":7},{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":51664,"method":"settle","colno":12},{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":51368,"method":"createError","colno":15}]},"telemetry":[{"level":"error","type":"error","timestamp_ms":1730843997119,"body":{"message":"Cannot read properties of null (reading 'once')","stack":"TypeError: Cannot read properties of null (reading 'once')\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\n    at https://instance.example.com/fe/js/cv-script.js:202367:10"},"source":"client","uuid":"a4231093-6d2e-4dbb-9f7f-7f0c97fde382"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:-------------------------"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:DOM XSS found"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Context: NaN.queryString"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Tag name: "},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Original url: https://instance.example.com/fe/m3/m-login"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Generated url: 
https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/><iepuap2p8w/\\>fwqsx8nplw&#iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/><iepuap2p8w/\\>fwqsx8nplw&"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:PoC:Unable to generate PoC"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source identified as: location.href"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source Stack trace:     at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)\n    at get href (<anonymous>:1:249544)\n    at Array.<anonymous> (https://instance.example.com/fe/js/cv-script.js:201791:42576)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)\n    at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)\n    at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)\n    at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)\n    at m.handleUncaughtException 
(https://instance.example.com/fe/js/cv-script.js:201791:18878)\n    at n (https://instance.example.com/fe/js/cv-script.js:201791:35409)\n    at i (https://instance.example.com/fe/js/cv-script.js:201791:35806)"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink identified as: xhr.send"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink Stack trace:     at Object.XMhUr (<anonymous>:1:544502)\n    at _0x13dcf0 (<anonymous>:1:558761)\n    at _0xdc6a5f.<computed>._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.<computed> (<anonymous>:1:458938)\n    at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)\n    at t.exports (https://instance.example.com/fe/js/cv-script.js:201791:39384)\n    at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)\n    at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)\n    at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)\n    at https://instance.example.com/fe/js/cv-script.js:201791:32574"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink value: {\"access_token\":\"ed227e6e767e4584a5b3c10dc8b68c2a\",\"data\":{\"environment\":\"development\",\"level\":\"error\",\"endpoint\":\"api.rollbar.com/api/1/item/\",\"platform\":\"browser\",\"framework\":\"browser-js\",\"language\":\"javascript\",\"server\":{},\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\",\"notifier\":{\"name\":\"rollbar-browser-js\",\"version\":\"2.26.2\",\"configured_options\":{\"captureUncaught\":true,\"captureUnhandledRejections\":true,\"payload\":{\"environment\":\"development\"}},\"diagnostic\":{\"original_arg_types\":[\"string\",\"error\",\"undefined\"],\"is_uncaught\":true,\"raw_error\":{\"message\":\"Cannot read 
properties of null (reading 'once')\",\"name\":\"TypeError\",\"constructor_name\":\"TypeError\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at https://instance.example.com/fe/js/cv-script.js:202367:10\"}}},\"request\":{\"url\":\"https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/><iepuap2p8w/\\\\>fwqsx8nplw&#iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/><iepuap2p8w/\\\\>fwqsx8nplw&\",\"query_string\":\"?kpiqhi5l29=kpiqhi5l29%27%22`'\\\"/kpiqhi5l29/><kpiqhi5l29/\\\\>ba6kcvqqrk&\",\"user_ip\":\"$remote_ip\"},\"client\":{\"runtime_ms\":53,\"timestamp\":1730843997,\"javascript\":{\"browser\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36\",\"language\":\"en-US\",\"cookie_enabled\":true,\"screen\":{\"width\":800,\"height\":600},\"plugins\":[]}},\"body\":{\"trace\":{\"exception\":{\"class\":\"TypeError\",\"message\":\"Cannot read properties of null (reading 'once')\",\"description\":\"Uncaught TypeError: Cannot read properties of null (reading 'once')\"},\"frames\":[{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202367,\"method\":\"[anonymous]\",\"colno\":10},{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202406,\"method\":\"InfoReceiver.doXhr\",\"colno\":11}]},\"telemetry\":[{\"level\":\"error\",\"type\":\"error\",\"timestamp_ms\":1730843997119,\"body\":{\"message\":\"Cannot read properties of null (reading 'once')\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at 
https://instance.example.com/fe/js/cv-script.js:202367:10\"},\"source\":\"client\",\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\"}]},\"context\":\"\"}}"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:-------------------------"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:-------------------------"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:DOM XSS found"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Context: NaN.queryString"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Tag name: "},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Original url: https://instance.example.com/fe/m3/m-login"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Generated url: https://instance.example.com/fe/m3/m-login?kpiqhi5l29=kpiqhi5l29%27%22`'\"/kpiqhi5l29/><kpiqhi5l29/\\>ba6kcvqqrk&"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:PoC:Unable to generate PoC"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source identified as: location.search"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source Stack trace:     at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)\n    at get search (<anonymous>:1:248279)\n    at Array.<anonymous> 
(https://instance.example.com/fe/js/cv-script.js:201791:42607)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)\n    at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)\n    at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)\n    at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)\n    at m.handleUncaughtException (https://instance.example.com/fe/js/cv-script.js:201791:18878)\n    at n (https://instance.example.com/fe/js/cv-script.js:201791:35409)\n    at i (https://instance.example.com/fe/js/cv-script.js:201791:35806)"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink identified as: xhr.send"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink Stack trace:     at Object.XMhUr (<anonymous>:1:544502)\n    at _0x13dcf0 (<anonymous>:1:558761)\n    at _0xdc6a5f.<computed>._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.<computed> (<anonymous>:1:458938)\n    at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)\n    at t.exports 
(https://instance.example.com/fe/js/cv-script.js:201791:39384)\n    at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)\n    at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)\n    at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)\n    at https://instance.example.com/fe/js/cv-script.js:201791:32574"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink value: {\"access_token\":\"ed227e6e767e4584a5b3c10dc8b68c2a\",\"data\":{\"environment\":\"development\",\"level\":\"error\",\"endpoint\":\"api.rollbar.com/api/1/item/\",\"platform\":\"browser\",\"framework\":\"browser-js\",\"language\":\"javascript\",\"server\":{},\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\",\"notifier\":{\"name\":\"rollbar-browser-js\",\"version\":\"2.26.2\",\"configured_options\":{\"captureUncaught\":true,\"captureUnhandledRejections\":true,\"payload\":{\"environment\":\"development\"}},\"diagnostic\":{\"original_arg_types\":[\"string\",\"error\",\"undefined\"],\"is_uncaught\":true,\"raw_error\":{\"message\":\"Cannot read properties of null (reading 'once')\",\"name\":\"TypeError\",\"constructor_name\":\"TypeError\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at https://instance.example.com/fe/js/cv-script.js:202367:10\"}}},\"request\":{\"url\":\"https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/><iepuap2p8w/\\\\>fwqsx8nplw&#iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/><iepuap2p8w/\\\\>fwqsx8nplw&\",\"query_string\":\"?kpiqhi5l29=kpiqhi5l29%27%22`'\\\"/kpiqhi5l29/><kpiqhi5l29/\\\\>ba6kcvqqrk&\",\"user_ip\":\"$remote_ip\"},\"client\":{\"runtime_ms\":53,\"timestamp\":1730843997,\"javascript\":{\"browser\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36\",\"language\":\"en-US\",\"cookie_enabled\":true,\"screen\":{\"width\":800,\"height\":600},\"plugins\":[]}},\"body\":{\"trace\":{\"exception\":{\"class\":\"TypeError\",\"message\":\"Cannot read properties of null (reading 'once')\",\"description\":\"Uncaught TypeError: Cannot read properties of null (reading 'once')\"},\"frames\":[{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202367,\"method\":\"[anonymous]\",\"colno\":10},{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202406,\"method\":\"InfoReceiver.doXhr\",\"colno\":11}]},\"telemetry\":[{\"level\":\"error\",\"type\":\"error\",\"timestamp_ms\":1730843997119,\"body\":{\"message\":\"Cannot read properties of null (reading 'once')\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at https://instance.example.com/fe/js/cv-script.js:202367:10\"},\"source\":\"client\",\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\"}]},\"context\":\"\"}}"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997220,"body":{"message":"--DynamicJavaScriptAnalysis from 
JS:-------------------------"},"source":"client"},{"level":"error","type":"network","timestamp_ms":1730843997410,"body":{"method":"GET","url":"https://localhost:8000/sockjs-node/info?t=1730843997179","status_code":0,"start_time_ms":1730843997180,"end_time_ms":1730843997410,"subtype":"xhr","response_content_type":null},"source":"client"},{"level":"error","type":"network","timestamp_ms":1730843997410,"body":{"method":"GET","url":"https://localhost:8000/sockjs-node/info?t=1730843997221","status_code":0,"start_time_ms":1730843997221,"end_time_ms":1730843997410,"subtype":"xhr","response_content_type":null},"source":"client"},{"level":"info","type":"network","timestamp_ms":1730843997482,"body":{"method":"POST","url":"https://api.rollbar.com:443/api/1/item/","status_code":200,"start_time_ms":1730843997213,"end_time_ms":1730843997482,"request_content_type":"application/json","subtype":"xhr","response_content_type":"application/json; charset=utf-8"},"source":"client"},{"level":"error","type":"error","timestamp_ms":1730843997563,"body":{"message":"Request failed with status code 500","stack":"Error: Request failed with status code 500\n    at createError (https://instance.example.com/fe/js/cv-script.js:51368:15)\n    at settle (https://instance.example.com/fe/js/cv-script.js:51664:12)\n    at XMLHttpRequest.onloadend (https://instance.example.com/fe/js/cv-script.js:50688:7)"},"source":"client","uuid":"8ea547f7-4ead-4638-bd75-97e9d3af07a9"}]},"context":""}}

    The stack trace at source was:

    at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)
    at get href (<anonymous>:1:249544)
    at Array.<anonymous> (https://instance.example.com/fe/js/cv-script.js:201791:42576)
    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)
    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)
    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)
    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)
    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)
    at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)
    at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)
    at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)
    at m.handleUnhandledRejection (https://instance.example.com/fe/js/cv-script.js:201791:19920)
    at n (https://instance.example.com/fe/js/cv-script.js:201791:36330)

    The stack trace at the sink was:

    at Object.XMhUr (<anonymous>:1:544502)
    at _0x13dcf0 (<anonymous>:1:558761)
    at _0xdc6a5f.<computed>._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.<computed> (<anonymous>:1:458938)
    at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)
    at t.exports (https://instance.example.com/fe/js/cv-script.js:201791:39384)
    at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)
    at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)
    at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)
    at https://instance.example.com/fe/js/cv-script.js:201791:32574

Open redirection (DOM-based)

/fe/m3/m-login

Issue detail:

The application may be vulnerable to DOM-based open redirection. Data is read from location.search and passed to xhr.send.

Issue background:


DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of the DOM (for example, the URL) and processes this data in an unsafe way.


DOM-based open redirection arises when a script writes controllable data into the target of a redirection in an unsafe way. An attacker may be able to use the vulnerability to construct a URL that, if visited by another application user, will cause a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.


Note: If an attacker is able to control the start of the string that is passed to the redirection API, then it may be possible to escalate this vulnerability into a JavaScript injection attack, by using a URL with the javascript: pseudo-protocol to execute arbitrary script code when the URL is processed by the browser.


Burp Suite automatically identifies this issue using dynamic and static code analysis. Static analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not provided any evidence resulting from dynamic analysis, you should review the relevant code and execution paths to determine whether this vulnerability is indeed present, or whether mitigations are in place that would prevent exploitation.


Issue remediation:


The most effective way to avoid DOM-based open redirection vulnerabilities is not to dynamically set redirection targets using data that originated from any untrusted source. If the desired functionality of the application means that this behavior is unavoidable, then defenses must be implemented within the client-side code to prevent malicious data from introducing an arbitrary URL as a redirection target. In general, this is best achieved by using a whitelist of URLs that are permitted redirection targets, and strictly validating the target against this list before performing the redirection.


References


Vulnerability classifications


Request:

GET /fe/m3/m-login HTTP/2
Host: instance.example.com
Accept-Encoding: gzip, deflate, br
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="130", "Chromium";v="130"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0

Response:

HTTP/2 200 OK
Date: Tue, 05 Nov 2024 21:59:12 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 1906
Server: Apache/2.4.62 (Ubuntu)
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self' https://staging.example.com
X-Powered-By: Express
Accept-Ranges: bytes
Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip"
Vary: Accept-Encoding

<!DOCTYPE html>
<html lang="">
<head>
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width,initial-scale=1.0
Snip

Dynamic analysis:


Data is read from location.search and passed to xhr.send.


    The following value was injected into the source:

    +
    ?esux3absmq=esux3absmq%27%22`'"/esux3absmq/><esux3absmq/\>z0k5afa1h6&

    The previous value reached the sink:

    {"access_token":"ed227e6e767e4584a5b3c10dc8b68c2a","data":{"environment":"development","level":"error","endpoint":"api.rollbar.com/api/1/item/","platform":"browser","framework":"browser-js","language":"javascript","server":{},"uuid":"8ea547f7-4ead-4638-bd75-97e9d3af07a9","notifier":{"name":"rollbar-browser-js","version":"2.26.2","configured_options":{"captureUncaught":true,"captureUnhandledRejections":true,"payload":{"environment":"development"}},"diagnostic":{"original_arg_types":["string","error","undefined"],"is_uncaught":true,"raw_error":{"message":"Request failed with status code 500","name":"Error","constructor_name":"Error","stack":"Error: Request failed with status code 500\n    at createError (https://instance.example.com/fe/js/cv-script.js:51368:15)\n    at settle (https://instance.example.com/fe/js/cv-script.js:51664:12)\n    at XMLHttpRequest.onloadend (https://instance.example.com/fe/js/cv-script.js:50688:7)"}}},"request":{"url":"https://instance.example.com/fe/m3/m-login?bih4qyzpvt=bih4qyzpvt%27%22`'\"/bih4qyzpvt/><bih4qyzpvt/\\>sbxdhx44wf&#bih4qyzpvt=bih4qyzpvt%27%22`'\"/bih4qyzpvt/><bih4qyzpvt/\\>sbxdhx44wf&","query_string":"?esux3absmq=esux3absmq%27%22`'\"/esux3absmq/><esux3absmq/\\>z0k5afa1h6&","user_ip":"$remote_ip"},"client":{"runtime_ms":497,"timestamp":1730843998,"javascript":{"browser":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36","language":"en-US","cookie_enabled":true,"screen":{"width":800,"height":600},"plugins":[]}},"body":{"trace":{"exception":{"class":"Error","message":"Request failed with status code 500","description":"Request failed with status code 
500"},"frames":[{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":50688,"method":"XMLHttpRequest.onloadend","colno":7},{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":51664,"method":"settle","colno":12},{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":51368,"method":"createError","colno":15}]},"telemetry":[{"level":"error","type":"error","timestamp_ms":1730843997119,"body":{"message":"Cannot read properties of null (reading 'once')","stack":"TypeError: Cannot read properties of null (reading 'once')\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\n    at https://instance.example.com/fe/js/cv-script.js:202367:10"},"source":"client","uuid":"a4231093-6d2e-4dbb-9f7f-7f0c97fde382"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:-------------------------"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:DOM XSS found"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Context: NaN.queryString"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Tag name: "},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Original url: https://instance.example.com/fe/m3/m-login"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Generated url: 
https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/><iepuap2p8w/\\>fwqsx8nplw&#iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/><iepuap2p8w/\\>fwqsx8nplw&"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:PoC:Unable to generate PoC"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source identified as: location.href"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source Stack trace:     at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)\n    at get href (<anonymous>:1:249544)\n    at Array.<anonymous> (https://instance.example.com/fe/js/cv-script.js:201791:42576)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)\n    at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)\n    at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)\n    at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)\n    at m.handleUncaughtException 
(https://instance.example.com/fe/js/cv-script.js:201791:18878)\n    at n (https://instance.example.com/fe/js/cv-script.js:201791:35409)\n    at i (https://instance.example.com/fe/js/cv-script.js:201791:35806)"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink identified as: xhr.send"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink Stack trace:     at Object.XMhUr (<anonymous>:1:544502)\n    at _0x13dcf0 (<anonymous>:1:558761)\n    at _0xdc6a5f.<computed>._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.<computed> (<anonymous>:1:458938)\n    at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)\n    at t.exports (https://instance.example.com/fe/js/cv-script.js:201791:39384)\n    at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)\n    at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)\n    at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)\n    at https://instance.example.com/fe/js/cv-script.js:201791:32574"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink value: {\"access_token\":\"ed227e6e767e4584a5b3c10dc8b68c2a\",\"data\":{\"environment\":\"development\",\"level\":\"error\",\"endpoint\":\"api.rollbar.com/api/1/item/\",\"platform\":\"browser\",\"framework\":\"browser-js\",\"language\":\"javascript\",\"server\":{},\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\",\"notifier\":{\"name\":\"rollbar-browser-js\",\"version\":\"2.26.2\",\"configured_options\":{\"captureUncaught\":true,\"captureUnhandledRejections\":true,\"payload\":{\"environment\":\"development\"}},\"diagnostic\":{\"original_arg_types\":[\"string\",\"error\",\"undefined\"],\"is_uncaught\":true,\"raw_error\":{\"message\":\"Cannot read 
properties of null (reading 'once')\",\"name\":\"TypeError\",\"constructor_name\":\"TypeError\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at https://instance.example.com/fe/js/cv-script.js:202367:10\"}}},\"request\":{\"url\":\"https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/><iepuap2p8w/\\\\>fwqsx8nplw&#iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/><iepuap2p8w/\\\\>fwqsx8nplw&\",\"query_string\":\"?kpiqhi5l29=kpiqhi5l29%27%22`'\\\"/kpiqhi5l29/><kpiqhi5l29/\\\\>ba6kcvqqrk&\",\"user_ip\":\"$remote_ip\"},\"client\":{\"runtime_ms\":53,\"timestamp\":1730843997,\"javascript\":{\"browser\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36\",\"language\":\"en-US\",\"cookie_enabled\":true,\"screen\":{\"width\":800,\"height\":600},\"plugins\":[]}},\"body\":{\"trace\":{\"exception\":{\"class\":\"TypeError\",\"message\":\"Cannot read properties of null (reading 'once')\",\"description\":\"Uncaught TypeError: Cannot read properties of null (reading 'once')\"},\"frames\":[{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202367,\"method\":\"[anonymous]\",\"colno\":10},{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202406,\"method\":\"InfoReceiver.doXhr\",\"colno\":11}]},\"telemetry\":[{\"level\":\"error\",\"type\":\"error\",\"timestamp_ms\":1730843997119,\"body\":{\"message\":\"Cannot read properties of null (reading 'once')\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at 
https://instance.example.com/fe/js/cv-script.js:202367:10\"},\"source\":\"client\",\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\"}]},\"context\":\"\"}}"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:-------------------------"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:-------------------------"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:DOM XSS found"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Context: NaN.queryString"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Tag name: "},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Original url: https://instance.example.com/fe/m3/m-login"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Generated url: https://instance.example.com/fe/m3/m-login?kpiqhi5l29=kpiqhi5l29%27%22`'\"/kpiqhi5l29/><kpiqhi5l29/\\>ba6kcvqqrk&"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:PoC:Unable to generate PoC"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source identified as: location.search"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source Stack trace:     at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)\n    at get search (<anonymous>:1:248279)\n    at Array.<anonymous> 
(https://instance.example.com/fe/js/cv-script.js:201791:42607)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)\n    at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)\n    at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)\n    at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)\n    at m.handleUncaughtException (https://instance.example.com/fe/js/cv-script.js:201791:18878)\n    at n (https://instance.example.com/fe/js/cv-script.js:201791:35409)\n    at i (https://instance.example.com/fe/js/cv-script.js:201791:35806)"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink identified as: xhr.send"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink Stack trace:     at Object.XMhUr (<anonymous>:1:544502)\n    at _0x13dcf0 (<anonymous>:1:558761)\n    at _0xdc6a5f.<computed>._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.<computed> (<anonymous>:1:458938)\n    at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)\n    at t.exports 
(https://instance.example.com/fe/js/cv-script.js:201791:39384)\n    at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)\n    at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)\n    at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)\n    at https://instance.example.com/fe/js/cv-script.js:201791:32574"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink value: {\"access_token\":\"ed227e6e767e4584a5b3c10dc8b68c2a\",\"data\":{\"environment\":\"development\",\"level\":\"error\",\"endpoint\":\"api.rollbar.com/api/1/item/\",\"platform\":\"browser\",\"framework\":\"browser-js\",\"language\":\"javascript\",\"server\":{},\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\",\"notifier\":{\"name\":\"rollbar-browser-js\",\"version\":\"2.26.2\",\"configured_options\":{\"captureUncaught\":true,\"captureUnhandledRejections\":true,\"payload\":{\"environment\":\"development\"}},\"diagnostic\":{\"original_arg_types\":[\"string\",\"error\",\"undefined\"],\"is_uncaught\":true,\"raw_error\":{\"message\":\"Cannot read properties of null (reading 'once')\",\"name\":\"TypeError\",\"constructor_name\":\"TypeError\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at https://instance.example.com/fe/js/cv-script.js:202367:10\"}}},\"request\":{\"url\":\"https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/><iepuap2p8w/\\\\>fwqsx8nplw&#iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/><iepuap2p8w/\\\\>fwqsx8nplw&\",\"query_string\":\"?kpiqhi5l29=kpiqhi5l29%27%22`'\\\"/kpiqhi5l29/><kpiqhi5l29/\\\\>ba6kcvqqrk&\",\"user_ip\":\"$remote_ip\"},\"client\":{\"runtime_ms\":53,\"timestamp\":1730843997,\"javascript\":{\"browser\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36\",\"language\":\"en-US\",\"cookie_enabled\":true,\"screen\":{\"width\":800,\"height\":600},\"plugins\":[]}},\"body\":{\"trace\":{\"exception\":{\"class\":\"TypeError\",\"message\":\"Cannot read properties of null (reading 'once')\",\"description\":\"Uncaught TypeError: Cannot read properties of null (reading 'once')\"},\"frames\":[{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202367,\"method\":\"[anonymous]\",\"colno\":10},{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202406,\"method\":\"InfoReceiver.doXhr\",\"colno\":11}]},\"telemetry\":[{\"level\":\"error\",\"type\":\"error\",\"timestamp_ms\":1730843997119,\"body\":{\"message\":\"Cannot read properties of null (reading 'once')\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at https://instance.example.com/fe/js/cv-script.js:202367:10\"},\"source\":\"client\",\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\"}]},\"context\":\"\"}}"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997220,"body":{"message":"--DynamicJavaScriptAnalysis from 
JS:-------------------------"},"source":"client"},{"level":"error","type":"network","timestamp_ms":1730843997410,"body":{"method":"GET","url":"https://localhost:8000/sockjs-node/info?t=1730843997179","status_code":0,"start_time_ms":1730843997180,"end_time_ms":1730843997410,"subtype":"xhr","response_content_type":null},"source":"client"},{"level":"error","type":"network","timestamp_ms":1730843997410,"body":{"method":"GET","url":"https://localhost:8000/sockjs-node/info?t=1730843997221","status_code":0,"start_time_ms":1730843997221,"end_time_ms":1730843997410,"subtype":"xhr","response_content_type":null},"source":"client"},{"level":"info","type":"network","timestamp_ms":1730843997482,"body":{"method":"POST","url":"https://api.rollbar.com:443/api/1/item/","status_code":200,"start_time_ms":1730843997213,"end_time_ms":1730843997482,"request_content_type":"application/json","subtype":"xhr","response_content_type":"application/json; charset=utf-8"},"source":"client"},{"level":"error","type":"error","timestamp_ms":1730843997563,"body":{"message":"Request failed with status code 500","stack":"Error: Request failed with status code 500\n    at createError (https://instance.example.com/fe/js/cv-script.js:51368:15)\n    at settle (https://instance.example.com/fe/js/cv-script.js:51664:12)\n    at XMLHttpRequest.onloadend (https://instance.example.com/fe/js/cv-script.js:50688:7)"},"source":"client","uuid":"8ea547f7-4ead-4638-bd75-97e9d3af07a9"}]},"context":""}}

    The stack trace at source was:

    at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)
    at get search (<anonymous>:1:248279)
    at Array.<anonymous> (https://instance.example.com/fe/js/cv-script.js:201791:42607)
    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)
    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)
    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)
    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)
    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)
    at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)
    at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)
    at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)
    at m.handleUnhandledRejection (https://instance.example.com/fe/js/cv-script.js:201791:19920)
    at n (https://instance.example.com/fe/js/cv-script.js:201791:36330)

    The stack trace at the sink was:

    at Object.XMhUr (<anonymous>:1:544502)
    at _0x13dcf0 (<anonymous>:1:558761)
    at _0xdc6a5f.<computed>._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.<computed> (<anonymous>:1:458938)
    at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)
    at t.exports (https://instance.example.com/fe/js/cv-script.js:201791:39384)
    at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)
    at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)
    at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)
    at https://instance.example.com/fe/js/cv-script.js:201791:32574

TLS certificate

/

Issue detail:

The server presented a valid, trusted TLS certificate. This issue is purely informational.

The server presented the following certificates:


Server certificate

Issued to:  *.sandbox.example.com
Issued by:  Amazon RSA 2048 M02
Valid from:  Wed Feb 28 00:00:00 UTC 2024
Valid to:  Sat Mar 29 23:59:59 UTC 2025

Certificate chain #1

Issued to:  Amazon RSA 2048 M02
Issued by:  Amazon Root CA 1
Valid from:  Tue Aug 23 22:25:30 UTC 2022
Valid to:  Fri Aug 23 22:25:30 UTC 2030

Certificate chain #2

Issued to:  Amazon Root CA 1
Issued by:  Starfield Services Root Certificate Authority - G2
Valid from:  Mon May 25 12:00:00 UTC 2015
Valid to:  Thu Dec 31 01:00:00 UTC 2037

Certificate chain #3

Issued to:  Starfield Services Root Certificate Authority - G2
Issued by:  Starfield Class 2 Certification Authority
Valid from:  Wed Sep 02 00:00:00 UTC 2009
Valid to:  Wed Jun 28 17:39:16 UTC 2034

Certificate chain #4

Issued to:  Starfield Class 2 Certification Authority
Issued by:  Starfield Class 2 Certification Authority
Valid from:  Tue Jun 29 17:39:16 UTC 2004
Valid to:  Thu Jun 29 17:39:16 UTC 2034

Issue background:


TLS (or SSL) helps to protect the confidentiality and integrity of information in transit between the browser and server, and to provide authentication of the server's identity. To serve this purpose, the server must present a TLS certificate that is valid for the server's hostname, is issued by a trusted authority and is valid for the current date. If any one of these requirements is not met, TLS connections to the server will not provide the full protection for which TLS is designed.


It should be noted that various attacks exist against TLS in general, and in the context of HTTPS web connections in particular. It may be possible for a determined and suitably positioned attacker to compromise TLS connections without user detection even when a valid TLS certificate is used.


References


Vulnerability classifications


Content security policy: allows untrusted script execution

/fe/m3/m-login

Issue detail:


The content security policy fails to prevent untrusted JavaScript from being executed. As a result, it may fail to mitigate cross-site scripting attacks. In the captured response the policy sets only frame-ancestors; with no script-src or default-src directive, script sources are effectively unrestricted.


The policy has the following issues:


The policy allows global wildcard URLs which allows arbitrary scripts to be executed.


The policy allows data: URLs which allows arbitrary scripts to be executed.


Issue background:


Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting attacks by disabling dangerous behaviours such as untrusted JavaScript execution. Websites can specify their security policy in a response header or meta tag, enabling fine-grained control over dangerous features like scripts and stylesheets.


Mitigate cross-site scripting by avoiding 'unsafe-inline', 'unsafe-eval', data: URLs, and global wildcards in script directives. Use a secure, random nonce of at least 8 characters ('nonce-RANDOM') to prevent untrusted JavaScript execution.


References


Vulnerability classifications


Request:

GET /fe/m3/m-login HTTP/2
Host: instance.example.com
Accept-Encoding: gzip, deflate, br
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="130", "Chromium";v="130"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0

Response:

HTTP/2 200 OK
Date: Tue, 05 Nov 2024 21:59:12 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 1906
Server: Apache/2.4.62 (Ubuntu)
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self' https://staging.example.com
X-Powered-By: Express
Accept-Ranges: bytes
Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip"
Vary: Accept-Encoding

<!DOCTYPE html>
<html lang="">
<head>
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width,initial-scale=1.0
Snip

Content security policy: allows untrusted script execution

/m/v3/actions/action-log

Issue detail:

+
+

The content security policy fails to prevent untrusted JavaScript from being executed. As a result, it may fail to mitigate cross-site scripting attacks.

+

The policy has the following issues:

+

The policy allows global wildcard URLs which allows arbitrary scripts to be executed.

+

The policy allows data: URLs which allows arbitrary scripts to be executed.

+
+ +

Issue background:

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting attacks by disabling dangerous behaviours such as untrusted JavaScript execution. Websites can specify their security policy in a response header or meta tag, enabling fine-grained control over dangerous features like scripts and stylesheets.

+
+ +

Issue remediation:

+
+

Mitigate cross-site scripting by avoiding 'unsafe-inline', 'unsafe-eval', data: URLs, and global wildcards in script directives. Use a secure, random nonce of at least 8 characters ('nonce-RANDOM') to prevent untrusted JavaScript execution.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/action-log HTTP/2
Host: instance.example.com
Accept-Encoding: gzip, deflate, br
Accept: application/json, text/plain, */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: _ga=GA1.1.1789135595.1730843965; _ga_0CGDK6Q0X4=GS1.1.1730843965.1.0.1730843965.0.0.0
Origin: https://instance.example.com
Referer: https://instance.example.com/fe/m3/m-login
Content-Type: application/json
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="130", "Chromium";v="130"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 107

{"name":"ForgotPasswordButtonClicked","category":"mConsolefe","data":{"deviceType":"Desktop"}}
+
+
+

Response:

+
HTTP/2 500 Internal Server Error
Date: Tue, 05 Nov 2024 21:59:26 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Server: Apache/2.4.62 (Ubuntu)
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self' https://staging.example.com
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Max-Age: 86400
+
+
+
+ +

Content security policy: allows untrusted script execution

/m/v3/actions/event-log

Issue detail:

+
+

The content security policy fails to prevent untrusted JavaScript from being executed. As a result, it may fail to mitigate cross-site scripting attacks.

+

The policy has the following issues:

+

The policy allows global wildcard URLs which allows arbitrary scripts to be executed.

+

The policy allows data: URLs which allows arbitrary scripts to be executed.

+
+ +

Issue background:

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting attacks by disabling dangerous behaviours such as untrusted JavaScript execution. Websites can specify their security policy in a response header or meta tag, enabling fine-grained control over dangerous features like scripts and stylesheets.

+
+ +

Issue remediation:

+
+

Mitigate cross-site scripting by avoiding 'unsafe-inline', 'unsafe-eval', data: URLs, and global wildcards in script directives. Use a secure, random nonce of at least 8 characters ('nonce-RANDOM') to prevent untrusted JavaScript execution.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/event-log HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1245037457.1730843989; _ga_0CGDK6Q0X4=GS1.1.1730843988.1.0.1730843990.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 279 + + {"name":"ForgotPasswordButtonClicked","category":"mConsoleEvents","timestamp":1730843990,"data":{"currentURL":"https://instance.example.com/fe/m3/m-login","previou +
Snip
+
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:50 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows untrusted script execution

/m/v3/actions/login-m-by-name

Issue detail:

+
+

The content security policy fails to prevent untrusted JavaScript from being executed. As a result, it may fail to mitigate cross-site scripting attacks.

+

The policy has the following issues:

+

The policy allows global wildcard URLs which allows arbitrary scripts to be executed.

+

The policy allows data: URLs which allows arbitrary scripts to be executed.

+
+ +

Issue background:

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting attacks by disabling dangerous behaviours such as untrusted JavaScript execution. Websites can specify their security policy in a response header or meta tag, enabling fine-grained control over dangerous features like scripts and stylesheets.

+
+ +

Issue remediation:

+
+

Mitigate cross-site scripting by avoiding 'unsafe-inline', 'unsafe-eval', data: URLs, and global wildcards in script directives. Use a secure, random nonce of at least 8 characters ('nonce-RANDOM') to prevent untrusted JavaScript execution.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/login-m-by-name HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Authorization: Bearer undefined + Cookie: _ga=GA1.1.2130470854.1730843985; _ga_0CGDK6Q0X4=GS1.1.1730843984.1.0.1730843986.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 33 + + {"mName":"","password":""}
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:46 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows untrusted script execution

/m/v3/actions/request-m-password-reset

Issue detail:

+
+

The content security policy fails to prevent untrusted JavaScript from being executed. As a result, it may fail to mitigate cross-site scripting attacks.

+

The policy has the following issues:

+

The policy allows global wildcard URLs which allows arbitrary scripts to be executed.

+

The policy allows data: URLs which allows arbitrary scripts to be executed.

+
+ +

Issue background:

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting attacks by disabling dangerous behaviours such as untrusted JavaScript execution. Websites can specify their security policy in a response header or meta tag, enabling fine-grained control over dangerous features like scripts and stylesheets.

+
+ +

Issue remediation:

+
+

Mitigate cross-site scripting by avoiding 'unsafe-inline', 'unsafe-eval', data: URLs, and global wildcards in script directives. Use a secure, random nonce of at least 8 characters ('nonce-RANDOM') to prevent untrusted JavaScript execution.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/request-m-password-reset HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1294211964.1730843974; _ga_0CGDK6Q0X4=GS1.1.1730843974.1.1.1730843975.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/request-reset-password + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 94 + + {"mName":"BoSUhm","mEmail":"BoSUhmuz@burpcollaborator.net","mPhone":null} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:36 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows untrusted script execution

/m/v3/translations

Issue detail:

+
+

The content security policy fails to prevent untrusted JavaScript from being executed. As a result, it may fail to mitigate cross-site scripting attacks.

+

The policy has the following issues:

+

The policy allows global wildcard URLs which allows arbitrary scripts to be executed.

+

The policy allows data: URLs which allows arbitrary scripts to be executed.

+
+ +

Issue background:

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting attacks by disabling dangerous behaviours such as untrusted JavaScript execution. Websites can specify their security policy in a response header or meta tag, enabling fine-grained control over dangerous features like scripts and stylesheets.

+
+ +

Issue remediation:

+
+

Mitigate cross-site scripting by avoiding 'unsafe-inline', 'unsafe-eval', data: URLs, and global wildcards in script directives. Use a secure, random nonce of at least 8 characters ('nonce-RANDOM') to prevent untrusted JavaScript execution.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /m/v3/translations?locale=en_US&category=m-fe HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1871968749.1730843978; _ga_0CGDK6Q0X4=GS1.1.1730843977.1.1.1730843978.0.0.0 + Referer: https://instance.example.com/fe/m3/m-login + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:39 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows untrusted script execution

/m/v3/translations/locales

Issue detail:

+
+

The content security policy fails to prevent untrusted JavaScript from being executed. As a result, it may fail to mitigate cross-site scripting attacks.

+

The policy has the following issues:

+

The policy allows global wildcard URLs which allows arbitrary scripts to be executed.

+

The policy allows data: URLs which allows arbitrary scripts to be executed.

+
+ +

Issue background:

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting attacks by disabling dangerous behaviours such as untrusted JavaScript execution. Websites can specify their security policy in a response header or meta tag, enabling fine-grained control over dangerous features like scripts and stylesheets.

+
+ +

Issue remediation:

+
+

Mitigate cross-site scripting by avoiding 'unsafe-inline', 'unsafe-eval', data: URLs, and global wildcards in script directives. Use a secure, random nonce of at least 8 characters ('nonce-RANDOM') to prevent untrusted JavaScript execution.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /m/v3/translations/locales?category=m-fe HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Referer: https://instance.example.com/fe/m3/m-login + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:24 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +
+
+
+ +

Content security policy: allows untrusted style execution

/fe/m3/m-login

Issue detail:

+
+

The content security policy fails to prevent untrusted style execution. As a result, it may fail to mitigate style-based data exfiltration.

+

The policy allows global wildcard URLs which allows arbitrary styles to be executed.

+

The policy allows data: URLs which allows arbitrary styles to be executed.

+
+ +

Issue background:

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting attacks by disabling dangerous behaviours such as untrusted JavaScript execution. Websites can specify their security policy in a response header or meta tag, enabling fine-grained control over dangerous features like scripts and stylesheets.

+
+ +

Issue remediation:

+
+

Mitigate style-based data exfiltration by avoiding 'unsafe-inline', data: URLs, and global wildcards in style directives. Use a secure, random nonce of at least 8 characters ('nonce-RANDOM') in the relevant directive.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+
+ +

Content security policy: allows untrusted style execution

/m/v3/actions/action-log

Issue detail:

+
+

The content security policy fails to prevent untrusted style execution. As a result, it may fail to mitigate style-based data exfiltration.

+

The policy allows global wildcard URLs which allows arbitrary styles to be executed.

+

The policy allows data: URLs which allows arbitrary styles to be executed.

+
+ +

Issue background:

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting attacks by disabling dangerous behaviours such as untrusted JavaScript execution. Websites can specify their security policy in a response header or meta tag, enabling fine-grained control over dangerous features like scripts and stylesheets.

+
+ +

Issue remediation:

+
+

Mitigate style-based data exfiltration by avoiding 'unsafe-inline', data: URLs, and global wildcards in style directives. Use a secure, random nonce of at least 8 characters ('nonce-RANDOM') in the relevant directive.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/action-log HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1789135595.1730843965; _ga_0CGDK6Q0X4=GS1.1.1730843965.1.0.1730843965.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 107 + + {"name":"ForgotPasswordButtonClicked","category":"mConsolefe","data":{"deviceType":"Desktop"}} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:26 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows untrusted style execution

/m/v3/actions/event-log

Issue detail:

+
+

The content security policy fails to prevent untrusted style execution. As a result, it may fail to mitigate style-based data exfiltration.

+

The policy allows global wildcard URLs which allows arbitrary styles to be executed.

+

The policy allows data: URLs which allows arbitrary styles to be executed.

+
+ +

Issue background:

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting attacks by disabling dangerous behaviours such as untrusted JavaScript execution. Websites can specify their security policy in a response header or meta tag, enabling fine-grained control over dangerous features like scripts and stylesheets.

+
+ +

Issue remediation:

+
+

Mitigate style-based data exfiltration by avoiding 'unsafe-inline', data: URLs, and global wildcards in style directives. Use a secure, random nonce of at least 8 characters ('nonce-RANDOM') in the relevant directive.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/event-log HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1245037457.1730843989; _ga_0CGDK6Q0X4=GS1.1.1730843988.1.0.1730843990.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 279 + + {"name":"ForgotPasswordButtonClicked","category":"mConsoleEvents","timestamp":1730843990,"data":{"currentURL":"https://instance.example.com/fe/m3/m-login","previou +
Snip
+
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:50 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows untrusted style execution

+ /m/v3/actions/login-m-by-name + +

Issue detail:

+
+

The content security policy fails to prevent untrusted style execution. As a result, it may fail + to mitigate style based data exfiltration.

+

The policy allows global wildcard URLs, which allows arbitrary styles to be executed. (The Content-Security-Policy header in the response below sets only frame-ancestors; with no style-src or default-src directive, style sources are effectively unrestricted.)

+

The policy allows data: URLs, which allows arbitrary styles to be executed; with no style-src or default-src directive in the policy, data: URLs are not restricted.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

+ Mitigate style-based data exfiltration by adding an explicit style-src (or default-src) directive and avoiding 'unsafe-inline', data: URLs, and global wildcards in it. Where inline styles are required, use a secure, random nonce of at least 8 characters ('nonce-RANDOM'), freshly generated for each response, in the relevant directive. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/login-m-by-name HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Authorization: Bearer undefined + Cookie: _ga=GA1.1.2130470854.1730843985; _ga_0CGDK6Q0X4=GS1.1.1730843984.1.0.1730843986.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 33 + + {"mName":"","password":""}
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:46 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows untrusted style execution

+ /m/v3/actions/request-m-password-reset + +

Issue detail:

+
+

The content security policy fails to prevent untrusted style execution. As a result, it may fail + to mitigate style based data exfiltration.

+

The policy allows global wildcard URLs, which allows arbitrary styles to be executed. (The Content-Security-Policy header in the response below sets only frame-ancestors; with no style-src or default-src directive, style sources are effectively unrestricted.)

+

The policy allows data: URLs, which allows arbitrary styles to be executed; with no style-src or default-src directive in the policy, data: URLs are not restricted.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

+ Mitigate style-based data exfiltration by adding an explicit style-src (or default-src) directive and avoiding 'unsafe-inline', data: URLs, and global wildcards in it. Where inline styles are required, use a secure, random nonce of at least 8 characters ('nonce-RANDOM'), freshly generated for each response, in the relevant directive. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/request-m-password-reset HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1294211964.1730843974; _ga_0CGDK6Q0X4=GS1.1.1730843974.1.1.1730843975.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/request-reset-password + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 94 + + {"mName":"BoSUhm","mEmail":"BoSUhmuz@burpcollaborator.net","mPhone":null} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:36 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows untrusted style execution

+ /m/v3/translations + +

Issue detail:

+
+

The content security policy fails to prevent untrusted style execution. As a result, it may fail + to mitigate style based data exfiltration.

+

The policy allows global wildcard URLs, which allows arbitrary styles to be executed. (The Content-Security-Policy header in the response below sets only frame-ancestors; with no style-src or default-src directive, style sources are effectively unrestricted.)

+

The policy allows data: URLs, which allows arbitrary styles to be executed; with no style-src or default-src directive in the policy, data: URLs are not restricted.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

+ Mitigate style-based data exfiltration by adding an explicit style-src (or default-src) directive and avoiding 'unsafe-inline', data: URLs, and global wildcards in it. Where inline styles are required, use a secure, random nonce of at least 8 characters ('nonce-RANDOM'), freshly generated for each response, in the relevant directive. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /m/v3/translations?locale=en_US&category=m-fe HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1871968749.1730843978; _ga_0CGDK6Q0X4=GS1.1.1730843977.1.1.1730843978.0.0.0 + Referer: https://instance.example.com/fe/m3/m-login + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:39 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows untrusted style execution

+ /m/v3/translations/locales + +

Issue detail:

+
+

The content security policy fails to prevent untrusted style execution. As a result, it may fail + to mitigate style based data exfiltration.

+

The policy allows global wildcard URLs, which allows arbitrary styles to be executed. (The Content-Security-Policy header in the response below sets only frame-ancestors; with no style-src or default-src directive, style sources are effectively unrestricted.)

+

The policy allows data: URLs, which allows arbitrary styles to be executed; with no style-src or default-src directive in the policy, data: URLs are not restricted.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

+ Mitigate style-based data exfiltration by adding an explicit style-src (or default-src) directive and avoiding 'unsafe-inline', data: URLs, and global wildcards in it. Where inline styles are required, use a secure, random nonce of at least 8 characters ('nonce-RANDOM'), freshly generated for each response, in the relevant directive. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /m/v3/translations/locales?category=m-fe HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Referer: https://instance.example.com/fe/m3/m-login + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:24 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +
+
+
+ +

Content security policy: allows form hijacking

+ /fe/m3/m-login + +

Issue detail:

+
+

The content security policy doesn't prevent form hijacking, where an attacker who can inject HTML hijacks a form by supplying their own action attribute (the policy in the response below sets only frame-ancestors and has no form-action directive). This can lead to credential theft: a password manager may autofill credentials into the hijacked form, and they are sent to the attacker's server when the form is submitted.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

We recommend using the form-action directive in the CSP response header to control form post + destinations. If no form actions are used, set form-action to 'none' to block + untrusted forms. For applications without external form URLs, use 'self' to allow only + same-origin URLs. If needed, allow list hosts for external URL form submissions, but + be aware this lets attackers submit to these external resources. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+
+ +

Content security policy: allows form hijacking

+ /m/v3/actions/action-log + +

Issue detail:

+
+

The content security policy doesn't prevent form hijacking, where an attacker who can inject HTML hijacks a form by supplying their own action attribute (the policy in the response below sets only frame-ancestors and has no form-action directive). This can lead to credential theft: a password manager may autofill credentials into the hijacked form, and they are sent to the attacker's server when the form is submitted.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

We recommend using the form-action directive in the CSP response header to control form post + destinations. If no form actions are used, set form-action to 'none' to block + untrusted forms. For applications without external form URLs, use 'self' to allow only + same-origin URLs. If needed, allow list hosts for external URL form submissions, but + be aware this lets attackers submit to these external resources. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/action-log HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1789135595.1730843965; _ga_0CGDK6Q0X4=GS1.1.1730843965.1.0.1730843965.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 107 + + {"name":"ForgotPasswordButtonClicked","category":"mConsolefe","data":{"deviceType":"Desktop"}} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:26 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows form hijacking

+ /m/v3/actions/event-log + +

Issue detail:

+
+

The content security policy doesn't prevent form hijacking, where an attacker who can inject HTML hijacks a form by supplying their own action attribute (the policy in the response below sets only frame-ancestors and has no form-action directive). This can lead to credential theft: a password manager may autofill credentials into the hijacked form, and they are sent to the attacker's server when the form is submitted.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

We recommend using the form-action directive in the CSP response header to control form post + destinations. If no form actions are used, set form-action to 'none' to block + untrusted forms. For applications without external form URLs, use 'self' to allow only + same-origin URLs. If needed, allow list hosts for external URL form submissions, but + be aware this lets attackers submit to these external resources. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/event-log HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.2130470854.1730843985; _ga_0CGDK6Q0X4=GS1.1.1730843984.1.0.1730843986.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 301 + + {"name":"mLoginAttempted","category":"mConsoleEvents","timestamp":1730843986,"data":{"currentURL":"https://instance.example.com/fe/m3/m-login","previousURL" +
Snip
+
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:46 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows form hijacking

+ /m/v3/actions/login-m-by-name + +

Issue detail:

+
+

The content security policy doesn't prevent form hijacking, where an attacker who can inject HTML hijacks a form by supplying their own action attribute (the policy in the response below sets only frame-ancestors and has no form-action directive). This can lead to credential theft: a password manager may autofill credentials into the hijacked form, and they are sent to the attacker's server when the form is submitted.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

We recommend using the form-action directive in the CSP response header to control form post + destinations. If no form actions are used, set form-action to 'none' to block + untrusted forms. For applications without external form URLs, use 'self' to allow only + same-origin URLs. If needed, allow list hosts for external URL form submissions, but + be aware this lets attackers submit to these external resources. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/login-m-by-name HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Authorization: Bearer undefined + Cookie: _ga=GA1.1.2130470854.1730843985; _ga_0CGDK6Q0X4=GS1.1.1730843984.1.0.1730843986.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 33 + + {"mName":"","password":""}
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:46 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows form hijacking

+ /m/v3/actions/request-m-password-reset + +

Issue detail:

+
+

The content security policy doesn't prevent form hijacking, where an attacker who can inject HTML hijacks a form by supplying their own action attribute (the policy in the response below sets only frame-ancestors and has no form-action directive). This can lead to credential theft: a password manager may autofill credentials into the hijacked form, and they are sent to the attacker's server when the form is submitted.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

We recommend using the form-action directive in the CSP response header to control form post + destinations. If no form actions are used, set form-action to 'none' to block + untrusted forms. For applications without external form URLs, use 'self' to allow only + same-origin URLs. If needed, allow list hosts for external URL form submissions, but + be aware this lets attackers submit to these external resources. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/request-m-password-reset HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1294211964.1730843974; _ga_0CGDK6Q0X4=GS1.1.1730843974.1.1.1730843975.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/request-reset-password + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 94 + + {"mName":"BoSUhm","mEmail":"BoSUhmuz@burpcollaborator.net","mPhone":null} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:36 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows form hijacking

+ /m/v3/translations + +

Issue detail:

+
+

The content security policy doesn't prevent form hijacking, where an attacker who can inject HTML hijacks a form by supplying their own action attribute (the policy in the response below sets only frame-ancestors and has no form-action directive). This can lead to credential theft: a password manager may autofill credentials into the hijacked form, and they are sent to the attacker's server when the form is submitted.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

We recommend using the form-action directive in the CSP response header to control form post + destinations. If no form actions are used, set form-action to 'none' to block + untrusted forms. For applications without external form URLs, use 'self' to allow only + same-origin URLs. If needed, allow list hosts for external URL form submissions, but + be aware this lets attackers submit to these external resources. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /m/v3/translations?locale=en_US&category=m-fe HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1871968749.1730843978; _ga_0CGDK6Q0X4=GS1.1.1730843977.1.1.1730843978.0.0.0 + Referer: https://instance.example.com/fe/m3/m-login + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:39 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows form hijacking

+ /m/v3/translations/locales + +

Issue detail:

+
+

The content security policy doesn't prevent form hijacking, where an attacker who can inject HTML hijacks a form by supplying their own action attribute (the policy in the response below sets only frame-ancestors and has no form-action directive). This can lead to credential theft: a password manager may autofill credentials into the hijacked form, and they are sent to the attacker's server when the form is submitted.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

We recommend using the form-action directive in the CSP response header to control form post + destinations. If no form actions are used, set form-action to 'none' to block + untrusted forms. For applications without external form URLs, use 'self' to allow only + same-origin URLs. If needed, allow list hosts for external URL form submissions, but + be aware this lets attackers submit to these external resources. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /m/v3/translations/locales?category=m-fe HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Referer: https://instance.example.com/fe/m3/m-login + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:24 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +
+
+
+ +

Cross-origin resource sharing

+ /m/v3/actions/action-log + +

Issue detail:

+
+ The application implements an HTML5 cross-origin resource sharing (CORS) policy for this + request.

The response uses a wildcard in the Access-Control-Allow-Origin header and also + specifies that credentials are allowed. Note that browsers do not allow this combination, and the + Access-Control-Allow-Credentials header will be ignored.

Since the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache the response regardless of the requesting origin. This may enable an attacker to carry out cache poisoning attacks. +
+ +

+ Issue background: +

+
+

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on + other domains can perform two-way interaction with the domain that publishes the policy. The + policy is fine-grained and can apply access controls per-request based on the URL and other + features of the request.

+

If another domain is allowed by the policy, then that domain can potentially attack users of the + application. If a user is logged in to the application, and visits a domain allowed by the + policy, then any malicious content running on that domain can potentially retrieve content from + the application, and sometimes carry out actions within the security context of the logged in + user.

+

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within + that domain could potentially be leveraged by an attacker to exploit the trust relationship and + attack the application that allows access. CORS policies on pages containing sensitive + information should be reviewed to determine whether it is appropriate for the application to + trust both the intentions and security posture of any domains granted access.

+
+ +

+ Issue remediation: +

+
+

Any inappropriate domains should be removed from the CORS policy. For the responses shown here, that means replacing the Access-Control-Allow-Origin wildcard with the specific origins that need access (or omitting the CORS headers where cross-origin access is not needed), and not sending Access-Control-Allow-Credentials: true alongside a wildcard.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/action-log HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.705270236.1730844023; _ga_0CGDK6Q0X4=GS1.1.1730844022.1.0.1730844028.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 118 + + {"name":"mLoginAttempt","category":"mConsolefe","data":{"deviceType":"Desktop","mName":""}} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 22:00:29 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Cross-origin resource sharing

+ /m/v3/actions/event-log + +

Issue detail:

+
+ The application implements an HTML5 cross-origin resource sharing (CORS) policy for this + request.

The response uses a wildcard in the Access-Control-Allow-Origin header and also + specifies that credentials are allowed. Note that browsers do not allow this combination, and the + Access-Control-Allow-Credentials header will be ignored.

Since the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache the response regardless of the requesting origin. This may enable an attacker to carry out cache poisoning attacks. +
+ +

+ Issue background: +

+
+

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per request based on the URL and other features of the request.

If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application and visits a domain allowed by the policy, then any malicious content running on that domain can potentially retrieve content from the application, and sometimes carry out actions within the security context of the logged-in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by an attacker to exploit the trust relationship and attack the application that allows access. CORS policies on pages containing sensitive information should be reviewed to determine whether it is appropriate for the application to trust both the intentions and the security posture of any domains granted access.

+
+ +

+ Issue remediation: +

+
+

Any inappropriate domains should be removed from the CORS policy.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/event-log HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.567957676.1730844025; _ga_0CGDK6Q0X4=GS1.1.1730844024.1.0.1730844029.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 279 + + {"name":"ForgotPasswordButtonClicked","category":"mConsoleEvents","timestamp":1730844029,"data":{"currentURL":"https://instance.example.com/fe/m3/m-login","previou +
Snip
+
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 22:00:30 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Cross-origin resource sharing

+ /m/v3/actions/login-m-by-name + +

Issue detail:

+
The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request.

The response uses a wildcard in the Access-Control-Allow-Origin header and also specifies that credentials are allowed. Note that browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be ignored.

Since the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks. (In the response below the header value is a static wildcard rather than an echo of the request's Origin, so no origin-specific value is being cached; the concern becomes material if the server is later changed to reflect origins.)
+ +

+ Issue background: +

+
+

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per request based on the URL and other features of the request.

If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application and visits a domain allowed by the policy, then any malicious content running on that domain can potentially retrieve content from the application, and sometimes carry out actions within the security context of the logged-in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by an attacker to exploit the trust relationship and attack the application that allows access. CORS policies on pages containing sensitive information should be reviewed to determine whether it is appropriate for the application to trust both the intentions and the security posture of any domains granted access.

+
+ +

+ Issue remediation: +

+
+

Any inappropriate domains should be removed from the CORS policy.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/login-m-by-name HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Authorization: Bearer undefined + Cookie: _ga=GA1.1.766182157.1730844017; _ga_0CGDK6Q0X4=GS1.1.1730844017.1.0.1730844022.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 33 + + {"mName":"","password":""} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 22:00:23 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Cross-origin resource sharing

+ /m/v3/actions/request-m-password-reset + +

Issue detail:

+
The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request.

The response uses a wildcard in the Access-Control-Allow-Origin header and also specifies that credentials are allowed. Note that browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be ignored.

Since the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks. (In the response below the header value is a static wildcard rather than an echo of the request's Origin, so no origin-specific value is being cached; the concern becomes material if the server is later changed to reflect origins.)
+ +

+ Issue background: +

+
+

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per request based on the URL and other features of the request.

If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application and visits a domain allowed by the policy, then any malicious content running on that domain can potentially retrieve content from the application, and sometimes carry out actions within the security context of the logged-in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by an attacker to exploit the trust relationship and attack the application that allows access. CORS policies on pages containing sensitive information should be reviewed to determine whether it is appropriate for the application to trust both the intentions and the security posture of any domains granted access.

+
+ +

+ Issue remediation: +

+
+

Any inappropriate domains should be removed from the CORS policy.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/request-m-password-reset HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.496830287.1730844017; _ga_0CGDK6Q0X4=GS1.1.1730844017.1.1.1730844022.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/request-reset-password + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 94 + + {"mName":"BoSUhm","mEmail":"BoSUhmuz@burpcollaborator.net","mPhone":null} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 22:00:23 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Cross-origin resource sharing

+ /m/v3/translations + +

Issue detail:

+
The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request.

The response uses a wildcard in the Access-Control-Allow-Origin header and also specifies that credentials are allowed. Note that browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be ignored.

Since the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks. (In the response below the header value is a static wildcard rather than an echo of the request's Origin, so no origin-specific value is being cached; the concern becomes material if the server is later changed to reflect origins.)
+ +

+ Issue background: +

+
+

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per request based on the URL and other features of the request.

If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application and visits a domain allowed by the policy, then any malicious content running on that domain can potentially retrieve content from the application, and sometimes carry out actions within the security context of the logged-in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by an attacker to exploit the trust relationship and attack the application that allows access. CORS policies on pages containing sensitive information should be reviewed to determine whether it is appropriate for the application to trust both the intentions and the security posture of any domains granted access.

+
+ +

+ Issue remediation: +

+
+

Any inappropriate domains should be removed from the CORS policy.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /m/v3/translations?locale=en_US&category=m-fe HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.2145941182.1730844052; _ga_0CGDK6Q0X4=GS1.1.1730844051.1.1.1730844054.0.0.0 + Referer: https://instance.example.com/fe/m3/m-login + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Origin: https://instance.example.com + +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 22:04:36 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Cross-origin resource sharing

+ /m/v3/translations/locales + +

Issue detail:

+
The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request.

The response uses a wildcard in the Access-Control-Allow-Origin header and also specifies that credentials are allowed. Note that browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be ignored.

Since the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks. (In the response below the header value is a static wildcard rather than an echo of the request's Origin, so no origin-specific value is being cached; the concern becomes material if the server is later changed to reflect origins.)
+ +

+ Issue background: +

+
+

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per request based on the URL and other features of the request.

If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application and visits a domain allowed by the policy, then any malicious content running on that domain can potentially retrieve content from the application, and sometimes carry out actions within the security context of the logged-in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by an attacker to exploit the trust relationship and attack the application that allows access. CORS policies on pages containing sensitive information should be reviewed to determine whether it is appropriate for the application to trust both the intentions and the security posture of any domains granted access.

+
+ +

+ Issue remediation: +

+
+

Any inappropriate domains should be removed from the CORS policy.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /m/v3/translations/locales?category=m-fe HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Referer: https://instance.example.com/fe/m3/m-login + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Origin: https://instance.example.com + +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 22:09:09 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +
+
+
+ +

Cross-origin resource sharing: arbitrary origin trusted

+ /m/v3/actions/action-log + +

Issue detail:

+
The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain.

The application allowed access from the requested origin https://aazpkgamubbk.com. As the response below shows, the origin is accepted through a wildcard Access-Control-Allow-Origin value rather than by reflecting the supplied origin.

The response uses a wildcard in the Access-Control-Allow-Origin header and also specifies that credentials are allowed. Note that browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be ignored.

Since the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks. (Because the header value is a static wildcard rather than an echo of the request's Origin, no origin-specific value is being cached; the concern becomes material if the server is later changed to reflect origins.)
+ +

+ Issue background: +

+
+

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per request based on the URL and other features of the request.

Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way interaction by third-party web sites. Unless the response consists only of unprotected public content, this policy is likely to present a security risk.

If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be able to carry out privileged actions and retrieve sensitive information. (Browsers honour that header only when Access-Control-Allow-Origin names a specific origin, not the wildcard seen here.) Even if it does not, attackers may be able to bypass any IP-based access controls by proxying through users' browsers.

+
+ +

+ Issue remediation: +

+
+

Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of trusted domains. If cross-origin requests never need credentials, also remove the Access-Control-Allow-Credentials header so that it cannot become effective if the origin handling is changed later.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/action-log HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.705270236.1730844023; _ga_0CGDK6Q0X4=GS1.1.1730844022.1.0.1730844028.0.0.0 + Origin: https://aazpkgamubbk.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 118 + + {"name":"mLoginAttempt","category":"mConsolefe","data":{"deviceType":"Desktop","mName":""}} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 22:08:15 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Cross-origin resource sharing: arbitrary origin trusted

+ /m/v3/actions/event-log + +

Issue detail:

+
The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain.

The application allowed access from the requested origin https://nyc.com. As the response below shows, the origin is accepted through a wildcard Access-Control-Allow-Origin value rather than by reflecting the supplied origin.

The response uses a wildcard in the Access-Control-Allow-Origin header and also specifies that credentials are allowed. Note that browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be ignored.

Since the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks. (Because the header value is a static wildcard rather than an echo of the request's Origin, no origin-specific value is being cached; the concern becomes material if the server is later changed to reflect origins.)
+ +

+ Issue background: +

+
+

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per request based on the URL and other features of the request.

Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way interaction by third-party web sites. Unless the response consists only of unprotected public content, this policy is likely to present a security risk.

If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be able to carry out privileged actions and retrieve sensitive information. (Browsers honour that header only when Access-Control-Allow-Origin names a specific origin, not the wildcard seen here.) Even if it does not, attackers may be able to bypass any IP-based access controls by proxying through users' browsers.

+
+ +

+ Issue remediation: +

+
+

Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of trusted domains. If cross-origin requests never need credentials, also remove the Access-Control-Allow-Credentials header so that it cannot become effective if the origin handling is changed later.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/event-log HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.567957676.1730844025; _ga_0CGDK6Q0X4=GS1.1.1730844024.1.0.1730844029.0.0.0 + Origin: https://nyc.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 279 + + {"name":"ForgotPasswordButtonClicked","category":"mConsoleEvents","timestamp":1730844029,"data":{"currentURL":"https://instance.example.com/fe/m3/m-login","previou +
Snip
+
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 22:08:55 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Cross-origin resource sharing: arbitrary origin trusted

+ /m/v3/actions/login-m-by-name + +

Issue detail:

+
The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain.

The application allowed access from the requested origin https://zwa.com. As the response below shows, the origin is accepted through a wildcard Access-Control-Allow-Origin value rather than by reflecting the supplied origin.

The response uses a wildcard in the Access-Control-Allow-Origin header and also specifies that credentials are allowed. Note that browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be ignored.

Since the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks. (Because the header value is a static wildcard rather than an echo of the request's Origin, no origin-specific value is being cached; the concern becomes material if the server is later changed to reflect origins.)
+ +

+ Issue background: +

+
+

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per request based on the URL and other features of the request.

Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way interaction by third-party web sites. Unless the response consists only of unprotected public content, this policy is likely to present a security risk.

If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be able to carry out privileged actions and retrieve sensitive information. (Browsers honour that header only when Access-Control-Allow-Origin names a specific origin, not the wildcard seen here.) Even if it does not, attackers may be able to bypass any IP-based access controls by proxying through users' browsers.

+
+ +

+ Issue remediation: +

+
+

Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of trusted domains. If cross-origin requests never need credentials, also remove the Access-Control-Allow-Credentials header so that it cannot become effective if the origin handling is changed later.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/login-m-by-name HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Authorization: Bearer undefined + Cookie: _ga=GA1.1.766182157.1730844017; _ga_0CGDK6Q0X4=GS1.1.1730844017.1.0.1730844022.0.0.0 + Origin: https://zwa.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 33 + + {"mName":"","password":""} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 22:08:00 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Cross-origin resource sharing: arbitrary origin trusted

+ /m/v3/actions/request-m-password-reset + +

Issue detail:

+
The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain.

The application allowed access from the requested origin https://wsparhyjqvka.com. As the response below shows, the origin is accepted through a wildcard Access-Control-Allow-Origin value rather than by reflecting the supplied origin.

The response uses a wildcard in the Access-Control-Allow-Origin header and also specifies that credentials are allowed. Note that browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be ignored.

Since the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks. (Because the header value is a static wildcard rather than an echo of the request's Origin, no origin-specific value is being cached; the concern becomes material if the server is later changed to reflect origins.)
+ +

+ Issue background: +

+
+

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per request based on the URL and other features of the request.

Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way interaction by third-party web sites. Unless the response consists only of unprotected public content, this policy is likely to present a security risk.

If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be able to carry out privileged actions and retrieve sensitive information. (Browsers honour that header only when Access-Control-Allow-Origin names a specific origin, not the wildcard seen here.) Even if it does not, attackers may be able to bypass any IP-based access controls by proxying through users' browsers.

+
+ +

+ Issue remediation: +

+
+

Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of trusted domains. If cross-origin requests never need credentials, also remove the Access-Control-Allow-Credentials header so that it cannot become effective if the origin handling is changed later.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/request-m-password-reset HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.496830287.1730844017; _ga_0CGDK6Q0X4=GS1.1.1730844017.1.1.1730844022.0.0.0 + Origin: https://wsparhyjqvka.com + Referer: https://instance.example.com/fe/m3/request-reset-password + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 94 + + {"mName":"BoSUhm","mEmail":"BoSUhmuz@burpcollaborator.net","mPhone":null} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 22:08:21 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Cross-origin resource sharing: arbitrary origin trusted

+ /m/v3/translations + +

Issue detail:

+
The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain.

The application allowed access from the requested origin https://tjelewarvblp.com. As the response below shows, the origin is accepted through a wildcard Access-Control-Allow-Origin value rather than by reflecting the supplied origin.

The response uses a wildcard in the Access-Control-Allow-Origin header and also specifies that credentials are allowed. Note that browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be ignored.

Since the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks. (Because the header value is a static wildcard rather than an echo of the request's Origin, no origin-specific value is being cached; the concern becomes material if the server is later changed to reflect origins.)
+ +

+ Issue background: +

+
+

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per request based on the URL and other features of the request.

Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way interaction by third-party web sites. Unless the response consists only of unprotected public content, this policy is likely to present a security risk.

If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be able to carry out privileged actions and retrieve sensitive information. (Browsers honour that header only when Access-Control-Allow-Origin names a specific origin, not the wildcard seen here.) Even if it does not, attackers may be able to bypass any IP-based access controls by proxying through users' browsers.

+
+ +

+ Issue remediation: +

+
+

Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of trusted domains. If cross-origin requests never need credentials, also remove the Access-Control-Allow-Credentials header so that it cannot become effective if the origin handling is changed later.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /m/v3/translations?locale=en_US&category=m-fe HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.2145941182.1730844052; _ga_0CGDK6Q0X4=GS1.1.1730844051.1.1.1730844054.0.0.0 + Referer: https://instance.example.com/fe/m3/m-login + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Origin: https://tjelewarvblp.com + +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 22:04:37 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Cross-origin resource sharing: arbitrary origin trusted

+ /m/v3/translations/locales + +

Issue detail:

+
The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain.

The application allowed access from the requested origin https://pduoenagjukk.com. As the response below shows, the origin is accepted through a wildcard Access-Control-Allow-Origin value rather than by reflecting the supplied origin.

The response uses a wildcard in the Access-Control-Allow-Origin header and also specifies that credentials are allowed. Note that browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be ignored.

Since the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks. (Because the header value is a static wildcard rather than an echo of the request's Origin, no origin-specific value is being cached; the concern becomes material if the server is later changed to reflect origins.)
+ +

+ Issue background: +

+
+

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on + other domains can perform two-way interaction with the domain that publishes the policy. The + policy is fine-grained and can apply access controls per-request based on the URL and other + features of the request.

+

+ Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way + interaction by third-party web sites. Unless the response consists only of unprotected public + content, this policy is likely to present a security risk.

+

If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be able to carry out privileged actions and retrieve sensitive information. Even if it does not, attackers may be able to bypass any IP-based access controls by proxying through users' browsers.

+
+ +

+ Issue remediation: +

+
+

Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of trusted domains, and only send Access-Control-Allow-Credentials: true for origins on that list.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /m/v3/translations/locales?category=m-fe HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Referer: https://instance.example.com/fe/m3/m-login + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Origin: https://pduoenagjukk.com + +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 22:09:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +
+
+
+ +

Robots.txt file

+ /robots.txt + +

Issue detail:

+
The web server contains a robots.txt file.
+ +

+ Issue background: +

+
+

The file robots.txt is used to give instructions to web robots, such as search engine crawlers, about locations within the web site that robots are allowed, or not allowed, to crawl and index.

+

The presence of the robots.txt does not in itself present any kind of security vulnerability. However, it is often used to identify restricted or private areas of a site's contents. The information in the file may therefore help an attacker to map out the site's contents, especially if some of the locations identified are not linked from elsewhere in the site. If the application relies on robots.txt to protect access to these areas, and does not enforce proper access control over them, then this presents a serious vulnerability.

+
+ +

+ Issue remediation: +

+
+

The robots.txt file is not itself a security threat, and its correct use can represent good practice for non-security reasons. You should not assume that all web robots will honor the file's instructions. Rather, assume that attackers will pay close attention to any locations identified in the file. Do not rely on robots.txt to provide any kind of protection over unauthorized access; each path listed in the Disallow entries should be verified to enforce its own server-side access control.

+
+ +

Vulnerability classifications

+ + +
+

Request:

+
GET /robots.txt HTTP/1.1 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + +
+
+
+

Response:

+
HTTP/1.1 200 OK + Date: Tue, 05 Nov 2024 21:59:51 GMT + Content-Type: text/plain + Content-Length: 195 + Connection: close + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Last-Modified: Tue, 15 Oct 2024 15:56:17 GMT + ETag: "c3-62485fe5f1553-gzip" + Accept-Ranges: bytes + Vary: Accept-Encoding + + User-agent: * + Disallow: /app + Disallow: /apidocs/example-app-install.pdf + Disallow: /dashboard/ + Disallow: /m2/ + Disallow: /m/ + Disallow: /js/ + Disallow: /modules/api/fetch-dictionary.php +
+
+
+
+ +
+
+
+ +

Cacheable HTTPS response

+ /fe/m3/m-login + +

+ Issue description: +

+
+

Unless directed otherwise, browsers may store a local cached copy of content received from web servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS. If sensitive information in application responses is stored in the local cache, then this may be retrieved by other users who have access to the same computer at a future time.

+
+ +

+ Issue remediation: +

+
+

Applications should return caching directives instructing browsers not to store local copies of any sensitive data. Often, this can be achieved by configuring the web server to prevent caching for relevant paths within the web root. Alternatively, most web development platforms allow you to control the server's caching directives from within individual scripts. Ideally, the web server should return the following HTTP headers in all responses containing sensitive content:

+
    +
  • Cache-control: no-store
  • +
  • Pragma: no-cache
  • +
+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+
+ +
+
+
+ +

DOM data manipulation (DOM-based)

+ /fe/m3/m-login + +

Issue detail:

+
The application may be vulnerable to DOM-based DOM data manipulation. Data is read from location.pathname and passed to history.replaceState. The dynamic-analysis stack traces below show the value reaching history.replaceState during the client router's createWebHistory initialisation, which appears to rewrite the current URL; confirm whether the rewritten location is subsequently rendered or used in application logic before treating this as exploitable.
+ +

+ Issue background: +

+
+

DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of the DOM (for example, the URL) and processes this data in an unsafe way.

+

DOM data manipulation arises when a script writes controllable data to a field within the DOM that is used within the visible UI or client-side application logic. An attacker may be able to use the vulnerability to construct a URL that, if visited by another application user, will modify the appearance or behavior of the client-side UI. An attacker may be able to leverage this to perform virtual defacement of the application, or possibly to induce the user to perform unintended actions.

+ +

Burp Suite automatically identifies this issue using dynamic and static code analysis. Static analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not provided any evidence resulting from dynamic analysis, you should review the relevant code and execution paths to determine whether this vulnerability is indeed present, or whether mitigations are in place that would prevent exploitation.

+
+ +

+ Issue remediation: +

+
+

The most effective way to avoid DOM-based DOM data manipulation vulnerabilities is not to dynamically write to DOM data fields any data that originated from any untrusted source. If the desired functionality of the application means that this behavior is unavoidable, then defenses must be implemented within the client-side code to prevent malicious data from being stored. In general, this is best achieved by using a whitelist of permitted values.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+

Dynamic analysis:

+
+

Data is read from location.pathname and passed to history.replaceState.

+
    +
  • +

    The following value was injected into the source:

    +
    ///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&
    +
  • + +
  • +

    The previous value reached the sink:

    +
    https://instance.example.com/fe///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/><g49p4yw5cy/\>zgrotg0z2s&#hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/><hj8js9yzmu/\>ea3izlhk1m&
    +
  • + +
  • +

    The stack trace at source was:

    +
    at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)
    +at get pathname (<anonymous>:1:249642)
    +at createCurrentLocation (https://instance.example.com/fe/js/cv-script.js:218038:13)
    +at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218149:16)
    +at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
    +at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at 1 (https://instance.example.com/fe/js/app.js:172609:18)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
    +at https://instance.example.com/fe/js/app.js:994:18
    +
  • + +
  • +

    The stack trace at the sink was:

    +
    at Object.dXSzc (<anonymous>:1:107608)
    +at Object.skeuk (<anonymous>:1:548616)
    +at History.replaceState (<anonymous>:1:548864)
    +at changeLocation (https://instance.example.com/fe/js/cv-script.js:218185:60)
    +at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218154:9)
    +at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
    +at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at 1 (https://instance.example.com/fe/js/app.js:172609:18)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
    +
  • + +
+
+
+
+
+ +

DOM data manipulation (DOM-based)

+ /fe/m3/m-login + +

Issue detail:

+
The application may be vulnerable to DOM-based DOM data manipulation. Data is read from location.search and passed to history.replaceState.
+ +

+ Issue background: +

+
+

DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of the DOM (for example, the URL) and processes this data in an unsafe way.

+

DOM data manipulation arises when a script writes controllable data to a field within the DOM that is used within the visible UI or client-side application logic. An attacker may be able to use the vulnerability to construct a URL that, if visited by another application user, will modify the appearance or behavior of the client-side UI. An attacker may be able to leverage this to perform virtual defacement of the application, or possibly to induce the user to perform unintended actions.

+ +

Burp Suite automatically identifies this issue using dynamic and static code analysis. Static analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not provided any evidence resulting from dynamic analysis, you should review the relevant code and execution paths to determine whether this vulnerability is indeed present, or whether mitigations are in place that would prevent exploitation.

+
+ +

+ Issue remediation: +

+
+

The most effective way to avoid DOM-based DOM data manipulation vulnerabilities is not to dynamically write to DOM data fields any data that originated from any untrusted source. If the desired functionality of the application means that this behavior is unavoidable, then defenses must be implemented within the client-side code to prevent malicious data from being stored. In general, this is best achieved by using a whitelist of permitted values.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+

Dynamic analysis:

+
+

Data is read from location.search and passed to history.replaceState.

+
    +
  • +

    The following value was injected into the source:

    +
    ?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/><g49p4yw5cy/\>zgrotg0z2s&
    +
  • + +
  • +

    The previous value reached the sink:

    +
    https://instance.example.com/fe///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/><g49p4yw5cy/\>zgrotg0z2s&#hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/><hj8js9yzmu/\>ea3izlhk1m&
    +
  • + +
  • +

    The stack trace at source was:

    +
    at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)
    +at get search (<anonymous>:1:248279)
    +at createCurrentLocation (https://instance.example.com/fe/js/cv-script.js:218038:23)
    +at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218149:16)
    +at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
    +at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at 1 (https://instance.example.com/fe/js/app.js:172609:18)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
    +at https://instance.example.com/fe/js/app.js:994:18
    +
  • + +
  • +

    The stack trace at the sink was:

    +
    at Object.dXSzc (<anonymous>:1:107608)
    +at Object.skeuk (<anonymous>:1:548616)
    +at History.replaceState (<anonymous>:1:548864)
    +at changeLocation (https://instance.example.com/fe/js/cv-script.js:218185:60)
    +at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218154:9)
    +at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
    +at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at 1 (https://instance.example.com/fe/js/app.js:172609:18)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
    +
  • + +
+
+
+
+
+ +

DOM data manipulation (DOM-based)

+ /fe/m3/m-login + +

Issue detail:

+
The application may be vulnerable to DOM-based DOM data manipulation. Data is read from location.hash and passed to history.replaceState.
+ +

+ Issue background: +

+
+

DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of the DOM (for example, the URL) and processes this data in an unsafe way.

+

DOM data manipulation arises when a script writes controllable data to a field within the DOM that is used within the visible UI or client-side application logic. An attacker may be able to use the vulnerability to construct a URL that, if visited by another application user, will modify the appearance or behavior of the client-side UI. An attacker may be able to leverage this to perform virtual defacement of the application, or possibly to induce the user to perform unintended actions.

+ +

Burp Suite automatically identifies this issue using dynamic and static code analysis. Static analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not provided any evidence resulting from dynamic analysis, you should review the relevant code and execution paths to determine whether this vulnerability is indeed present, or whether mitigations are in place that would prevent exploitation.

+
+ +

+ Issue remediation: +

+
+

The most effective way to avoid DOM-based DOM data manipulation vulnerabilities is not to dynamically write to DOM data fields any data that originated from any untrusted source. If the desired functionality of the application means that this behavior is unavoidable, then defenses must be implemented within the client-side code to prevent malicious data from being stored. In general, this is best achieved by using a whitelist of permitted values.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+

Dynamic analysis:

+
+

Data is read from location.hash and passed to history.replaceState.

+
    +
  • +

    The following value was injected into the source:

    +
    #hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/><hj8js9yzmu/\>ea3izlhk1m&
    +
  • + +
  • +

    The previous value reached the sink:

    +
    https://instance.example.com/fe///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/><g49p4yw5cy/\>zgrotg0z2s&#hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/><hj8js9yzmu/\>ea3izlhk1m&
    +
  • + +
  • +

    The stack trace at source was:

    +
    at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)
    +at get hash (<anonymous>:1:249429)
    +at createCurrentLocation (https://instance.example.com/fe/js/cv-script.js:218038:31)
    +at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218149:16)
    +at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
    +at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at 1 (https://instance.example.com/fe/js/app.js:172609:18)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
    +at https://instance.example.com/fe/js/app.js:994:18
    +
  • + +
  • +

    The stack trace at the sink was:

    +
    at Object.dXSzc (<anonymous>:1:107608)
    +at Object.skeuk (<anonymous>:1:548616)
    +at History.replaceState (<anonymous>:1:548864)
    +at changeLocation (https://instance.example.com/fe/js/cv-script.js:218185:60)
    +at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218154:9)
    +at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
    +at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at 1 (https://instance.example.com/fe/js/app.js:172609:18)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
    +
  • + +
+
+
+
+
+ +

DOM data manipulation (DOM-based)

+ /fe/m3/m-login + +

Issue detail:

+
+ The application may be vulnerable to DOM-based DOM data manipulation. Data is read from + location.pathname and passed to history.replaceState. +
+ +

+ Issue background: +

+
+

DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of + the DOM (for example, the URL) and processes this data in an unsafe way.

+

DOM data manipulation arises when a script writes controllable data to a field within the DOM + that is used within the visible UI or client-side application logic. An attacker may be able to + use the vulnerability to construct a URL that, if visited by another application user, will + modify the appearance or behavior of the client-side UI. An attacker may be able to leverage + this to perform virtual defacement of the application, or possibly to induce the user to perform + unintended actions.

+ +

Burp Suite automatically identifies this issue using dynamic and static code analysis. Static + analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not + provided any evidence resulting from dynamic analysis, you should review the relevant code and + execution paths to determine whether this vulnerability is indeed present, or whether + mitigations are in place that would prevent exploitation.

+
+ +

+ Issue remediation: +

+
+

The most effective way to avoid DOM-based DOM data manipulation vulnerabilities is not to + dynamically write to DOM data fields any data that originated from any untrusted source. If the + desired functionality of the application means that this behavior is unavoidable, then defenses + must be implemented within the client-side code to prevent malicious data from being stored. In + general, this is best achieved by using a whitelist of permitted values.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+

Dynamic analysis:

+
+

+ Data is read from location.pathname and passed to history.replaceState. +

+
    +
  • +

    The following value was injected into the source:

    +
    ///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&
    +
  • + +
  • +

    The previous value reached the sink:

    +
    https://instance.example.com/fe///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/><g49p4yw5cy/\>zgrotg0z2s&#hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/><hj8js9yzmu/\>ea3izlhk1m&
    +
  • + +
  • +

    The stack trace at source was:

    +
    at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)
    +at get pathname (<anonymous>:1:249642)
    +at createCurrentLocation (https://instance.example.com/fe/js/cv-script.js:218038:13)
    +at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218149:16)
    +at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
    +at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at 1 (https://instance.example.com/fe/js/app.js:172609:18)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
    +at https://instance.example.com/fe/js/app.js:994:18
    +
  • + +
  • +

    The stack trace at the sink was:

    +
    at Object.dXSzc (<anonymous>:1:107608)
    +at Object.skeuk (<anonymous>:1:548616)
    +at History.replaceState (<anonymous>:1:548864)
    +at changeLocation (https://instance.example.com/fe/js/cv-script.js:218185:60)
    +at Object.replace (https://instance.example.com/fe/js/cv-script.js:218201:9)
    +at finalizeNavigation (https://instance.example.com/fe/js/cv-script.js:220844:31)
    +at https://instance.example.com/fe/js/cv-script.js:220724:27
    +
  • + +
  • +

    This was triggered by a loadend event.

    +
  • + +
+
+
+
+
+ +

DOM data manipulation (DOM-based)

+ /fe/m3/m-login + +

Issue detail:

+
+ The application may be vulnerable to DOM-based DOM data manipulation. Data is read from + location.search and passed to history.replaceState. +
+ +

+ Issue background: +

+
+

DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of + the DOM (for example, the URL) and processes this data in an unsafe way.

+

DOM data manipulation arises when a script writes controllable data to a field within the DOM + that is used within the visible UI or client-side application logic. An attacker may be able to + use the vulnerability to construct a URL that, if visited by another application user, will + modify the appearance or behavior of the client-side UI. An attacker may be able to leverage + this to perform virtual defacement of the application, or possibly to induce the user to perform + unintended actions.

+ +

Burp Suite automatically identifies this issue using dynamic and static code analysis. Static + analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not + provided any evidence resulting from dynamic analysis, you should review the relevant code and + execution paths to determine whether this vulnerability is indeed present, or whether + mitigations are in place that would prevent exploitation.

+
+ +

+ Issue remediation: +

+
+

The most effective way to avoid DOM-based DOM data manipulation vulnerabilities is not to + dynamically write to DOM data fields any data that originated from any untrusted source. If the + desired functionality of the application means that this behavior is unavoidable, then defenses + must be implemented within the client-side code to prevent malicious data from being stored. In + general, this is best achieved by using a whitelist of permitted values.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+

Dynamic analysis:

+
+

+ Data is read from location.search and passed to history.replaceState. +

+
    +
  • +

    The following value was injected into the source:

    +
    ?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/><g49p4yw5cy/\>zgrotg0z2s&
    +
  • + +
  • +

    The previous value reached the sink:

    +
    https://instance.example.com/fe///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/><g49p4yw5cy/\>zgrotg0z2s&#hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/><hj8js9yzmu/\>ea3izlhk1m&
    +
  • + +
  • +

    The stack trace at source was:

    +
    at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)
    +at get search (<anonymous>:1:248279)
    +at createCurrentLocation (https://instance.example.com/fe/js/cv-script.js:218038:23)
    +at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218149:16)
    +at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
    +at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at 1 (https://instance.example.com/fe/js/app.js:172609:18)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
    +at https://instance.example.com/fe/js/app.js:994:18
    +
  • + +
  • +

    The stack trace at the sink was:

    +
    at Object.dXSzc (<anonymous>:1:107608)
    +at Object.skeuk (<anonymous>:1:548616)
    +at History.replaceState (<anonymous>:1:548864)
    +at changeLocation (https://instance.example.com/fe/js/cv-script.js:218185:60)
    +at Object.replace (https://instance.example.com/fe/js/cv-script.js:218201:9)
    +at finalizeNavigation (https://instance.example.com/fe/js/cv-script.js:220844:31)
    +at https://instance.example.com/fe/js/cv-script.js:220724:27
    +
  • + +
  • +

    This was triggered by a loadend event.

    +
  • + +
+
+
+
+
+ +

DOM data manipulation (DOM-based)

+ /fe/m3/m-login + +

Issue detail:

+
+ The application may be vulnerable to DOM-based DOM data manipulation. Data is read from + location.hash and passed to history.replaceState. +
+ +

+ Issue background: +

+
+

DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of + the DOM (for example, the URL) and processes this data in an unsafe way.

+

DOM data manipulation arises when a script writes controllable data to a field within the DOM + that is used within the visible UI or client-side application logic. An attacker may be able to + use the vulnerability to construct a URL that, if visited by another application user, will + modify the appearance or behavior of the client-side UI. An attacker may be able to leverage + this to perform virtual defacement of the application, or possibly to induce the user to perform + unintended actions.

+ +

Burp Suite automatically identifies this issue using dynamic and static code analysis. Static + analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not + provided any evidence resulting from dynamic analysis, you should review the relevant code and + execution paths to determine whether this vulnerability is indeed present, or whether + mitigations are in place that would prevent exploitation.

+
+ +

+ Issue remediation: +

+
+

The most effective way to avoid DOM-based DOM data manipulation vulnerabilities is not to + dynamically write to DOM data fields any data that originated from any untrusted source. If the + desired functionality of the application means that this behavior is unavoidable, then defenses + must be implemented within the client-side code to prevent malicious data from being stored. In + general, this is best achieved by using a whitelist of permitted values.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+

Dynamic analysis:

+
+

+ Data is read from location.hash and passed to history.replaceState. +

+
    +
  • +

    The following value was injected into the source:

    +
    #hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/><hj8js9yzmu/\>ea3izlhk1m&
    +
  • + +
  • +

    The previous value reached the sink:

    +
    https://instance.example.com/fe///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/><g49p4yw5cy/\>zgrotg0z2s&#hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/><hj8js9yzmu/\>ea3izlhk1m&
    +
  • + +
  • +

    The stack trace at source was:

    +
    at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)
    +at get hash (<anonymous>:1:249429)
    +at createCurrentLocation (https://instance.example.com/fe/js/cv-script.js:218038:31)
    +at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218149:16)
    +at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
    +at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at 1 (https://instance.example.com/fe/js/app.js:172609:18)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
    +at https://instance.example.com/fe/js/app.js:994:18
    +
  • + +
  • +

    The stack trace at the sink was:

    +
    at Object.dXSzc (<anonymous>:1:107608)
    +at Object.skeuk (<anonymous>:1:548616)
    +at History.replaceState (<anonymous>:1:548864)
    +at changeLocation (https://instance.example.com/fe/js/cv-script.js:218185:60)
    +at Object.replace (https://instance.example.com/fe/js/cv-script.js:218201:9)
    +at finalizeNavigation (https://instance.example.com/fe/js/cv-script.js:220844:31)
    +at https://instance.example.com/fe/js/cv-script.js:220724:27
    +
  • + +
  • +

    This was triggered by a loadend event.

    +
  • + +
+
+
+
+
+ +
+
+ +
+

More details for http://instance.example.com

+
+ +
+
+ +

Input returned in response (reflected)

+ /fe/m3/m-login + +

Issue detail:

+
+ The value of the URL path folder 1 is copied into the application's response. +
+ +

+ Issue background: +

+
+

Reflection of input arises when data is copied from a request and echoed into the application's + immediate response.

+

Input being returned in application responses is not a vulnerability in its own right. However, + it is a prerequisite for many client-side vulnerabilities, including cross-site scripting, open + redirection, content spoofing, and response header injection. Additionally, some server-side + vulnerabilities such as SQL injection are often easier to identify and exploit when input is + returned in responses. In applications where input retrieval is rare and the environment is + resistant to automated testing (for example, due to a web application firewall), it might be + worth subjecting instances of it to focused manual testing.

+
+ +

Vulnerability classifications

+ + +
+

Request:

+
GET /fes56j3607g3/m3/m-login HTTP/1.1 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/1.1 301 Moved Permanently + Server: awselb/2.0 + Date: Tue, 05 Nov 2024 22:04:46 GMT + Content-Type: text/html + Content-Length: 134 + Connection: close + Location: https://instance.example.com:443/fes56j3607g3/m3/m-login + + <html> + <head><title>301 Moved Permanently</title></head> + <body> + <center><h1>301 Moved Permanently</h1></center> + </body> + </html> +
+
+
+
+ +

Input returned in response (reflected)

+ /fe/m3/m-login + +

Issue detail:

+
+ The value of the URL path folder 2 is copied into the application's response. +
+ +

+ Issue background: +

+
+

Reflection of input arises when data is copied from a request and echoed into the application's + immediate response.

+

Input being returned in application responses is not a vulnerability in its own right. However, + it is a prerequisite for many client-side vulnerabilities, including cross-site scripting, open + redirection, content spoofing, and response header injection. Additionally, some server-side + vulnerabilities such as SQL injection are often easier to identify and exploit when input is + returned in responses. In applications where input retrieval is rare and the environment is + resistant to automated testing (for example, due to a web application firewall), it might be + worth subjecting instances of it to focused manual testing.

+
+ +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3mx6wpfgqge/m-login HTTP/1.1 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/1.1 301 Moved Permanently + Server: awselb/2.0 + Date: Tue, 05 Nov 2024 22:05:07 GMT + Content-Type: text/html + Content-Length: 134 + Connection: close + Location: https://instance.example.com:443/fe/m3mx6wpfgqge/m-login + + <html> + <head><title>301 Moved Permanently</title></head> + <body> + <center><h1>301 Moved Permanently</h1></center> + </body> + </html> +
+
+
+
+ +
+ +
+ + +
\ No newline at end of file
diff --git a/unittests/scans/generic/test_with_image_no_ext.json b/unittests/scans/generic/test_with_image_no_ext.json
new file mode 100644
index 00000000000..50051651e75
--- /dev/null
+++ b/unittests/scans/generic/test_with_image_no_ext.json
@@ -0,0 +1,16 @@
+{
+ "title": "My wonderful report",
+ "findings": [
+ {
+ "title": "Vuln with image and no extension",
+ "description": "Some very long description",
+ "severity": "Medium",
+ "files": [
+ {
+ "title": "testcat",
+ "data": ""
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/unittests/scans/ms_defender/issue_11217.zip b/unittests/scans/ms_defender/issue_11217.zip
new file mode 100644
index 00000000000..862542647b1
Binary files /dev/null and b/unittests/scans/ms_defender/issue_11217.zip differ
diff --git a/unittests/tools/test_acunetix_parser.py b/unittests/tools/test_acunetix_parser.py
index 47969cdeeab..fe0deb95e63 100644
--- a/unittests/tools/test_acunetix_parser.py
+++ b/unittests/tools/test_acunetix_parser.py
@@ -335,3 +335,12 @@ def test_parse_file_issue_10435(self):
 parser = AcunetixParser()
 findings = parser.get_findings(testfile, Test())
 self.assertEqual(1, len(findings))
+
+ def test_parse_file_issue_11206(self):
+ with open("unittests/scans/acunetix/issue_11206.json", encoding="utf-8") as testfile:
+ parser = AcunetixParser()
+ findings = parser.get_findings(testfile, Test())
+ self.assertEqual(1, len(findings))
+ with self.subTest(i=0):
+ finding = findings[0]
+ self.assertEqual(finding.date, date(2021, 6, 12, 12, 30))
diff --git a/unittests/tools/test_burp_enterprise_parser.py b/unittests/tools/test_burp_enterprise_parser.py
index a9f2b8d3350..9241bf4cd81 100644
--- a/unittests/tools/test_burp_enterprise_parser.py
+++ b/unittests/tools/test_burp_enterprise_parser.py
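Review bot: `date(2021, 6, 12, 12, 30)` in the new `test_parse_file_issue_11206` passes five positional arguments; if `date` is `datetime.date` (the import is outside this hunk), the constructor accepts only year, month and day and raises `TypeError` while building the expected value, before the comparison ever runs. If the Acunetix fixture carries a time of day and `finding.date` is a datetime, the expectation should be `datetime(2021, 6, 12, 12, 30)` (with whatever `tzinfo` the parser attaches); if `finding.date` is a plain date, `date(2021, 6, 12)`. Either way the test should fail on the assertion, not on constructing its operand.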
@@ -23,13 +23,9 @@ def test_burp_enterprise_with_multiple_vulns(self):
 self.assertTrue(finding.dynamic_finding)
 self.assertEqual(942, finding.cwe)
 self.assertEqual("Cross-origin resource sharing: arbitrary origin trusted", finding.title)
- description = """**Issue detail:**
-The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain.The application allowed access from the requested origin https://llqvfwgbsdau.com
-
-"""
- self.assertEqual(description, finding.description)
+ self.assertIn("**Issue detail**:\nThe application implements an HTML5 cross-origin resource sharing (CORS) policy", finding.description)
 self.assertIn("An HTML5 cross-origin resource sharing (CORS) policy controls", finding.impact)
- self.assertIn("(Web Security Academy: Cross-origin resource sharing (CORS))[https://portswigger.net/web-security/cors]", finding.references)
+ self.assertIn("[Web Security Academy: Cross-origin resource sharing (CORS)](https://portswigger.net/web-security/cors)", finding.references)
 self.assertEqual(1, len(finding.unsaved_endpoints))
 self.assertEqual("example.com", finding.unsaved_endpoints[0].host)
 
@@ -39,4 +35,33 @@ def test_burp_enterprise_with_multiple_vulns(self):
 self.assertTrue(finding.dynamic_finding)
 self.assertIsNone(finding.cwe)
 self.assertEqual("WAF Detected: redacted", finding.title)
- self.assertIn("WAF tech. details : Cloud-based CDN, WAF & DDoS prevention", finding.description)
+ self.assertIn("**Issue detail**:\nFingerprint Details:\n\nWAF Type : redacted\nWAF tech. details : Cloud-based CDN, WAF & DDoS prevention", finding.description)
+
+ def test_burp_enterprise_with_multiple_vulns_newer_format(self):
+ with open(path.join(path.dirname(__file__), "../scans/burp_enterprise/many_vulns_updated_format.html"), encoding="utf-8") as test_file:
+ parser = BurpEnterpriseParser()
+ findings = parser.get_findings(test_file, Test())
+ for finding in findings:
+ for endpoint in finding.unsaved_endpoints:
+ endpoint.clean()
+ self.assertEqual(12, len(findings))
+
+ with self.subTest(i=0):
+ finding = findings[0]
+ self.assertEqual("Low", finding.severity)
+ self.assertTrue(finding.dynamic_finding)
+ self.assertEqual(523, finding.cwe)
+ self.assertEqual("Strict transport security not enforced", finding.title)
+ self.assertIn("**Issue description**:\nThe application fails to prevent users from connecting to it over unencrypted connections.", finding.description)
+ self.assertIn("**Issue remediation**:\nThe application should instruct web browsers to only access the application using HTTPS.", finding.impact)
+ self.assertIn("- [HTTP Strict Transport Security](https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security)", finding.references)
+ self.assertEqual(7, len(finding.unsaved_endpoints))
+ self.assertEqual("instance.example.com", finding.unsaved_endpoints[0].host)
+
+ with self.subTest(i=5):
+ finding = findings[5]
+ self.assertEqual("Info", finding.severity)
+ self.assertTrue(finding.dynamic_finding)
+ self.assertEqual(116, finding.cwe)
+ self.assertEqual("Content security policy: allows form hijacking", finding.title)
+ self.assertIn("**Issue detail**:\nThe content security policy doesn't prevent form hijacking", finding.description)
diff --git a/unittests/tools/test_ms_defender_parser.py b/unittests/tools/test_ms_defender_parser.py
index a83049bf2e6..586bc401c58 100644
--- a/unittests/tools/test_ms_defender_parser.py
+++ b/unittests/tools/test_ms_defender_parser.py
@@ -68,3 +68,15 @@ def test_parser_defender_multiple_files_zip(self):
 for endpoint in finding.unsaved_endpoints:
 endpoint.clean()
 self.assertEqual("1.1.1.1", finding.unsaved_endpoints[0].host)
+
+ def test_parser_defender_issue_11217(self):
+ testfile = open("unittests/scans/ms_defender/issue_11217.zip", encoding="utf-8")
+ parser = MSDefenderParser()
+ findings = parser.get_findings(testfile, Test())
+ testfile.close()
+ self.assertEqual(1, len(findings))
+ finding = findings[0]
+ self.assertEqual("Medium", finding.severity)
+ for endpoint in finding.unsaved_endpoints:
+ endpoint.clean()
+ self.assertEqual("Max_Mustermann_iPadAir_17zoll__2ndgeneration_", finding.unsaved_endpoints[0].host)
diff --git a/unittests/tools/test_semgrep_parser.py b/unittests/tools/test_semgrep_parser.py
index 8729e4cc006..5517077e975 100644
--- a/unittests/tools/test_semgrep_parser.py
+++ b/unittests/tools/test_semgrep_parser.py
@@ -39,7 +39,7 @@ def test_parse_many_finding(self):
 self.assertEqual('javax crypto Cipher.getInstance("AES/GCM/NoPadding");', finding.mitigation)
 self.assertEqual("java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle", finding.vuln_id_from_tool)
 finding = findings[2]
- self.assertEqual("Info", finding.severity)
+ self.assertEqual("Low", finding.severity)
 self.assertEqual("src/main/java/org/owasp/benchmark/testcode/BenchmarkTest01150.java", finding.file_path)
 self.assertEqual(66, finding.line)
 self.assertEqual(696, finding.cwe)
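Review bot: The new `test_burp_enterprise_with_multiple_vulns_newer_format` builds its fixture path with `path.join(path.dirname(__file__), "../scans/burp_enterprise/…")`, while the other tests added in this commit (acunetix, ms_defender) open fixtures with the repo-relative literal `"unittests/scans/…"`; one convention per suite is easier to grep and to relocate, so `with open("unittests/scans/burp_enterprise/many_vulns_updated_format.html", encoding="utf-8") as test_file:` would match them (unless the existing test above, whose body is outside this hunk, already uses the `path.join` form, in which case keep the file consistent with itself). The test pins only findings 0 and 5 of the 12 parsed; a one-line comment on each `subTest` saying why those two were chosen (a Low with seven endpoints and an Info CSP finding, presumably covering the two description layouts) would help whoever next edits the fixture.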
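Review bot: `testfile = open(...)` followed by an explicit `testfile.close()` in the new `test_parser_defender_issue_11217` leaves the handle open whenever `get_findings` raises, and the acunetix test added in the same commit already uses the context-manager form; `with open("unittests/scans/ms_defender/issue_11217.zip", encoding="utf-8") as testfile:` with the parser call and `get_findings` indented under it removes the manual close. Separately, a `.zip` fixture is being opened in text mode with `encoding="utf-8"`; if the parser read bytes from that handle it would fail, so presumably it reopens by name or the existing zip test above (its body is outside the hunk) does the same — worth confirming, and `"rb"` is the honest mode if the parser accepts a binary handle.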
@@ -96,7 +96,7 @@ def test_parse_cwe_list(self):
 findings = parser.get_findings(testfile, Test())
 self.assertEqual(1, len(findings))
 finding = findings[0]
- self.assertEqual("Info", finding.severity)
+ self.assertEqual("Low", finding.severity)
 self.assertEqual("index.js", finding.file_path)
 self.assertEqual(12, finding.line)
 self.assertEqual(352, finding.cwe)
diff --git a/unittests/tools/test_wpscan_parser.py b/unittests/tools/test_wpscan_parser.py
index bd71aae2946..0b44ee49654 100644
--- a/unittests/tools/test_wpscan_parser.py
+++ b/unittests/tools/test_wpscan_parser.py
@@ -26,7 +26,7 @@ def test_parse_file_exemple(self):
 self.assertIsNone(finding.unique_id_from_tool) # interesting findings are not vlunerability
 self.assertEqual("Info", finding.severity) # it is not a vulnerability so severity should be 'Info'
 self.assertEqual("Interesting finding: Headers", finding.title)
- self.assertEqual(datetime.datetime(2021, 3, 26, 11, 50, 50), finding.date)
+ self.assertEqual(datetime.datetime(2021, 3, 26, 11, 50, 50, tzinfo=datetime.UTC), finding.date)

 def test_parse_file_with_no_vuln_has_no_findings(self):
 with open("unittests/scans/wpscan/wordpress_no_vuln.json", encoding="utf-8") as testfile:
@@ -49,7 +49,7 @@ def test_parse_file_with_one_vuln_has_one_findings(self):
 self.assertEqual("8873", finding.unique_id_from_tool)
 self.assertNotEqual("Info", finding.severity) # it is a vulnerability so not 'Info'
 self.assertEqual("YouTube Embed <= 11.8.1 - Cross-Site Request Forgery (CSRF)", finding.title)
- self.assertEqual(datetime.datetime(2019, 7, 2, 19, 11, 16), finding.date)
+ self.assertEqual(datetime.datetime(2019, 7, 2, 19, 11, 16, tzinfo=datetime.UTC), finding.date)

 def test_parse_file_with_multiple_vuln_has_multiple_finding(self):
 with open("unittests/scans/wpscan/wordpress_many_vuln.json", encoding="utf-8") as testfile:
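Review bot: `datetime.UTC` only exists on Python 3.11 and later; if any interpreter the test suite still runs on is older, the assertion in `test_parse_file_exemple` fails with an AttributeError before comparing anything, and `datetime.timezone.utc` is the equivalent spelling that works on every supported version, e.g. `self.assertEqual(datetime.datetime(2021, 3, 26, 11, 50, 50, tzinfo=datetime.timezone.utc), finding.date)`. The same applies to the wpscan hunks at -49 (this line) and -63, -81 and -89 (next line). Since the expected values are now timezone-aware, a comment on the first of them such as `# parser now returns timezone-aware dates; an aware/naive mismatch fails the equality` would document the contract the change relies on. The enclosing test methods start outside their hunks.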
@@ -63,7 +63,7 @@ def test_parse_file_with_multiple_vuln_has_multiple_finding(self):
 self.assertEqual("8873", finding.unique_id_from_tool)
 self.assertNotEqual("Info", finding.severity) # it is a vulnerability so not 'Info'
 self.assertEqual("YouTube Embed <= 11.8.1 - Cross-Site Request Forgery (CSRF)", finding.title)
- self.assertEqual(datetime.datetime(2019, 7, 2, 19, 11, 16), finding.date)
+ self.assertEqual(datetime.datetime(2019, 7, 2, 19, 11, 16, tzinfo=datetime.UTC), finding.date)

 def test_parse_file_with_multiple_vuln(self):
 with open("unittests/scans/wpscan/wpscan.json", encoding="utf-8") as testfile:
@@ -81,7 +81,7 @@ def test_parse_file_with_multiple_vuln(self):
 self.assertEqual("Contact Form 7 < 5.3.2 - Unrestricted File Upload", finding.title)
 self.assertEqual(1, len(finding.unsaved_vulnerability_ids))
 self.assertEqual("CVE-2020-35489", finding.unsaved_vulnerability_ids[0])
- self.assertEqual(datetime.datetime(2021, 3, 17, 12, 21, 6), finding.date)
+ self.assertEqual(datetime.datetime(2021, 3, 17, 12, 21, 6, tzinfo=datetime.UTC), finding.date)
 self.assertEqual("", finding.get_scanner_confidence_text()) # data are => 100%

 with self.subTest(i=4):
@@ -89,7 +89,7 @@ def test_parse_file_with_multiple_vuln(self):
 self.assertIsNone(finding.unique_id_from_tool) # interesting findings are not vlunerability
 self.assertEqual("Info", finding.severity) # it is not a vulnerability so severity should be 'Info'
 self.assertEqual("Interesting finding: WordPress readme found: http://example/readme.html", finding.title)
- self.assertEqual(datetime.datetime(2021, 3, 17, 12, 21, 6), finding.date)
+ self.assertEqual(datetime.datetime(2021, 3, 17, 12, 21, 6, tzinfo=datetime.UTC), finding.date)
 self.assertEqual("", finding.get_scanner_confidence_text()) # data are => "confidence": 100,

 def test_parse_file_with_multiple_vuln_in_version(self):
