From c22e0735a067f07dbd3c651dbc0a1486e02e0604 Mon Sep 17 00:00:00 2001 From: DefectDojo release bot Date: Mon, 4 Nov 2024 18:06:31 +0000 Subject: [PATCH 01/19] Update versions in application files --- components/package.json | 2 +- helm/defectdojo/Chart.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/components/package.json b/components/package.json index 14dc5baf9d..82cd7446c6 100644 --- a/components/package.json +++ b/components/package.json @@ -1,6 +1,6 @@ { "name": "defectdojo", - "version": "2.40.0", + "version": "2.41.0-dev", "license" : "BSD-3-Clause", "private": true, "dependencies": { diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml index 3744d4461a..b61326d1b8 100644 --- a/helm/defectdojo/Chart.yaml +++ b/helm/defectdojo/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: "2.40.0" +appVersion: "2.41.0-dev" description: A Helm chart for Kubernetes to install DefectDojo name: defectdojo -version: 1.6.158 +version: 1.6.159-dev icon: https://www.defectdojo.org/img/favicon.ico maintainers: - name: madchap From e7f57ae250a43fb8d4f9134866f39c63f6769c42 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 7 Nov 2024 16:05:12 -0600 Subject: [PATCH 02/19] Bump boto3 from 1.35.54 to 1.35.55 (#11214) Bumps [boto3](https://github.com/boto/boto3) from 1.35.54 to 1.35.55. - [Release notes](https://github.com/boto/boto3/releases) - [Commits](https://github.com/boto/boto3/compare/1.35.54...1.35.55) --- updated-dependencies: - dependency-name: boto3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 44de6f7f14..41365f3297 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -69,7 +69,7 @@ django-ratelimit==4.1.0 argon2-cffi==23.1.0 blackduck==1.1.3 pycurl==7.45.3 # Required for Celery Broker AWS (SQS) support -boto3==1.35.54 # Required for Celery Broker AWS (SQS) support +boto3==1.35.55 # Required for Celery Broker AWS (SQS) support netaddr==1.3.0 vulners==2.2.3 fontawesomefree==6.6.0 From aa57ac6811723078adcdbd4b145e0b7e02afb7f6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 8 Nov 2024 11:24:58 -0600 Subject: [PATCH 03/19] Bump boto3 from 1.35.55 to 1.35.56 (#11223) Bumps [boto3](https://github.com/boto/boto3) from 1.35.55 to 1.35.56. - [Release notes](https://github.com/boto/boto3/releases) - [Commits](https://github.com/boto/boto3/compare/1.35.55...1.35.56) --- updated-dependencies: - dependency-name: boto3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 41365f3297..8a7d6ac28d 100644 --- a/requirements.txt +++ b/requirements.txt @@ -69,7 +69,7 @@ django-ratelimit==4.1.0 argon2-cffi==23.1.0 blackduck==1.1.3 pycurl==7.45.3 # Required for Celery Broker AWS (SQS) support -boto3==1.35.55 # Required for Celery Broker AWS (SQS) support +boto3==1.35.56 # Required for Celery Broker AWS (SQS) support netaddr==1.3.0 vulners==2.2.3 fontawesomefree==6.6.0 From 5f6098852878dbc31bbcf881a122df290e6f9445 Mon Sep 17 00:00:00 2001 
From: manuelsommer <47991713+manuel-sommer@users.noreply.github.com> Date: Mon, 11 Nov 2024 16:55:26 +0100 Subject: [PATCH 04/19] :bug: fix Acunetix date #11206 (#11207) * :bug: fix Acunetix date #11206 * fix * ruff * add unittest --- dojo/tools/acunetix/parse_acunetix360_json.py | 4 +- dojo/tools/acunetix/parse_acunetix_xml.py | 2 +- unittests/scans/acunetix/issue_11206.json | 57 +++++++++++++++++++ unittests/tools/test_acunetix_parser.py | 9 +++ 4 files changed, 69 insertions(+), 3 deletions(-) create mode 100644 unittests/scans/acunetix/issue_11206.json diff --git a/dojo/tools/acunetix/parse_acunetix360_json.py b/dojo/tools/acunetix/parse_acunetix360_json.py index 082bf889a6..9d688ebc9a 100644 --- a/dojo/tools/acunetix/parse_acunetix360_json.py +++ b/dojo/tools/acunetix/parse_acunetix360_json.py @@ -15,7 +15,7 @@ def get_findings(self, filename, test): dupes = {} data = json.load(filename) dupes = {} - scan_date = parser.parse(data["Generated"]) + scan_date = parser.parse(data["Generated"], dayfirst=True) text_maker = html2text.HTML2Text() text_maker.body_width = 0 for item in data["Vulnerabilities"]: @@ -96,7 +96,7 @@ def get_findings(self, filename, test): finding.unsaved_req_resp = [{"req": request, "resp": response}] finding.unsaved_endpoints = [Endpoint.from_uri(url)] if item.get("FirstSeenDate"): - parseddate = parser.parse(item["FirstSeenDate"]) + parseddate = parser.parse(item["FirstSeenDate"], dayfirst=True) finding.date = parseddate if dupe_key in dupes: find = dupes[dupe_key] diff --git a/dojo/tools/acunetix/parse_acunetix_xml.py b/dojo/tools/acunetix/parse_acunetix_xml.py index eb1e64d16a..c744903b2e 100644 --- a/dojo/tools/acunetix/parse_acunetix_xml.py +++ b/dojo/tools/acunetix/parse_acunetix_xml.py 
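Review bot: The `dayfirst=True` added to both `parser.parse` calls in `get_findings` fixes the DD/MM sample in the fixture but silently mis-reads any Acunetix 360 export whose dates are MM/DD, because dateutil only consults the flag for ambiguous values such as `03/04/2021`; the previous code had the mirror-image problem, so the assumption now baked in should at least be written down. I would put `# Acunetix 360 emits DD/MM/YYYY; dayfirst only changes the result for ambiguous numeric dates` above the `Generated` parse. If the export format really is fixed, `datetime.strptime(value, "%d/%m/%Y %I:%M %p")` would fail loudly on a different layout instead of producing a plausible but wrong date. `get_findings` continues outside both hunks.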
@@ -26,7 +26,7 @@ def get_findings(self, filename, test): # get report date if scan.findtext("StartTime") and "" != scan.findtext("StartTime"): report_date = dateutil.parser.parse( - scan.findtext("StartTime"), + scan.findtext("StartTime"), dayfirst=True, ).date() for item in scan.findall("ReportItems/ReportItem"): finding = Finding( diff --git a/unittests/scans/acunetix/issue_11206.json b/unittests/scans/acunetix/issue_11206.json new file mode 100644 index 0000000000..829c2083ae --- /dev/null +++ b/unittests/scans/acunetix/issue_11206.json @@ -0,0 +1,57 @@ +{ + "Generated": "25/06/2021 09:59 AM", + "Target": { + "Duration": "00:00:41.3968969", + "Initiated": "25/06/2021 09:53 AM", + "ScanId": "663eb6e88d9e4f4d9e00ad52017aa66d", + "Url": "http://php.testsparker.com/" + }, + "Vulnerabilities": [ + { + "Certainty": 100, + "Classification": null, + "Confirmed": true, + "Description": "
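Review bot: `dayfirst=True` on the `StartTime` parse in the XML path is a no-op for ISO-style timestamps and flips only ambiguous numeric dates, so a report written as MM/DD/YYYY is now decoded a month off without any error, and nothing in the hunk records which layout Acunetix XML actually uses. A one-line comment next to the call would make the contract explicit, e.g. `# StartTime is DD/MM/YYYY in Acunetix XML exports; dayfirst does not affect ISO dates`, ideally backed by a fixture that exercises an ambiguous date. `get_findings` starts and ends outside this hunk.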

Acunetix360 identified a cookie not marked as HTTPOnly.

\n

HTTPOnly cookies cannot be read by client-side scripts, therefore marking a cookie as HTTPOnly can provide an additional layer of protection against cross-site scripting attacks.

", + "ExploitationSkills": "", + "ExternalReferences": "
", + "ExtraInformation": [ + { + "Name": "Identified Cookie(s)", + "Value": "PHPSESSID" + }, + { + "Name": "Cookie Source", + "Value": "HTTP Header" + }, + { + "Name": "Page Type", + "Value": "Login" + } + ], + "FirstSeenDate": "12/06/2021 12:30 PM", + "HttpRequest": { + "Content": "GET /auth/login.php HTTP/1.1\r\nHost: php.testsparker.com\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\r\nAccept-Language: en-us,en;q=0.5\r\nCache-Control: no-cache\r\nReferer: http://php.testsparker.com/auth/\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36\r\nX-Scanner: Acunetix360\r\n\r\n", + "Method": "GET", + "Parameters": [] + }, + "HttpResponse": { + "Content": "HTTP/1.1 200 OK\r\nSet-Cookie: PHPSESSID=e52a07f0fe53c0294ae211bc4481332d; path=/\r\nServer: Apache/2.2.8 (Win32) PHP/5.2.6\r\nContent-Length: 3061\r\nX-Powered-By: PHP/5.2.6\r\nPragma: no-cache\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\n\n\n", + "Duration": 41.4849, + "StatusCode": 200 + }, + "LookupId": "735f4503-e9eb-4b4c-4306-ad49020a4c4b", + "Impact": "
During a cross-site scripting attack, an attacker might easily access cookies and hijack the victim's session.
", + "KnownVulnerabilities": [], + "LastSeenDate": "25/06/2021 01:52 AM", + "Name": "Cookie Not Marked as HttpOnly", + "ProofOfConcept": "", + "RemedialActions": "
\n
    \n
  1. See the remedy for solution.
  2. \n
  3. Consider marking all of the cookies used by the application as HTTPOnly. (After these changes javascript code will not be able to read cookies.)
  4. \n
\n
", + "RemedialProcedure": "
Mark the cookie as HTTPOnly. This will be an extra layer of defense against XSS. However this is not a silver bullet and will not protect the system against cross-site scripting attacks. An attacker can use a tool such as XSS Tunnel to bypass HTTPOnly protection.
", + "RemedyReferences": "", + "Severity": "Medium", + "State": "Present", + "Type": "CookieNotMarkedAsHttpOnly", + "Url": "http://php.testsparker.com/auth/login.php" + } + ] +} \ No newline at end of file diff --git a/unittests/tools/test_acunetix_parser.py b/unittests/tools/test_acunetix_parser.py index 47969cdeea..fe0deb95e6 100644 --- a/unittests/tools/test_acunetix_parser.py +++ b/unittests/tools/test_acunetix_parser.py @@ -335,3 +335,12 @@ def test_parse_file_issue_10435(self): parser = AcunetixParser() findings = parser.get_findings(testfile, Test()) self.assertEqual(1, len(findings)) + + def test_parse_file_issue_11206(self): + with open("unittests/scans/acunetix/issue_11206.json", encoding="utf-8") as testfile: + parser = AcunetixParser() + findings = parser.get_findings(testfile, Test()) + self.assertEqual(1, len(findings)) + with self.subTest(i=0): + finding = findings[0] + self.assertEqual(finding.date, date(2021, 6, 12, 12, 30)) From bb883109b51e3c62dc8eb49e193cf99c7b0cbeb9 Mon Sep 17 00:00:00 2001 From: manuelsommer <47991713+manuel-sommer@users.noreply.github.com> Date: Mon, 11 Nov 2024 16:56:27 +0100 Subject: [PATCH 05/19] add TEMP to vulnid (#11180) * add TEMP to vulnid * ruff * sha sum * sha sum --- dojo/settings/.settings.dist.py.sha256sum | 2 +- dojo/settings/settings.dist.py | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/dojo/settings/.settings.dist.py.sha256sum b/dojo/settings/.settings.dist.py.sha256sum index 259f13a4c6..593f8b129d 100644 --- a/dojo/settings/.settings.dist.py.sha256sum +++ b/dojo/settings/.settings.dist.py.sha256sum @@ -1 +1 @@ -6b9365d002880ae64ab54da905ede076db5a8661960f8f1e2793b7f4d25ff7e8 +60628ca4667641350d3d1854d1a6f863ce2ddeefa4f6e5df83f7e11a700cde0e diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py index 9920533272..2c9ff2c7b9 100644 --- a/dojo/settings/settings.dist.py +++ b/dojo/settings/settings.dist.py 
@@ -1744,6 +1744,7 @@ def saml2_attrib_map_format(dict): "ELSA": "https://linux.oracle.com/errata/&&.html", # e.g. https://linux.oracle.com/errata/ELSA-2024-12714.html "ELBA": "https://linux.oracle.com/errata/&&.html", # e.g. https://linux.oracle.com/errata/ELBA-2024-7457.html "RXSA": "https://errata.rockylinux.org/", # e.g. https://errata.rockylinux.org/RXSA-2024:4928 + "TEMP": "https://security-tracker.debian.org/tracker/", # e.g. https://security-tracker.debian.org/tracker/TEMP-0841856-B18BAF } # List of acceptable file types that can be uploaded to a given object via arbitrary file upload FILE_UPLOAD_TYPES = env("DD_FILE_UPLOAD_TYPES") From 7e636fab772942eadb5e1b6a2dd113c1356566e2 Mon Sep 17 00:00:00 2001 From: manuelsommer <47991713+manuel-sommer@users.noreply.github.com> Date: Mon, 11 Nov 2024 16:58:22 +0100 Subject: [PATCH 06/19] datetime.utcfromtimestamp() is scheduled for removal (#11208) * datetime.datetime.utcfromtimestamp() is deprecated and scheduled for removal * ruff --- dojo/tools/checkmarx/parser.py | 2 +- dojo/tools/checkmarx_one/parser.py | 2 +- dojo/tools/contrast/parser.py | 4 +--- dojo/tools/wpscan/parser.py | 4 ++-- unittests/tools/test_wpscan_parser.py | 10 +++++----- 5 files changed, 10 insertions(+), 12 deletions(-) diff --git a/dojo/tools/checkmarx/parser.py b/dojo/tools/checkmarx/parser.py index 0d5607f509..6e832723f9 100644 --- a/dojo/tools/checkmarx/parser.py +++ b/dojo/tools/checkmarx/parser.py @@ -368,7 +368,7 @@ def _parse_date(self, value): if isinstance(value, str): return parser.parse(value).date() if isinstance(value, dict) and isinstance(value.get("seconds"), int): - return datetime.datetime.utcfromtimestamp(value.get("seconds")).date() + return datetime.datetime.fromtimestamp(value.get("seconds"), datetime.UTC).date() return None def _get_findings_json(self, file, test): diff --git a/dojo/tools/checkmarx_one/parser.py b/dojo/tools/checkmarx_one/parser.py index f8896c0b27..7a85cd521d 100644 
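Review bot: `datetime.UTC`, now used in `_parse_date`, is an alias that only exists from Python 3.11; if the project still supports older interpreters this line raises `AttributeError` at call time, whereas `datetime.timezone.utc` works everywhere: `return datetime.datetime.fromtimestamp(value.get("seconds"), tz=datetime.timezone.utc).date()`. Passing the zone as `tz=` also reads better than the bare positional argument. The helper has no docstring; a line such as `# anchor the epoch to UTC so the reported date does not depend on the server's local zone` would explain why this is not plain `fromtimestamp`. `_parse_date` is fully visible, but `_get_findings_json` after it extends outside the hunk.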
--- a/dojo/tools/checkmarx_one/parser.py +++ b/dojo/tools/checkmarx_one/parser.py @@ -22,7 +22,7 @@ def _parse_date(self, value): if isinstance(value, str): return parser.parse(value) if isinstance(value, dict) and isinstance(value.get("seconds"), int): - return datetime.datetime.utcfromtimestamp(value.get("seconds")) + return datetime.datetime.fromtimestamp(value.get("seconds"), datetime.UTC) return None def _parse_cwe(self, cwe): diff --git a/dojo/tools/contrast/parser.py b/dojo/tools/contrast/parser.py index 9367bdcf6d..e72345d33d 100644 --- a/dojo/tools/contrast/parser.py +++ b/dojo/tools/contrast/parser.py @@ -41,9 +41,7 @@ def get_findings(self, filename, test): severity = row.get("Severity") if severity == "Note": severity = "Info" - date_raw = datetime.datetime.utcfromtimestamp( - int(row.get("First Seen")) / 1000, - ) + date_raw = datetime.datetime.fromtimestamp(int(row.get("First Seen")) / 1000, datetime.UTC) finding = Finding( title=title.split(" from")[0], date=date_raw, diff --git a/dojo/tools/wpscan/parser.py b/dojo/tools/wpscan/parser.py index 95c0a8c4c2..2ba6b5016b 100644 --- a/dojo/tools/wpscan/parser.py +++ b/dojo/tools/wpscan/parser.py @@ -1,6 +1,6 @@ +import datetime import hashlib import json -from datetime import datetime from dojo.models import Endpoint, Finding @@ -89,7 +89,7 @@ def get_findings(self, file, test): report_date = None if "start_time" in tree: - report_date = datetime.utcfromtimestamp(tree.get("start_time")) + report_date = datetime.datetime.fromtimestamp(tree.get("start_time"), datetime.UTC) dupes = {} # manage plugin findings diff --git a/unittests/tools/test_wpscan_parser.py b/unittests/tools/test_wpscan_parser.py index bd71aae294..0b44ee4965 100644 --- a/unittests/tools/test_wpscan_parser.py +++ b/unittests/tools/test_wpscan_parser.py 
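Review bot: After this change `_parse_date` in checkmarx_one returns a tz-aware datetime from the `seconds` branch but still returns whatever `parser.parse(value)` yields for strings — naive unless the string carries an offset — so the same helper now hands callers a mix of aware and naive values, and ordering or subtracting those raises `TypeError`. The contrast and wpscan hunks make the same naive-to-aware switch, so whatever consumes `finding.date` downstream needs to cope with aware values from now on. If naive Checkmarx One strings are known to be UTC, normalise the string branch as well, `dt = parser.parse(value)` / `return dt if dt.tzinfo else dt.replace(tzinfo=datetime.UTC)`, and state the contract in the helper with `# every datetime returned here is tz-aware (UTC)`. In contrast, `int(row.get("First Seen")) / 1000` still raises `TypeError` when the column is absent; that is pre-existing but now lives on a rewritten line.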
@@ -26,7 +26,7 @@ def test_parse_file_exemple(self): self.assertIsNone(finding.unique_id_from_tool) # interesting findings are not vlunerability self.assertEqual("Info", finding.severity) # it is not a vulnerability so severity should be 'Info' self.assertEqual("Interesting finding: Headers", finding.title) - self.assertEqual(datetime.datetime(2021, 3, 26, 11, 50, 50), finding.date) + self.assertEqual(datetime.datetime(2021, 3, 26, 11, 50, 50, tzinfo=datetime.UTC), finding.date) def test_parse_file_with_no_vuln_has_no_findings(self): with open("unittests/scans/wpscan/wordpress_no_vuln.json", encoding="utf-8") as testfile: @@ -49,7 +49,7 @@ def test_parse_file_with_one_vuln_has_one_findings(self): self.assertEqual("8873", finding.unique_id_from_tool) self.assertNotEqual("Info", finding.severity) # it is a vulnerability so not 'Info' self.assertEqual("YouTube Embed <= 11.8.1 - Cross-Site Request Forgery (CSRF)", finding.title) - self.assertEqual(datetime.datetime(2019, 7, 2, 19, 11, 16), finding.date) + self.assertEqual(datetime.datetime(2019, 7, 2, 19, 11, 16, tzinfo=datetime.UTC), finding.date) def test_parse_file_with_multiple_vuln_has_multiple_finding(self): with open("unittests/scans/wpscan/wordpress_many_vuln.json", encoding="utf-8") as testfile: @@ -63,7 +63,7 @@ def test_parse_file_with_multiple_vuln_has_multiple_finding(self): self.assertEqual("8873", finding.unique_id_from_tool) self.assertNotEqual("Info", finding.severity) # it is a vulnerability so not 'Info' self.assertEqual("YouTube Embed <= 11.8.1 - Cross-Site Request Forgery (CSRF)", finding.title) - self.assertEqual(datetime.datetime(2019, 7, 2, 19, 11, 16), finding.date) + self.assertEqual(datetime.datetime(2019, 7, 2, 19, 11, 16, tzinfo=datetime.UTC), finding.date) def test_parse_file_with_multiple_vuln(self): with open("unittests/scans/wpscan/wpscan.json", encoding="utf-8") as testfile: 
@@ -81,7 +81,7 @@ def test_parse_file_with_multiple_vuln(self): self.assertEqual("Contact Form 7 < 5.3.2 - Unrestricted File Upload", finding.title) self.assertEqual(1, len(finding.unsaved_vulnerability_ids)) self.assertEqual("CVE-2020-35489", finding.unsaved_vulnerability_ids[0]) - self.assertEqual(datetime.datetime(2021, 3, 17, 12, 21, 6), finding.date) + self.assertEqual(datetime.datetime(2021, 3, 17, 12, 21, 6, tzinfo=datetime.UTC), finding.date) self.assertEqual("", finding.get_scanner_confidence_text()) # data are => 100% with self.subTest(i=4): @@ -89,7 +89,7 @@ def test_parse_file_with_multiple_vuln(self): self.assertIsNone(finding.unique_id_from_tool) # interesting findings are not vlunerability self.assertEqual("Info", finding.severity) # it is not a vulnerability so severity should be 'Info' self.assertEqual("Interesting finding: WordPress readme found: http://example/readme.html", finding.title) - self.assertEqual(datetime.datetime(2021, 3, 17, 12, 21, 6), finding.date) + self.assertEqual(datetime.datetime(2021, 3, 17, 12, 21, 6, tzinfo=datetime.UTC), finding.date) self.assertEqual("", finding.get_scanner_confidence_text()) # data are => "confidence": 100, def test_parse_file_with_multiple_vuln_in_version(self): From f092d81f6624eca7c1f51c50224cc5cc4d9e956e Mon Sep 17 00:00:00 2001 From: manuelsommer <47991713+manuel-sommer@users.noreply.github.com> Date: Mon, 11 Nov 2024 16:59:04 +0100 Subject: [PATCH 07/19] datetime.utcnow() is scheduled for removal (#11209) * datetime.utcnow() is scheduled for removal * ruff --- dojo/tools/awssecurityhub/compliance.py | 8 ++++---- dojo/tools/awssecurityhub/guardduty.py | 8 ++++---- dojo/tools/awssecurityhub/inspector.py | 8 ++++---- dojo/tools/dependency_check/parser.py | 4 ++-- 4 files changed, 14 insertions(+), 14 deletions(-) diff --git a/dojo/tools/awssecurityhub/compliance.py b/dojo/tools/awssecurityhub/compliance.py index 5fea1a8a78..1f97da12b7 100644 --- a/dojo/tools/awssecurityhub/compliance.py 
+++ b/dojo/tools/awssecurityhub/compliance.py @@ -1,4 +1,4 @@ -from datetime import datetime +import datetime from dojo.models import Finding @@ -31,11 +31,11 @@ def get_item(self, finding: dict, test): active = False if finding.get("LastObservedAt", None): try: - mitigated = datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%S.%fZ") + mitigated = datetime.datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%S.%fZ") except Exception: - mitigated = datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%fZ") + mitigated = datetime.datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%fZ") else: - mitigated = datetime.utcnow() + mitigated = datetime.datetime.now(datetime.UTC) else: mitigated = None is_Mitigated = False diff --git a/dojo/tools/awssecurityhub/guardduty.py b/dojo/tools/awssecurityhub/guardduty.py index 40b2664950..fbc1346697 100644 --- a/dojo/tools/awssecurityhub/guardduty.py +++ b/dojo/tools/awssecurityhub/guardduty.py @@ -1,4 +1,4 @@ -from datetime import datetime +import datetime from dojo.models import Endpoint, Finding @@ -25,11 +25,11 @@ def get_item(self, finding: dict, test): is_Mitigated = True if finding.get("LastObservedAt", None): try: - mitigated = datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%S.%fZ") + mitigated = datetime.datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%S.%fZ") except Exception: - mitigated = datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%fZ") + mitigated = datetime.datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%fZ") else: - mitigated = datetime.utcnow() + mitigated = datetime.datetime.now(datetime.UTC) description = f"This is a GuardDuty Finding\n{finding.get('Description', '')}" + "\n" description += f"**AWS Finding ARN:** {finding_id}\n" if finding.get("SourceUrl"): diff --git a/dojo/tools/awssecurityhub/inspector.py b/dojo/tools/awssecurityhub/inspector.py index 61b18be5bf..3b0264bf95 100644 
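Review bot: In both `get_item` hunks the fallback `mitigated = datetime.datetime.now(datetime.UTC)` is now tz-aware, while the two `strptime` branches above it still yield naive datetimes because the trailing `Z` is matched as a literal, so `mitigated` is aware or naive depending on whether `LastObservedAt` was present. Parsing the offset fixes both problems at once: `"%Y-%m-%dT%H:%M:%S.%f%z"` (`%z` accepts a literal `Z` since Python 3.7). The second format, `"%Y-%m-%dT%H:%M:%fZ"`, appears wrong on its own: for an input such as `...T12:30:45Z` the `45` is consumed by `%f` as 450000 microseconds and the seconds are lost, so `"%Y-%m-%dT%H:%M:%S%z"` is presumably what was meant. The bare `except Exception` around that fallback also swallows genuinely malformed timestamps; `except ValueError` is the narrow form. Both functions continue outside their hunks.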
--- a/dojo/tools/awssecurityhub/inspector.py +++ b/dojo/tools/awssecurityhub/inspector.py @@ -1,4 +1,4 @@ -from datetime import datetime +import datetime from dojo.models import Endpoint, Finding @@ -48,11 +48,11 @@ def get_item(self, finding: dict, test): active = False if finding.get("LastObservedAt", None): try: - mitigated = datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%S.%fZ") + mitigated = datetime.datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%S.%fZ") except Exception: - mitigated = datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%fZ") + mitigated = datetime.datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%fZ") else: - mitigated = datetime.utcnow() + mitigated = datetime.datetime.now(datetime.UTC) title_suffix = "" hosts = [] for resource in finding.get("Resources", []): diff --git a/dojo/tools/dependency_check/parser.py b/dojo/tools/dependency_check/parser.py index 1d4a167429..8f87042b63 100644 --- a/dojo/tools/dependency_check/parser.py +++ b/dojo/tools/dependency_check/parser.py @@ -1,7 +1,7 @@ +import datetime import hashlib import logging import re -from datetime import datetime import dateutil from cpe import CPE @@ -302,7 +302,7 @@ def get_finding_from_vulnerability( mitigation + f"Update {component_name}:{component_version} to at least the version recommended in the description" ) - mitigated = datetime.utcnow() + mitigated = datetime.datetime.now(datetime.UTC) is_Mitigated = True active = False tags.append("suppressed") From ca96f34937e5eaa30cf88753f62b147d13355838 Mon Sep 17 00:00:00 2001 
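Review bot: The inspector `get_item` hunk has the same split as the other Security Hub parsers: the `now(datetime.UTC)` fallback is aware but the two `strptime` results are naive (`Z` is a literal in those formats), so `mitigated` is not consistently aware. Using `%z` in the formats, e.g. `"%Y-%m-%dT%H:%M:%S.%f%z"`, makes every path yield UTC-aware values. In `dependency_check`'s `get_finding_from_vulnerability` the new aware `mitigated` is the only datetime in view, which is fine as long as the rest of that function (outside the hunk) never compares it with naive values. `datetime.UTC` itself needs Python 3.11 or newer; `datetime.timezone.utc` is the portable spelling if older interpreters are still supported.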
From: Harold Blankenship <36673698+hblankenship@users.noreply.github.com> Date: Mon, 11 Nov 2024 11:50:46 -0600 Subject: [PATCH 08/19] FileUpload Base64 extension fix (#11203) * initial files but likely to change * improved file extension checks * remove os import * Use file url * not used imports, file url or title --- dojo/api_v2/serializers.py | 17 ++------------ dojo/models.py | 23 +++++++++++++++++++ dojo/tools/generic/json_parser.py | 11 ++++++++- .../scans/generic/test_with_image_no_ext.json | 16 +++++++++++++ 4 files changed, 51 insertions(+), 16 deletions(-) create mode 100644 unittests/scans/generic/test_with_image_no_ext.json diff --git a/dojo/api_v2/serializers.py b/dojo/api_v2/serializers.py index 2680e8f1ad..6e100f43b5 100644 --- a/dojo/api_v2/serializers.py +++ b/dojo/api_v2/serializers.py @@ -1,6 +1,5 @@ import json import logging -import os import re from datetime import datetime @@ -803,20 +802,8 @@ class Meta: def validate(self, data): if file := data.get("file"): - ext = os.path.splitext(file.name)[1] # [0] returns path+filename - valid_extensions = settings.FILE_UPLOAD_TYPES - if ext.lower() not in valid_extensions: - if accepted_extensions := f"{', '.join(valid_extensions)}": - msg = ( - "Unsupported extension. Supported extensions are as " - f"follows: {accepted_extensions}" - ) - else: - msg = ( - "File uploads are prohibited due to the list of acceptable " - "file extensions being empty" - ) - raise ValidationError(msg) + # the clean will validate the file extensions and raise a Validation error if the extensions are not accepted + FileUpload(title=file.name, file=file).clean() return data return None diff --git a/dojo/models.py b/dojo/models.py index dba8f45c44..117b8d0ebe 100644 --- a/dojo/models.py +++ b/dojo/models.py @@ -6,6 +6,7 @@ import re import warnings from datetime import datetime +from pathlib import Path from uuid import uuid4 import hyperlink 
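Review bot: `validate` still ends with `return None` when no `file` key is present; DRF's `run_validation` asserts that `validate()` returns non-`None`, so unless the `file` field is declared required (outside the hunk) that path fails with an `AssertionError` rather than a clean 400. Returning `data` unconditionally avoids the question: `if file := data.get("file"):` / `FileUpload(title=file.name, file=file).clean()` / `return data`. The delegation raises Django's `ValidationError` rather than DRF's, which `run_validation` does translate when the serializer goes through `is_valid()`, but a direct caller of `validate()` would not get that translation, so the comment should say so: `# clean() raises django.core.exceptions.ValidationError; DRF converts it when invoked via is_valid()`. `validate` is fully inside the hunk; the serializer class it belongs to is not.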
@@ -741,6 +742,28 @@ def get_accessible_url(self, obj, obj_id): return f"access_file/{self.id}/{obj_id}/{obj_type}" + def clean(self): + if not self.title: + self.title = "" + + valid_extensions = settings.FILE_UPLOAD_TYPES + + # why does this not work with self.file.... + if self.file: + file_name = self.file.url + else: + file_name = self.title + if Path(file_name).suffix.lower() not in valid_extensions: + if accepted_extensions := f"{', '.join(valid_extensions)}": + msg = ( + _("Unsupported extension. Supported extensions are as follows: %s") % accepted_extensions + ) + else: + msg = ( + _("File uploads are prohibited due to the list of acceptable file extensions being empty") + ) + raise ValidationError(msg) + class Product_Type(models.Model): diff --git a/dojo/tools/generic/json_parser.py b/dojo/tools/generic/json_parser.py index 296209f3d2..0a09a9deda 100644 --- a/dojo/tools/generic/json_parser.py +++ b/dojo/tools/generic/json_parser.py @@ -1,4 +1,8 @@ -from dojo.models import Endpoint, Finding +import base64 + +from django.core.files.base import ContentFile + +from dojo.models import Endpoint, FileUpload, Finding from dojo.tools.parser_test import ParserTest @@ -103,6 +107,11 @@ def _get_test_json(self, data): endpoint = Endpoint(**endpoint_item) finding.unsaved_endpoints.append(endpoint) if unsaved_files: + for unsaved_file in unsaved_files: + data = base64.b64decode(unsaved_file.get("data")) + title = unsaved_file.get("title", "") + FileUpload(title=title, file=ContentFile(data)).clean() + finding.unsaved_files = unsaved_files if finding.cve: finding.unsaved_vulnerability_ids = [finding.cve] diff --git a/unittests/scans/generic/test_with_image_no_ext.json b/unittests/scans/generic/test_with_image_no_ext.json new file mode 100644 index 0000000000..50051651e7 --- /dev/null +++ b/unittests/scans/generic/test_with_image_no_ext.json 
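Review bot: `clean()` takes the name to check from `self.file.url` when a file is attached, but that URL is whatever the storage backend builds — it can carry a prefix, percent-encoding or, on signed-URL backends, a query string — so `Path(file_name).suffix` need not be the file's real extension, and `.url` is only meaningful for a stored file while this method is invoked on unsaved instances from the serializer. The attribute you want is the name: `file_name = self.file.name if self.file else self.title`. That also resolves the puzzled `# why does this not work with self.file....` line, which should be replaced by the actual reason: a `FieldFile` is presumably falsy when it has no name, so a `ContentFile` built without one falls through to `title`. The check remains an allowlist on the extension only; nothing here inspects content, and the comment should say so rather than imply the upload itself has been validated.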
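Review bot: The loop rebinds `data` — the parameter of `_get_test_json(self, data)` — to the decoded bytes of each attached file, so anything in the remainder of the method (it continues past the hunk) that still reads `data` now sees the last file's contents instead of the parsed report. Use a local name, and since `clean()` only inspects the title, the decode is worth keeping only to reject bad base64 early: `file_bytes = base64.b64decode(unsaved_file.get("data", ""), validate=True)` / `FileUpload(title=unsaved_file.get("title", ""), file=ContentFile(file_bytes)).clean()`. `b64decode` raises `binascii.Error` on malformed input and `TypeError` when `data` is missing, both of which surface as server errors from an untrusted upload unless caught and turned into a `ValidationError`. The surrounding `if unsaved_files:` block is visible but the method's head and tail are not.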
@@ -0,0 +1,16 @@ +{ + "title": "My wonderful report", + "findings": [ + { + "title": "Vuln with image and no extension", + "description": "Some very long description", + "severity": "Medium", + "files": [ + { + "title": "testcat", + "data": "" + } + ] + } + ] +} \ No newline at end of file From 359841290a50478edf2e3a284f0fec81a758ba5a Mon Sep 17 00:00:00 2001 From: Harold Blankenship <36673698+hblankenship@users.noreply.github.com> Date: Mon, 11 Nov 2024 11:51:39 -0600 Subject: [PATCH 09/19] add engagement closed MS teams, Email, Alert, and Slack template (#11204) * add engagement closed template * add templates for mail, slack, and alerts --- .../notifications/alert/engagement_closed.tpl | 3 ++ .../notifications/mail/engagement_closed.tpl | 41 +++++++++++++++++ .../msteams/engagement_closed.tpl | 44 +++++++++++++++++++ .../notifications/slack/engagement_closed.tpl | 10 +++++ 4 files changed, 98 insertions(+) create mode 100644 dojo/templates/notifications/alert/engagement_closed.tpl create mode 100644 dojo/templates/notifications/mail/engagement_closed.tpl create mode 100644 dojo/templates/notifications/msteams/engagement_closed.tpl create mode 100644 dojo/templates/notifications/slack/engagement_closed.tpl diff --git a/dojo/templates/notifications/alert/engagement_closed.tpl b/dojo/templates/notifications/alert/engagement_closed.tpl new file mode 100644 index 0000000000..2468c566e3 --- /dev/null +++ b/dojo/templates/notifications/alert/engagement_closed.tpl @@ -0,0 +1,3 @@ +{% load i18n %}{% blocktranslate trimmed with eng_name=engagement.name eng_product=engagement.product %} +The engagement "{{ eng_name }}" has been closed in the product "{{ eng_product }}". +{% endblocktranslate %} \ No newline at end of file diff --git a/dojo/templates/notifications/mail/engagement_closed.tpl b/dojo/templates/notifications/mail/engagement_closed.tpl new file mode 100644 index 0000000000..68eef65486 --- /dev/null +++ b/dojo/templates/notifications/mail/engagement_closed.tpl 
@@ -0,0 +1,41 @@ +{% load i18n %} +{% load navigation_tags %} +{% load display_tags %} +{% url 'view_product' engagement.product.id as product_url %} +{% url 'view_engagement' engagement.id as engagement_url %} + + + {% autoescape on %} +

+ {% trans "Hello" %}, +

+

+ {% blocktranslate trimmed with engagement_name=engagement.name engagement_product=engagement.product prod_url=product_url|full_url eng_url=engagement_url|full_url%} + The engagement "{{ engagement_name }}" has been closed in the product "{{ engagement_product }}". It can be viewed here: {{product}} / {{ engagement_name }} + {% endblocktranslate %} +

+
+
+ {% trans "Kind regards" %},
+
+ {% if system_settings.team_name %} + {{ system_settings.team_name }} + {% else %} + Defect Dojo + {% endif %} +
+
+

+ {% url 'notifications' as notification_url %} + {% trans "You can manage your notification settings here" %}: {{ notification_url|full_url }} +

+ {% if system_settings.disclaimer and system_settings.disclaimer.strip %} +
+
+ {% trans "Disclaimer" %}
+

{{ system_settings.disclaimer }}

+
+ {% endif %} + {% endautoescape %} + + diff --git a/dojo/templates/notifications/msteams/engagement_closed.tpl b/dojo/templates/notifications/msteams/engagement_closed.tpl new file mode 100644 index 0000000000..3e6bfeed0d --- /dev/null +++ b/dojo/templates/notifications/msteams/engagement_closed.tpl @@ -0,0 +1,44 @@ +{% load i18n %} +{% load display_tags %} +{ + "@context": "https://schema.org/extensions", + "@type": "MessageCard", + "title": "{% trans "Engagement closed" %}", + "summary": "{% trans "Engagement closed" %}", + "sections": [ + { + "activityTitle": "DefectDojo", + "activityImage": "https://raw.githubusercontent.com/DefectDojo/django-DefectDojo/master/dojo/static/dojo/img/chop.png", + "text": "{% trans "An engagement has been closed" %}.", + "facts": [ + { + "name": "{% trans "Product" %}:", + "value": "{{ engagement.product.name }}" + }, + { + "name": "{% trans "Engagement" %}:", + "value": "{{ engagement.name }}" + } + ] + } + {% if system_settings.disclaimer and system_settings.disclaimer.strip %} + ,{ + "activityTitle": "{% trans "Disclaimer" %}", + "text": "{{ system_settings.disclaimer }}" + } + {% endif %} + + ], + "potentialAction": [ + { + "@type": "OpenUri", + "name": "{% trans "View Engagement" %}", + "targets": [ + { + "os": "default", + "uri": "{{ url|full_url }}" + } + ] + } + ] +} \ No newline at end of file diff --git a/dojo/templates/notifications/slack/engagement_closed.tpl b/dojo/templates/notifications/slack/engagement_closed.tpl new file mode 100644 index 0000000000..313c7a1c93 --- /dev/null +++ b/dojo/templates/notifications/slack/engagement_closed.tpl 
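Review bot: In the `blocktranslate` body, `{{product}}` is not one of the names bound by the `with` clause (`engagement_name`, `engagement_product`, `prod_url`, `eng_url`), so unless a `product` variable happens to be in the notification context that part of the "It can be viewed here" sentence renders empty; `engagement_product`, used a few words earlier, is presumably what was meant. `prod_url` and `eng_url` are bound but do not appear as text in what survives of the hunk — if they were only used inside anchor tags that extraction dropped this is fine, otherwise they are dead bindings. The `{% autoescape on %}` wrapper is the right call for engagement and product names that come from user-controlled fields; keep `system_settings.disclaimer` inside it as the hunk does.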
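Review bot: `engagement.product.name`, `engagement.name` and `system_settings.disclaimer` are interpolated straight into JSON string literals of the MessageCard; a value containing a double quote, backslash or newline either breaks the JSON the webhook receives or, if Django autoescaping is active for this template, arrives as `&quot;` in the Teams card. Neither is what you want for user-controlled fields — `{{ engagement.name|escapejs }}` (and the same for the product name and disclaimer) yields a JSON-safe string. Whether this template is rendered with autoescape on is not visible here, so confirm how the project's other msteams templates handle it and follow the same convention.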
@@ -0,0 +1,10 @@ +{% load i18n %} +{% load display_tags %} +{% blocktranslate trimmed with name=engagement.name eng_product=engagement.product eng_url=url|full_url %} +The engagement "{{ name }}" has been closed in the product "{{ eng_product }}". It can be viewed here: {{ eng_url }} +{% endblocktranslate %} +{% if system_settings.disclaimer and system_settings.disclaimer.strip %} + + {% trans "Disclaimer" %}: + {{ system_settings.disclaimer }} +{% endif %} From e365c49c949f846fb0116d0973fe54b07cb91bd7 Mon Sep 17 00:00:00 2001 From: manuelsommer <47991713+manuel-sommer@users.noreply.github.com> Date: Mon, 11 Nov 2024 19:19:55 +0100 Subject: [PATCH 10/19] =?UTF-8?q?=F0=9F=90=9B=20Fix=20Defender=20broken=20?= =?UTF-8?q?Endpoint=20#11217=20(#11212)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * :bug: fix MSDefender computerDNSName to match modelregex * :bug: fix DefendercomputerDNSName is mostly a userinfo * ruff * fix according to review * add unittest --- dojo/tools/ms_defender/parser.py | 2 +- unittests/scans/ms_defender/issue_11217.zip | Bin 0 -> 1563 bytes unittests/tools/test_ms_defender_parser.py | 12 ++++++++++++ 3 files changed, 13 insertions(+), 1 deletion(-) create mode 100644 unittests/scans/ms_defender/issue_11217.zip diff --git a/dojo/tools/ms_defender/parser.py b/dojo/tools/ms_defender/parser.py index ad909168c2..cfa9db5c0c 100644 --- a/dojo/tools/ms_defender/parser.py +++ b/dojo/tools/ms_defender/parser.py 
@@ -131,7 +131,7 @@ def process_zip(self, vulnerability, machine):
 self.findings.append(finding)
 finding.unsaved_endpoints = []
 if machine["computerDnsName"] is not None:
- finding.unsaved_endpoints.append(Endpoint(host=str(machine["computerDnsName"])))
+ finding.unsaved_endpoints.append(Endpoint(host=str(machine["computerDnsName"]).replace(" ", "").replace("(", "_").replace(")", "_")))
 if machine["lastIpAddress"] is not None:
 finding.unsaved_endpoints.append(Endpoint(host=str(machine["lastIpAddress"])))
 if machine["lastExternalIpAddress"] is not None:
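Review bot: The added `.replace()` chain only handles spaces and parentheses, so any other character that the Endpoint host field rejects in `computerDnsName` will still fail at this same line; the commit message itself says the value is "mostly a userinfo" rather than a hostname. A single substitution over everything outside the accepted host alphabet would be more robust than growing the chain, e.g. `host = re.sub(r"[^A-Za-z0-9.\-]", "_", str(machine["computerDnsName"]))` (constructed example: align the character class with the model's validator, and it needs `re` imported in this module). Note also that spaces are dropped while parentheses become underscores, which makes the derived host harder to relate back to the original value. `process_zip` begins outside the hunk.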
diff --git a/unittests/scans/ms_defender/issue_11217.zip b/unittests/scans/ms_defender/issue_11217.zip new file mode 100644 index 0000000000000000000000000000000000000000..862542647b1e85cb63f03244b8a683424e187ae0 GIT binary patch literal 1563 zcmWIWW@h1H0D)60XNQ9sP=b>|h9NgGIU_SKwOBtigp+}Jc56@S93U>O;AUWCxu}1n zfTg1C5KjQm2oazr4u;Y>>5=c$r~0}uF)*~TGBAiC8v!#*FRM5|4{Tl?hi*CuqnTGb z<$nGx1A*iBe`+tv;a_`YibJ^7uPp|vIx|Z$*3?FXhF<@{w5(6|r@K@8xBcfi8?7ej zE=VYvzx(&SpL2YVZ=U|&Q{X~@9QV4ywSTkE$7ju5`8v;B)4(&N>Dsh1#l?5OYi4P@ zED!FOK4tNz^V=MY64=(hcm8_)v)R}6rh!4nbiy=NY6PrfIeO?G_mZO4MGID2xv?(S z5cg1v>9#t&X#jlI6dGI(Zj413!i5GJaIj+B^B))%=4uR+e9Sek5AKJu=g( zG~0VcNL63NvQO2A6D7Wgcy7BNuXkd>LEh##i3qiWhnBX?GQ7|^A@gMIb?+&@pKZNd zZ*y&)7j$IBlnKX=)x0m2*(_pqQpssa>AEX(!{<9cOUt!B(zx@Dqtpi9OZi-X+Std5T$+Gw3zIh)1ua$Ak;69PwvEL(cQ`QbW_Hg;z zJ-co9KVBdbTcC3Fv75rGxMv$Dl*-+k(D>R%L;0ihvlF)%Rw*gOx5|Fn_K`*5@u~^i zgeT6Ea^xU1RZ|weIDATDzOff1RGs>f!YB(9tO;jTEJO>@UC(;)?wSQf_mrP*Exe|8!>(cXKZ^hfw#5b#?FSzy{kX&b ztJyhbf7GFSRH!DKjUtBomgpHv?1lWqhf-0GPTNS4_?oXJlXy0H$y?EG8AD7UUO|#OEgF zRmOvCDMqCB5@1RPVf54|1eU*a0@6ym!hEtZ`^eme-_hSBsUbaQ;?JqViH%i+Q zvnG&lO}(1r_bEFZcUIN(`(83V%kg@P)|?Icdw8ukTgd(H)qnJ-(eU1L|3zjiQWE&I z`#jmIIHq%aFcx_cW!A8JM!b5p`qYy1>Qlb<&t5gD-ir5n`?6#2vZ{OpQ_A84ycwC~ zm~oX%63{YAfZ?qphzToOfaMe`q?|$vWr%UON-2nOz-VPy(&&tA9L!v3ECS8OQeGiD z6*ILVJM}s+)nKMQpsAp=hsVX3DG%Ajip-d%;!1}=yRf9e0B=?{P%yFpVJ Date: Mon, 11 Nov 2024 19:25:43 +0100 Subject: [PATCH 11/19] :bug: fix semgrep severity logic #11218 (#11219) * :bug: fix semgrep severity logic #11218 * ruff * udpate according to comment * fix unittest --- dojo/tools/semgrep/parser.py | 9 +-------- unittests/tools/test_semgrep_parser.py | 4 ++-- 2 files changed, 3 insertions(+), 10 deletions(-) diff --git a/dojo/tools/semgrep/parser.py b/dojo/tools/semgrep/parser.py index 883fcc4f31..39f72f8b43 100644 --- a/dojo/tools/semgrep/parser.py +++ b/dojo/tools/semgrep/parser.py 
@@ -137,15 +137,8 @@ def convert_severity(self, val):
 return "Medium"
 if upper_value in ["ERROR", "HIGH"]:
 return "High"
- if upper_value == "LOW":
+ if upper_value in ["LOW", "INFO"]:
 return "Low"
- if upper_value == "INFO":
- if "WARNING" == val.upper():
- return "Medium"
- if "ERROR" == val.upper() or "HIGH" == val.upper():
- return "High"
- if "INFO" == val.upper():
- return "Info"
 msg = f"Unknown value for severity: {val}"
 raise ValueError(msg)
diff --git a/unittests/tools/test_semgrep_parser.py b/unittests/tools/test_semgrep_parser.py
index 8729e4cc00..5517077e97 100644
--- a/unittests/tools/test_semgrep_parser.py
+++ b/unittests/tools/test_semgrep_parser.py
@@ -39,7 +39,7 @@ def test_parse_many_finding(self):
 self.assertEqual('javax crypto Cipher.getInstance("AES/GCM/NoPadding");', finding.mitigation)
 self.assertEqual("java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle", finding.vuln_id_from_tool)
 finding = findings[2]
- self.assertEqual("Info", finding.severity)
+ self.assertEqual("Low", finding.severity)
 self.assertEqual("src/main/java/org/owasp/benchmark/testcode/BenchmarkTest01150.java", finding.file_path)
 self.assertEqual(66, finding.line)
 self.assertEqual(696, finding.cwe)
@@ -96,7 +96,7 @@ def test_parse_cwe_list(self):
 findings = parser.get_findings(testfile, Test())
 self.assertEqual(1, len(findings))
 finding = findings[0]
- self.assertEqual("Info", finding.severity)
+ self.assertEqual("Low", finding.severity)
 self.assertEqual("index.js", finding.file_path)
 self.assertEqual(12, finding.line)
 self.assertEqual(352, finding.cwe)
From c5c10522c9793f1f3f5248745bcaee41b7cb6a9a Mon Sep 17 00:00:00 2001
From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Date: Mon, 11 Nov 2024 15:50:23 -0600
Subject: [PATCH 12/19] Importers: Force tags to lowercase (#11221)

---
 dojo/importers/options.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
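Review bot: The change removes the only branch that could return "Info", so Semgrep's INFO level now lands on DefectDojo's Low severity and nothing in the code says that this is deliberate. The deleted nested checks were indeed unreachable (inside `upper_value == "INFO"` the comparisons against `val.upper()` could only ever match "INFO"), so the simplification is correct, but the mapping decision now lives only in the commit message. A comment above the changed `if`, such as `# Semgrep INFO findings are imported as Low, not Info (see #11218)`, would keep the next maintainer from "fixing" it back. `convert_severity` begins outside the hunk.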
diff --git a/dojo/importers/options.py b/dojo/importers/options.py
index f458f2a4f3..d90858e6fd 100644
--- a/dojo/importers/options.py
+++ b/dojo/importers/options.py
@@ -530,13 +530,15 @@ def validate_tags(
 *args: list,
 **kwargs: dict,
 ) -> list:
- return self.validate(
+ tags = self.validate(
 "tags",
 expected_types=[list],
 required=False,
 default=[],
 **kwargs,
 )
+ # Force all tags to be lowercase
+ return [tag.lower() for tag in tags]
 
 def validate_test(
 self,
From 9b1fd658d6f2736861d489706a8b1a1cb587bf99 Mon Sep 17 00:00:00 2001
From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Date: Tue, 12 Nov 2024 09:53:32 -0600
Subject: [PATCH 13/19] Burp Enterprise: Support newer format (#11220)

* Burp Enterprise: Support newer format
* Forgot partially updated test
* Add other tests
* Correct tests
---
 dojo/settings/.settings.dist.py.sha256sum | 2 +-
 dojo/settings/settings.dist.py | 2 +
 dojo/templatetags/display_tags.py | 7 +-
 dojo/tools/burp_enterprise/parser.py | 391 +-
 .../many_vulns_updated_format.html | 7391 +++++++++++++++++
 .../tools/test_burp_enterprise_parser.py | 39 +-
 6 files changed, 7633 insertions(+), 199 deletions(-)
 create mode 100644 unittests/scans/burp_enterprise/many_vulns_updated_format.html
diff --git a/dojo/settings/.settings.dist.py.sha256sum b/dojo/settings/.settings.dist.py.sha256sum
index 593f8b129d..59acc056a4 100644
--- a/dojo/settings/.settings.dist.py.sha256sum
+++ b/dojo/settings/.settings.dist.py.sha256sum
@@ -1 +1 @@
-60628ca4667641350d3d1854d1a6f863ce2ddeefa4f6e5df83f7e11a700cde0e
+58e2f6cb0ed2c041fe2741d955b72cb7540bfb0923f489d6324717fcf00039da
diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
index 2c9ff2c7b9..2571d99b0c 100644
--- a/dojo/settings/settings.dist.py
+++ b/dojo/settings/settings.dist.py
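Review bot: `tag.lower()` on the new return line assumes every element is a `str`, but `self.validate` is only asked to check that the container is a list, so a non-string element (for example a number sent through the API) now raises an AttributeError at this line rather than a validation error naming the field. Lowercasing also means `Foo` and `foo` in the same request collapse into duplicate tags; `return list(dict.fromkeys(tag.lower() for tag in tags))` dedupes while keeping order, and a per-element type check (or `str(tag).lower()` if coercion is intended) would make the failure mode explicit. The signature of `validate_tags` begins outside the hunk.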
@@ -1744,6 +1744,8 @@ def saml2_attrib_map_format(dict):
 "ELSA": "https://linux.oracle.com/errata/&&.html", # e.g. https://linux.oracle.com/errata/ELSA-2024-12714.html
 "ELBA": "https://linux.oracle.com/errata/&&.html", # e.g. https://linux.oracle.com/errata/ELBA-2024-7457.html
 "RXSA": "https://errata.rockylinux.org/", # e.g. https://errata.rockylinux.org/RXSA-2024:4928
+ "CAPEC": "https://capec.mitre.org/data/definitions/&&.html", # e.g. https://capec.mitre.org/data/definitions/157.html
+ "CWE": "https://cwe.mitre.org/data/definitions/&&.html", # e.g. https://cwe.mitre.org/data/definitions/79.html
 "TEMP": "https://security-tracker.debian.org/tracker/", # e.g. https://security-tracker.debian.org/tracker/TEMP-0841856-B18BAF
 }
 # List of acceptable file types that can be uploaded to a given object via arbitrary file upload
diff --git a/dojo/templatetags/display_tags.py b/dojo/templatetags/display_tags.py
index 7b634febf6..3fa030d90a 100644
--- a/dojo/templatetags/display_tags.py
+++ b/dojo/templatetags/display_tags.py
@@ -781,7 +781,12 @@ def vulnerability_url(vulnerability_id):
 for key in settings.VULNERABILITY_URLS:
 if vulnerability_id.upper().startswith(key):
 if "&&" in settings.VULNERABILITY_URLS[key]:
- return settings.VULNERABILITY_URLS[key].split("&&")[0] + str(vulnerability_id) + settings.VULNERABILITY_URLS[key].split("&&")[1]
+ # Process specific keys specially if need
+ if key in ["CAPEC", "CWE"]:
+ vuln_id = str(vulnerability_id).replace(f"{key}-", "")
+ else:
+ vuln_id = str(vulnerability_id)
+ return f'{settings.VULNERABILITY_URLS[key].split("&&")[0]}{vuln_id}{settings.VULNERABILITY_URLS[key].split("&&")[1]}'
 return settings.VULNERABILITY_URLS[key] + str(vulnerability_id)
 return ""
diff --git a/dojo/tools/burp_enterprise/parser.py b/dojo/tools/burp_enterprise/parser.py
index aab8e56524..052d8a80f8 100644
--- a/dojo/tools/burp_enterprise/parser.py
+++ b/dojo/tools/burp_enterprise/parser.py
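Review bot: In the `vulnerability_url` hunk the prefix is stripped with `str(vulnerability_id).replace(f"{key}-", "")`, but the match one line above is done on `vulnerability_id.upper()`, so a lower- or mixed-case id such as `cwe-79` passes the `startswith` check and is then left untouched, producing `.../definitions/cwe-79.html`; `replace` also removes the token anywhere in the string, not only at the start. `vuln_id = str(vulnerability_id)[len(key):].removeprefix("-")` strips exactly the matched prefix regardless of case (the parser changes later in this series already rely on the same 3.9+ string methods). The two `split("&&")` calls inside the f-string could be hoisted into a single `prefix, suffix = settings.VULNERABILITY_URLS[key].split("&&", 1)`. `vulnerability_url` begins outside the hunk.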
@@ -1,7 +1,7 @@
 import logging
 import re
-from lxml import etree
+from lxml import etree, html
 from dojo.models import Endpoint, Finding
@@ -9,6 +9,16 @@ class BurpEnterpriseParser:
+ vulnerability_list_xpath = (
+ "/html/body/div/div[contains(@class, 'section details')]/div[contains(@class, 'issue-container')]"
+ )
+ table_contents_xpath = "/html/body/div/div[contains(@class, 'section') and .//table[contains(@class, 'issue-table')]]"
+ description_headers = ["issue detail", "issue description"]
+ request_response_headers = ["request", "response"]
+ impact_headers = ["issue background", "issue remediation"]
+ mitigation_headers = ["remediation detail", "remediation background"]
+ references_headers = ["vulnerability classifications", "references"]
+
 def get_scan_types(self):
 return ["Burp Enterprise Scan"]
@@ -19,230 +29,231 @@ def get_description_for_scan_types(self, scan_type): return "Import Burp Enterprise Edition findings in HTML format" def get_findings(self, filename, test): - parser = etree.HTMLParser() - tree = etree.parse(filename, parser) + tree = html.parse(filename) if tree: return self.get_items(tree, test) return () - def get_content(self, container): + def _get_endpoints_title_severity_mapping(self, tree: etree.ElementTree) -> dict[str, str]: + """ + Construct a dict that contains mappings of endpoints and severities by a a title key. + + Example: { + "finding-title": { + "title": "finding-title", + "severity: "Medium", + "cwe": None, + "endpoints: [ + "http://127.0.0.1/path/A", + "http://127.0.0.1/path/B", + ], + } + } + """ + finding_mapping = {} + table_contents = tree.xpath(self.table_contents_xpath) + for table in table_contents: + # There is only one header in this div, so we will get a string back here + base_endpoint = table.xpath("h1")[0].text.replace("Issues found on ", "").removesuffix("/") + # Iterate over the table of endpoint paths and severities + title = None + for entry in table.xpath("table[contains(@class, 'issue-table')]/tbody/tr"): + # The etree.element with a class of "issue-type-row" is the title of the finding + if "issue-type-row" in entry.classes: + # The structure of this section is consistent + # ... [number-of-instances] + title = " ".join(entry.xpath("td")[0].text.strip().split(" ")[:-1]) + # Add the finding title as a new entry if needed + if title not in finding_mapping: + finding_mapping[title] = { + "title": title, + "severity": None, + "cwe": None, + "endpoints": [], + } + else: + # The structure of this section is consistent + # ... + # ... 
+ # Quick check to determine if we need to move to the + path = entry.xpath("td")[0].text.strip() + severity = entry.xpath("td")[1].text.strip() + # Update the finding_mapping + finding_mapping[title]["endpoints"].append(f"{base_endpoint}/{path.removeprefix('/')}") + finding_mapping[title]["severity"] = severity + + return finding_mapping + + def _get_content(self, container: etree.Element): + # quick exit in case container is not found s = "" + if container is None or (isinstance(container, list) and len(list) == 0): + return s + # Do some extra processing as needed if ( container.tag == "div" and container.text is not None and not container.text.isspace() and len(container.text) > 0 ): - s += ( + s += re.sub(r"[ \t]+", " ", ( "".join(container.itertext()) .strip() .replace("Snip", "\n<-------------- Snip -------------->") .replace("\t", "") - ) + )) else: for elem in container.iterchildren(): if elem.text is not None and elem.text.strip() != "": + stripped_text = elem.text.strip() if elem.tag == "a": - s += ( - "(" - + elem.text - + ")[" - + elem.attrib["href"] - + "]" - + "\n" - ) + value = "[" + stripped_text + "](" + elem.attrib["href"] + ")" + "\n" elif elem.tag == "p": - s += elem.text + "\n" + value = elem.text_content().strip().replace("\n", "") + elif elem.tag == "b": + value = f"**{stripped_text}**" elif elem.tag == "li": - s += "* " - if elem.text is not None: - s += elem.text + "\n" - elif elem.text.isspace(): - s += list(elem.itertext())[0] + value = "- " + if stripped_text is not None: + value += stripped_text + "\n" + elif stripped_text.isspace(): + value = list(elem.itertext())[0] elif elem.tag == "div" or elem.tag == "span": - s += elem.text.strip() + "\n" + value = elem.text_content().strip().replace("\n", "") + "\n" else: continue + s += re.sub(r"\s+", " ", value) else: - s += self.get_content(elem) + s += self._get_content(elem) return s - # Get the endpoints and severities associated with each vulnerability - def pre_allocate_items(self, 
tree): - items = [] - endpoint_text = tree.xpath( - "/html/body/div/div[contains(@class, 'section')]/h1", - ) - severities = tree.xpath( - "/html/body/div/div[contains(@class, 'section')]/table[contains(@class, 'issue-table')]/tbody", - ) - endpoint_text = [ - endpoint - for endpoint in endpoint_text - if ("Issues found" in "".join(endpoint.itertext()).strip()) - ] - - for index in range(len(severities)): - url = endpoint_text[index].text[16:] - sev_table = list(severities[index].iter("tr")) - - title = "" - endpoint = "" - for item in sev_table: - item_list = list(item.iter("td")) - if len(item_list) == 1: - title_list = item_list[0].text.strip().split(" ") - title = " ".join(title_list[:-1]) - else: - endpoint = item_list[0].text.strip() - severity = item_list[1].text.strip() - vuln = {} - vuln["Severity"] = severity - vuln["Title"] = title - vuln["Description"] = "" - vuln["Impact"] = "" - vuln["Mitigation"] = "" - vuln["References"] = "" - vuln["CWE"] = "" - vuln["Response"] = "" - vuln["Request"] = "" - vuln["Endpoint"] = [url + endpoint] - vuln["URL"] = url - items.append(vuln) - return items - - def get_items(self, tree, test): - # Check that there is at least one vulnerability (the vulnerabilities - # table is absent when no vuln are found) - vulns = tree.xpath( - "/html/body/div/div[contains(@class, 'section details')]/div[contains(@class, 'issue-container')]", - ) - if len(vulns) == 0: - return [] - - dict_index = 0 - description = ["Issue detail:", "Issue description"] - reqrsp = ["Request", "Response"] - impact = ["Issue background", "Issue remediation"] - mitigation = ["Remediation detail:", "Remediation background"] - references = ["Vulnerability classifications", "References"] - vuln = None - merge = False - items = self.pre_allocate_items(tree) - for issue in vulns: - elems = list(issue.iterchildren()) - curr_vuln = items[dict_index] - if vuln is None or ( - curr_vuln["Title"] != vuln["Title"] - or curr_vuln["URL"] != vuln["URL"] - ): - vuln = 
curr_vuln - merge = False - else: - if curr_vuln["Endpoint"][0] not in vuln["Endpoint"]: - vuln_list = vuln["Endpoint"] - vuln_list.append(curr_vuln["Endpoint"][0]) - vuln["Endpoint"] = vuln_list - merge = True - - for index in range(3, len(elems), 2): - primary, secondary = ( - elems[index].text.strip(), - elems[index + 1], - ) - field = self.get_content(secondary) - webinfo = primary.split(":")[0] - details = "**" + primary + "**\n" + field + "\n\n" - # Description - if primary in description: - if merge: - if field != vuln["Description"].split("\n")[1]: - vuln["Description"] = ( - vuln["Description"] + field + "\n\n" - ) - else: - vuln["Description"] = vuln["Description"] + details - # Impact - if primary in impact and not merge: - vuln["Impact"] = vuln["Impact"] + details - # Mitigation - if primary in mitigation and not merge: - vuln["Mitigation"] = vuln["Mitigation"] + details - # References and CWE - if primary in references and not merge: - if len(vuln["CWE"]) < 1 and field.find("CWE") != -1: - vuln["CWE"] += str(self.get_cwe(field)) - vuln["References"] = vuln["References"] + details - # Request and Response pairs - if webinfo in reqrsp: - if webinfo == "Request": - vuln["Request"] = vuln["Request"] + field + "SPLITTER" + def _format_bulleted_lists(self, finding_details: dict, div_element: etree.ElementTree) -> tuple[str, list[str]]: + """Create a mapping of bulleted lists with links into a formatted list, as well as the raw values.""" + formatted_string = "" + content_list = [] + for a_tag in div_element.xpath("ul/li/a"): + content = re.sub(r"\s+", " ", a_tag.text.strip()) + link = a_tag.attrib["href"] + formatted_string += f"- [{content}]({link})\n" + content_list.append(content) + + return formatted_string, content_list + + def _set_or_append_content(self, finding_details: dict, header: str, div_element: etree.ElementTree) -> None: + """Determine whether we should set or append content in a given place.""" + header = header.replace(":", "") + field = 
None + # description + if header.lower() in self.description_headers: + field = "description" + content = self._get_content(div_element) + elif header.lower() in self.impact_headers: + field = "impact" + content = self._get_content(div_element) + elif header.lower() in self.mitigation_headers: + field = "mitigation" + content = self._get_content(div_element) + elif header.lower() in self.references_headers: + field = "references" + content, data_list = self._format_bulleted_lists(finding_details, div_element) + # process the vulnerability_ids if we have them + if header.lower() == "vulnerability classifications": + for item in data_list: + cleaned_item = item.split(":")[0] + if ( + finding_details["cwe"] is None + and (cwe_search := re.search("CWE-([0-9]*)", cleaned_item, re.IGNORECASE)) + ): + finding_details["cwe"] = int(cwe_search.group(1)) + if "vulnerability_ids" not in finding_details: + finding_details["vulnerability_ids"] = [cleaned_item] else: - vuln["Response"] = ( - vuln["Response"] + field + "SPLITTER" - ) - - dict_index += 1 - - return list(self.create_findings(items, test)) - - def get_cwe(self, vuln_references): - # Match only the first CWE! 
- vuln_references = vuln_references.split(":")[0] - cweSearch = re.search("CWE-([0-9]*)", vuln_references, re.IGNORECASE) - if cweSearch: - return cweSearch.group(1) - return 0 - - def create_findings(self, items, test): - # Dictonary to hold the aggregated findings with: - # - key: the concatenated aggregate keys - # - value: the finding - dupes = {} - for details in items: - if details.get("Description") == "": - continue - aggregateKeys = "{}{}{}{}".format( - details.get("Title"), - details.get("Description"), - details.get("CWE"), - details.get("Endpoint"), - ) - detail_cwe = None - if details.get("CWE"): - detail_cwe = int(details.get("CWE")) - find = Finding( - title=details.get("Title"), - description=details.get("Description"), + finding_details["vulnerability_ids"].append(cleaned_item) + elif header.lower() in self.request_response_headers: + field = "request_response" + content = self._get_content(div_element) + if header.lower() == "request": + if "requests" not in finding_details: + finding_details["requests"] = [content] + else: + finding_details["requests"].append(content) + if header.lower() == "response": + if "responses" not in finding_details: + finding_details["responses"] = [content] + else: + finding_details["responses"].append(content) + return + + else: + return + + formatted_content = f"**{header}**:\n{content}\n" + if (existing_field := finding_details.get(field)) is not None: + if header not in existing_field: + finding_details[field] += f"{formatted_content}\n---\n" + else: + finding_details[field] = f"{formatted_content}\n---\n" + + def _parse_elements_by_h3_element(self, issue: etree.Element, finding_details: dict) -> None: + for header_element in issue.xpath("h3"): + if (div_element := header_element.getnext()) is not None and div_element.tag == "div": + # Determine where to put the content + self._set_or_append_content(finding_details, header_element.text.strip(), div_element) + + def get_items(self, tree: etree.ElementTree, test): + 
finding_details = self._get_endpoints_title_severity_mapping(tree) + for issue in tree.xpath(self.vulnerability_list_xpath): + # Get the title of the current finding + title = issue.xpath("h2")[0].text.strip() + # Fetch the bodies of the issues and process them + self._parse_elements_by_h3_element(issue, finding_details[title]) + # Accommodate a newer format where request/response pairs in a separate div + for request_response_div in issue.xpath("div[contains(@class, 'evidence-container')]"): + # Fetch the bodies of the issues and process them + self._parse_elements_by_h3_element(request_response_div, finding_details[title]) + # Merge the requests and response into a single dict + requests = finding_details[title].pop("requests", []) + responses = finding_details[title].pop("responses", []) + finding_details[title]["request_response_pairs"] = [ + { + "request": requests[i] if i < len(requests) else None, + "response": responses[i] if i < len(responses) else None, + } + for i in range(max(len(requests), len(responses))) + ] + + return list(self.create_findings(finding_details, test)) + + def create_findings(self, findings_dict: dict[str, dict], test): + # Pop off a few items to be processes after the finding is saved + findings = [] + for finding_dict in findings_dict.values(): + endpoints = finding_dict.pop("endpoints", []) + request_response_pairs = finding_dict.pop("request_response_pairs", []) + vulnerability_ids = finding_dict.pop("vulnerability_ids", []) + # Crete the finding from the rest of the dict + finding = Finding( test=test, - severity=details.get("Severity"), - mitigation=details.get("Mitigation"), - references=details.get("References"), - impact=details.get("Impact"), - cwe=detail_cwe, false_p=False, duplicate=False, out_of_scope=False, mitigated=None, static_finding=False, dynamic_finding=True, - nb_occurences=1, + **finding_dict, ) + # Add the unsaved versions of the other things + # Endpoints + finding.unsaved_endpoints = 
[Endpoint.from_uri(endpoint) for endpoint in endpoints] + # Request Response Pairs - if len(details.get("Request")) > 0: - requests = details.get("Request").split("SPLITTER")[:-1] - responses = details.get("Response").split("SPLITTER")[:-1] - unsaved_req_resp = [] - for index in range(len(requests)): - unsaved_req_resp.append( - {"req": requests[index], "resp": responses[index]}, - ) - find.unsaved_req_resp = unsaved_req_resp - - find.unsaved_endpoints = [] - dupes[aggregateKeys] = find - - for url in details.get("Endpoint"): - find.unsaved_endpoints.append(Endpoint.from_uri(url)) + finding.unsaved_req_resp = [ + {"req": request_response.get("request"), "resp": request_response.get("response")} + for request_response in request_response_pairs + ] + # Vulnerability IDs + finding.unsaved_vulnerability_ids = vulnerability_ids + # Add the finding to the final list + findings.append(finding) - return list(dupes.values()) + return findings diff --git a/unittests/scans/burp_enterprise/many_vulns_updated_format.html b/unittests/scans/burp_enterprise/many_vulns_updated_format.html new file mode 100644 index 0000000000..614ac1413b --- /dev/null +++ b/unittests/scans/burp_enterprise/many_vulns_updated_format.html @@ -0,0 +1,7391 @@ + + + + Scan Remediation Report #150 + + + + + + +
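Review bot: The early-exit guard in `_get_content` reads `len(list) == 0`, which calls `len` on the builtin type, so passing a list raises TypeError instead of returning the empty string the guard intends; it should be `if container is None or (isinstance(container, list) and len(container) == 0):`. In `_get_endpoints_title_severity_mapping` `title` starts as `None` and the `else` branch indexes `finding_mapping[title]` unconditionally, so a summary table whose first row is not an `issue-type-row` raises KeyError rather than a parser error, and `get_items` likewise assumes each `h2` title matches a summary-table title byte for byte once the trailing count is stripped. The docstring example in that method has unbalanced quotes (`"severity: "Medium"`, `"endpoints: [`) and reads "by a a title key". `_format_bulleted_lists` takes `finding_details` but never uses it. The enclosing class begins outside the hunk.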
+
+ +
+
+

Scan Remediation

+

Report

+
+ +
+ +
+ Generated by Burp Suite Enterprise Edition | 2024-11-06 12:41 PM +
+ +
+ + + + + + + +
+
Site name:
+
m
+
Scanned:
+ + + + + + + + + + + +
+
Start:
+
+
2024-11-05 4:59 PM
+
+
End:
+
+
2024-11-05 5:13 PM
+
+
Duration:
+
13m 53s
+
Status:
+
Completed
+
+
Start URLs:
+
https://instance.example.com/fe/m3/m-login
+ +
In-scope URL prefixes:
+
https://instance.example.com/fe/m3/
+
https://instance.example.com/m/v3/
+ +
Application logins:
+
DEMOMX m login only (no clerk)
+ +
Reference:
+ +
+ #150 +
+
+
+ +
+ + + + + + + +
+

Issues by severity

+ + + + + + + + + + + + + + + + + + + + + + + +
High:0
Medium:0
Low:11
Information:44
Total issues found:55
+
+

Scan statistics

+ + + + + + + + + + + + + + + + + + + + + + + +
Discovered URLs:44
Audited URLs without errors:9
Audited URLs with errors:1
Requests made:12354
Network errors:28
+
+
+ +
+ +
+

Issues found on https://instance.example.com


URLs By issue typeSeverityConfidenceMore detail
Strict transport security not enforced [7]
LowCertain>>
LowCertain>>
LowCertain>>
LowCertain>>
LowCertain>>
LowCertain>>
LowCertain>>
Open redirection (DOM-based) [4]
LowTentative>>
LowTentative>>
LowTentative>>
LowTentative>>
TLS certificate [1]
InfoCertain>>
Content security policy: allows untrusted script execution [7]
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
Content security policy: allows untrusted style execution [7]
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
Content security policy: allows form hijacking [7]
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
Cross-origin resource sharing [6]
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
Cross-origin resource sharing: arbitrary origin trusted [6]
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
Robots.txt file [1]
InfoCertain>>
Cacheable HTTPS response [1]
InfoCertain>>
DOM data manipulation (DOM-based) [6]
InfoFirm>>
InfoFirm>>
InfoFirm>>
InfoFirm>>
InfoFirm>>
InfoFirm>>
+
+
+ +
+

Issues found on http://instance.example.com

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
URLs By issue typeSeverityConfidenceMore detail
Input returned in response (reflected) [2]
InfoCertain>>
InfoCertain>>
+
+ +
+ +
+

More details for https://instance.example.com

+
+ +
+
+ +

Strict transport security not enforced

+ /fe/m3/m-login + +

+ Issue description: +

+
+

The application fails to prevent users from connecting to it over unencrypted connections. An + attacker able to modify a legitimate user's network traffic could bypass the application's use + of SSL/TLS encryption, and use the application as a platform for attacks against its users. This + attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link + to the site from an HTTP page, their browser never attempts to use an encrypted connection. The + sslstrip tool automates this process.

+

+ To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify + the victim's network traffic.This scenario typically occurs when a client communicates with the + server over an insecure connection such as public Wi-Fi, or a corporate or home network that is + shared with a compromised computer. Common defenses such as switched networks are not sufficient + to prevent this. An attacker situated in the user's ISP or the application's hosting + infrastructure could also perform this attack. Note that an advanced adversary could potentially + target any connection made over the Internet's core infrastructure.

+
+ +

+ Issue remediation: +

+
+

The application should instruct web browsers to only access the application using HTTPS. To do + this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name + 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in + seconds that browsers should remember that the site should only be accessed using HTTPS. + Consider adding the 'includeSubDomains' flag if appropriate.

+

Note that because HSTS is a "trust on first use" (TOFU) protocol, a user who has never + accessed the application will never have seen the HSTS header, and will therefore still be + vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload' + flag to the HSTS header, and submit the domain for review by browser vendors.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+
+ +

Strict transport security not enforced

+ /m/v3/actions/action-log + +

+ Issue description: +

+
+

The application fails to prevent users from connecting to it over unencrypted connections. An + attacker able to modify a legitimate user's network traffic could bypass the application's use + of SSL/TLS encryption, and use the application as a platform for attacks against its users. This + attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link + to the site from an HTTP page, their browser never attempts to use an encrypted connection. The + sslstrip tool automates this process.

+

+ To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify + the victim's network traffic.This scenario typically occurs when a client communicates with the + server over an insecure connection such as public Wi-Fi, or a corporate or home network that is + shared with a compromised computer. Common defenses such as switched networks are not sufficient + to prevent this. An attacker situated in the user's ISP or the application's hosting + infrastructure could also perform this attack. Note that an advanced adversary could potentially + target any connection made over the Internet's core infrastructure.

+
+ +

+ Issue remediation: +

+
+

The application should instruct web browsers to only access the application using HTTPS. To do + this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name + 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in + seconds that browsers should remember that the site should only be accessed using HTTPS. + Consider adding the 'includeSubDomains' flag if appropriate.

+

Note that because HSTS is a "trust on first use" (TOFU) protocol, a user who has never + accessed the application will never have seen the HSTS header, and will therefore still be + vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload' + flag to the HSTS header, and submit the domain for review by browser vendors.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/action-log HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.2130470854.1730843985; _ga_0CGDK6Q0X4=GS1.1.1730843984.1.0.1730843986.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 118 + + {"name":"mLoginAttempt","category":"mConsolefe","data":{"deviceType":"Desktop","mName":""}} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:46 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Strict transport security not enforced

+ /m/v3/actions/event-log + +

+ Issue description: +

+
+

The application fails to prevent users from connecting to it over unencrypted connections. An + attacker able to modify a legitimate user's network traffic could bypass the application's use + of SSL/TLS encryption, and use the application as a platform for attacks against its users. This + attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link + to the site from an HTTP page, their browser never attempts to use an encrypted connection. The + sslstrip tool automates this process.

+

+ To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify + the victim's network traffic.This scenario typically occurs when a client communicates with the + server over an insecure connection such as public Wi-Fi, or a corporate or home network that is + shared with a compromised computer. Common defenses such as switched networks are not sufficient + to prevent this. An attacker situated in the user's ISP or the application's hosting + infrastructure could also perform this attack. Note that an advanced adversary could potentially + target any connection made over the Internet's core infrastructure.

+
+ +

+ Issue remediation: +

+
+

The application should instruct web browsers to only access the application using HTTPS. To do + this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name + 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in + seconds that browsers should remember that the site should only be accessed using HTTPS. + Consider adding the 'includeSubDomains' flag if appropriate.

+

Note that because HSTS is a "trust on first use" (TOFU) protocol, a user who has never + accessed the application will never have seen the HSTS header, and will therefore still be + vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload' + flag to the HSTS header, and submit the domain for review by browser vendors.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/event-log HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1245037457.1730843989; _ga_0CGDK6Q0X4=GS1.1.1730843988.1.0.1730843990.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 279 + + {"name":"ForgotPasswordButtonClicked","category":"mConsoleEvents","timestamp":1730843990,"data":{"currentURL":"https://instance.example.com/fe/m3/m-login","previou +
Snip
+
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:50 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Strict transport security not enforced

+ /m/v3/actions/login-m-by-name + +

+ Issue description: +

+
+

The application fails to prevent users from connecting to it over unencrypted connections. An + attacker able to modify a legitimate user's network traffic could bypass the application's use + of SSL/TLS encryption, and use the application as a platform for attacks against its users. This + attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link + to the site from an HTTP page, their browser never attempts to use an encrypted connection. The + sslstrip tool automates this process.

+

+ To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify + the victim's network traffic.This scenario typically occurs when a client communicates with the + server over an insecure connection such as public Wi-Fi, or a corporate or home network that is + shared with a compromised computer. Common defenses such as switched networks are not sufficient + to prevent this. An attacker situated in the user's ISP or the application's hosting + infrastructure could also perform this attack. Note that an advanced adversary could potentially + target any connection made over the Internet's core infrastructure.

+
+ +

+ Issue remediation: +

+
+

The application should instruct web browsers to only access the application using HTTPS. To do + this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name + 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in + seconds that browsers should remember that the site should only be accessed using HTTPS. + Consider adding the 'includeSubDomains' flag if appropriate.

+

Note that because HSTS is a "trust on first use" (TOFU) protocol, a user who has never + accessed the application will never have seen the HSTS header, and will therefore still be + vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload' + flag to the HSTS header, and submit the domain for review by browser vendors.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/login-m-by-name HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Authorization: Bearer undefined + Cookie: _ga=GA1.1.2130470854.1730843985; _ga_0CGDK6Q0X4=GS1.1.1730843984.1.0.1730843986.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 33 + + {"mName":"","password":""}
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:46 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Strict transport security not enforced

+ /m/v3/actions/request-m-password-reset + +

+ Issue description: +

+
+

The application fails to prevent users from connecting to it over unencrypted connections. An + attacker able to modify a legitimate user's network traffic could bypass the application's use + of SSL/TLS encryption, and use the application as a platform for attacks against its users. This + attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link + to the site from an HTTP page, their browser never attempts to use an encrypted connection. The + sslstrip tool automates this process.

+

+ To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify + the victim's network traffic.This scenario typically occurs when a client communicates with the + server over an insecure connection such as public Wi-Fi, or a corporate or home network that is + shared with a compromised computer. Common defenses such as switched networks are not sufficient + to prevent this. An attacker situated in the user's ISP or the application's hosting + infrastructure could also perform this attack. Note that an advanced adversary could potentially + target any connection made over the Internet's core infrastructure.

+
+ +

+ Issue remediation: +

+
+

The application should instruct web browsers to only access the application using HTTPS. To do + this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name + 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in + seconds that browsers should remember that the site should only be accessed using HTTPS. + Consider adding the 'includeSubDomains' flag if appropriate.

+

Note that because HSTS is a "trust on first use" (TOFU) protocol, a user who has never + accessed the application will never have seen the HSTS header, and will therefore still be + vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload' + flag to the HSTS header, and submit the domain for review by browser vendors.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/request-m-password-reset HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1294211964.1730843974; _ga_0CGDK6Q0X4=GS1.1.1730843974.1.1.1730843975.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/request-reset-password + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 94 + + {"mName":"BoSUhm","mEmail":"BoSUhmuz@burpcollaborator.net","mPhone":null} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:36 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Strict transport security not enforced

+ /m/v3/translations + +

+ Issue description: +

+
+

The application fails to prevent users from connecting to it over unencrypted connections. An + attacker able to modify a legitimate user's network traffic could bypass the application's use + of SSL/TLS encryption, and use the application as a platform for attacks against its users. This + attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link + to the site from an HTTP page, their browser never attempts to use an encrypted connection. The + sslstrip tool automates this process.

+

+ To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify + the victim's network traffic.This scenario typically occurs when a client communicates with the + server over an insecure connection such as public Wi-Fi, or a corporate or home network that is + shared with a compromised computer. Common defenses such as switched networks are not sufficient + to prevent this. An attacker situated in the user's ISP or the application's hosting + infrastructure could also perform this attack. Note that an advanced adversary could potentially + target any connection made over the Internet's core infrastructure.

+
+ +

+ Issue remediation: +

+
+

The application should instruct web browsers to only access the application using HTTPS. To do + this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name + 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in + seconds that browsers should remember that the site should only be accessed using HTTPS. + Consider adding the 'includeSubDomains' flag if appropriate.

+

Note that because HSTS is a "trust on first use" (TOFU) protocol, a user who has never + accessed the application will never have seen the HSTS header, and will therefore still be + vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload' + flag to the HSTS header, and submit the domain for review by browser vendors.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /m/v3/translations?locale=en_US&category=m-fe HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1871968749.1730843978; _ga_0CGDK6Q0X4=GS1.1.1730843977.1.1.1730843978.0.0.0 + Referer: https://instance.example.com/fe/m3/m-login + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:39 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Strict transport security not enforced

+ /m/v3/translations/locales + +

+ Issue description: +

+
+

The application fails to prevent users from connecting to it over unencrypted connections. An + attacker able to modify a legitimate user's network traffic could bypass the application's use + of SSL/TLS encryption, and use the application as a platform for attacks against its users. This + attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link + to the site from an HTTP page, their browser never attempts to use an encrypted connection. The + sslstrip tool automates this process.

+

+ To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify + the victim's network traffic.This scenario typically occurs when a client communicates with the + server over an insecure connection such as public Wi-Fi, or a corporate or home network that is + shared with a compromised computer. Common defenses such as switched networks are not sufficient + to prevent this. An attacker situated in the user's ISP or the application's hosting + infrastructure could also perform this attack. Note that an advanced adversary could potentially + target any connection made over the Internet's core infrastructure.

+
+ +

+ Issue remediation: +

+
+

The application should instruct web browsers to only access the application using HTTPS. To do + this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name + 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in + seconds that browsers should remember that the site should only be accessed using HTTPS. + Consider adding the 'includeSubDomains' flag if appropriate.

+

Note that because HSTS is a "trust on first use" (TOFU) protocol, a user who has never + accessed the application will never have seen the HSTS header, and will therefore still be + vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload' + flag to the HSTS header, and submit the domain for review by browser vendors.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /m/v3/translations/locales?category=m-fe HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Referer: https://instance.example.com/fe/m3/m-login + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:24 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +
+
+
+ +

Open redirection (DOM-based)

+ /fe/m3/m-login + +

Issue detail:

+
+ The application may be vulnerable to DOM-based open redirection. Data is read from + location.href and passed to xhr.send. +
+ +

+ Issue background: +

+
+

DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of + the DOM (for example, the URL) and processes this data in an unsafe way.

+ +

DOM-based open redirection arises when a script writes controllable data into the target of a + redirection in an unsafe way. An attacker may be able to use the vulnerability to construct a + URL that, if visited by another application user, will cause a redirection to an arbitrary + external domain. This behavior can be leveraged to facilitate phishing attacks against users of + the application. The ability to use an authentic application URL, targeting the correct domain + and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack + because many users, even if they verify these features, will not notice the subsequent + redirection to a different domain.

+

Note: If an attacker is able to control the start of the string that is passed to the + redirection API, then it may be possible to escalate this vulnerability into a JavaScript + injection attack, by using a URL with the javascript: pseudo-protocol to execute arbitrary + script code when the URL is processed by the browser.

+ +

Burp Suite automatically identifies this issue using dynamic and static code analysis. Static + analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not + provided any evidence resulting from dynamic analysis, you should review the relevant code and + execution paths to determine whether this vulnerability is indeed present, or whether + mitigations are in place that would prevent exploitation.

+
+ +

+ Issue remediation: +

+
+

The most effective way to avoid DOM-based open redirection vulnerabilities is not to dynamically + set redirection targets using data that originated from any untrusted source. If the desired + functionality of the application means that this behavior is unavoidable, then defenses must be + implemented within the client-side code to prevent malicious data from introducing an arbitrary + URL as a redirection target. In general, this is best achieved by using a whitelist of URLs that + are permitted redirection targets, and strictly validating the target against this list before + performing the redirection.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+

Dynamic analysis:

+
+

+ Data is read from location.href and passed to xhr.send. +

+
    +
  • +

    The following value was injected into the source:

    +
    https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'"/iepuap2p8w/><iepuap2p8w/\>fwqsx8nplw&#iepuap2p8w=iepuap2p8w%27%22`'"/iepuap2p8w/><iepuap2p8w/\>fwqsx8nplw&
    +
  • + +
  • +

    The previous value reached the sink:

    +
    {"access_token":"ed227e6e767e4584a5b3c10dc8b68c2a","data":{"environment":"development","level":"error","endpoint":"api.rollbar.com/api/1/item/","platform":"browser","framework":"browser-js","language":"javascript","server":{},"uuid":"a4231093-6d2e-4dbb-9f7f-7f0c97fde382","notifier":{"name":"rollbar-browser-js","version":"2.26.2","configured_options":{"captureUncaught":true,"captureUnhandledRejections":true,"payload":{"environment":"development"}},"diagnostic":{"original_arg_types":["string","error","undefined"],"is_uncaught":true,"raw_error":{"message":"Cannot read properties of null (reading 'once')","name":"TypeError","constructor_name":"TypeError","stack":"TypeError: Cannot read properties of null (reading 'once')\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\n    at https://instance.example.com/fe/js/cv-script.js:202367:10"}}},"request":{"url":"https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/><iepuap2p8w/\\>fwqsx8nplw&#iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/><iepuap2p8w/\\>fwqsx8nplw&","query_string":"?kpiqhi5l29=kpiqhi5l29%27%22`'\"/kpiqhi5l29/><kpiqhi5l29/\\>ba6kcvqqrk&","user_ip":"$remote_ip"},"client":{"runtime_ms":53,"timestamp":1730843997,"javascript":{"browser":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36","language":"en-US","cookie_enabled":true,"screen":{"width":800,"height":600},"plugins":[]}},"body":{"trace":{"exception":{"class":"TypeError","message":"Cannot read properties of null (reading 'once')","description":"Uncaught TypeError: Cannot read properties of null (reading 
'once')"},"frames":[{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":202367,"method":"[anonymous]","colno":10},{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":202406,"method":"InfoReceiver.doXhr","colno":11}]},"telemetry":[{"level":"error","type":"error","timestamp_ms":1730843997119,"body":{"message":"Cannot read properties of null (reading 'once')","stack":"TypeError: Cannot read properties of null (reading 'once')\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\n    at https://instance.example.com/fe/js/cv-script.js:202367:10"},"source":"client","uuid":"a4231093-6d2e-4dbb-9f7f-7f0c97fde382"}]},"context":""}}
    +
  • + +
  • +

    The stack trace at source was:

    +
    at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)
    +at get href (<anonymous>:1:249544)
    +at Array.<anonymous> (https://instance.example.com/fe/js/cv-script.js:201791:42576)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)
    +at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)
    +at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)
    +at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)
    +at m.handleUncaughtException (https://instance.example.com/fe/js/cv-script.js:201791:18878)
    +at n (https://instance.example.com/fe/js/cv-script.js:201791:35409)
    +at i (https://instance.example.com/fe/js/cv-script.js:201791:35806)
    +
  • + +
  • +

    The stack trace at the sink was:

    +
    at Object.XMhUr (<anonymous>:1:544502)
    +at _0x13dcf0 (<anonymous>:1:558761)
    +at _0xdc6a5f.<computed>._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.<computed> (<anonymous>:1:458938)
    +at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)
    +at t.exports (https://instance.example.com/fe/js/cv-script.js:201791:39384)
    +at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)
    +at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)
    +at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)
    +at https://instance.example.com/fe/js/cv-script.js:201791:32574
    +
  • + +
+
+
+
+
+ +

Open redirection (DOM-based)

+ /fe/m3/m-login + +

Issue detail:

+
+ The application may be vulnerable to DOM-based open redirection. Data is read from + location.search and passed to xhr.send. +
+ +

+ Issue background: +

+
+

DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of + the DOM (for example, the URL) and processes this data in an unsafe way.

+ +

DOM-based open redirection arises when a script writes controllable data into the target of a + redirection in an unsafe way. An attacker may be able to use the vulnerability to construct a + URL that, if visited by another application user, will cause a redirection to an arbitrary + external domain. This behavior can be leveraged to facilitate phishing attacks against users of + the application. The ability to use an authentic application URL, targeting the correct domain + and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack + because many users, even if they verify these features, will not notice the subsequent + redirection to a different domain.

+

Note: If an attacker is able to control the start of the string that is passed to the + redirection API, then it may be possible to escalate this vulnerability into a JavaScript + injection attack, by using a URL with the javascript: pseudo-protocol to execute arbitrary + script code when the URL is processed by the browser.

+ +

Burp Suite automatically identifies this issue using dynamic and static code analysis. Static + analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not + provided any evidence resulting from dynamic analysis, you should review the relevant code and + execution paths to determine whether this vulnerability is indeed present, or whether + mitigations are in place that would prevent exploitation.

+
+ +

+ Issue remediation: +

+
+

The most effective way to avoid DOM-based open redirection vulnerabilities is not to dynamically + set redirection targets using data that originated from any untrusted source. If the desired + functionality of the application means that this behavior is unavoidable, then defenses must be + implemented within the client-side code to prevent malicious data from introducing an arbitrary + URL as a redirection target. In general, this is best achieved by using a whitelist of URLs that + are permitted redirection targets, and strictly validating the target against this list before + performing the redirection.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+

Dynamic analysis:

+
+

+ Data is read from location.search and passed to xhr.send. +

+
    +
  • +

    The following value was injected into the source:

    +
    ?kpiqhi5l29=kpiqhi5l29%27%22`'"/kpiqhi5l29/><kpiqhi5l29/\>ba6kcvqqrk&
    +
  • + +
  • +

    The previous value reached the sink:

    +
    {"access_token":"ed227e6e767e4584a5b3c10dc8b68c2a","data":{"environment":"development","level":"error","endpoint":"api.rollbar.com/api/1/item/","platform":"browser","framework":"browser-js","language":"javascript","server":{},"uuid":"a4231093-6d2e-4dbb-9f7f-7f0c97fde382","notifier":{"name":"rollbar-browser-js","version":"2.26.2","configured_options":{"captureUncaught":true,"captureUnhandledRejections":true,"payload":{"environment":"development"}},"diagnostic":{"original_arg_types":["string","error","undefined"],"is_uncaught":true,"raw_error":{"message":"Cannot read properties of null (reading 'once')","name":"TypeError","constructor_name":"TypeError","stack":"TypeError: Cannot read properties of null (reading 'once')\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\n    at https://instance.example.com/fe/js/cv-script.js:202367:10"}}},"request":{"url":"https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/><iepuap2p8w/\\>fwqsx8nplw&#iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/><iepuap2p8w/\\>fwqsx8nplw&","query_string":"?kpiqhi5l29=kpiqhi5l29%27%22`'\"/kpiqhi5l29/><kpiqhi5l29/\\>ba6kcvqqrk&","user_ip":"$remote_ip"},"client":{"runtime_ms":53,"timestamp":1730843997,"javascript":{"browser":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36","language":"en-US","cookie_enabled":true,"screen":{"width":800,"height":600},"plugins":[]}},"body":{"trace":{"exception":{"class":"TypeError","message":"Cannot read properties of null (reading 'once')","description":"Uncaught TypeError: Cannot read properties of null (reading 
'once')"},"frames":[{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":202367,"method":"[anonymous]","colno":10},{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":202406,"method":"InfoReceiver.doXhr","colno":11}]},"telemetry":[{"level":"error","type":"error","timestamp_ms":1730843997119,"body":{"message":"Cannot read properties of null (reading 'once')","stack":"TypeError: Cannot read properties of null (reading 'once')\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\n    at https://instance.example.com/fe/js/cv-script.js:202367:10"},"source":"client","uuid":"a4231093-6d2e-4dbb-9f7f-7f0c97fde382"}]},"context":""}}
    +
  • + +
  • +

    The stack trace at source was:

    +
    at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)
    +at get search (<anonymous>:1:248279)
    +at Array.<anonymous> (https://instance.example.com/fe/js/cv-script.js:201791:42607)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)
    +at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)
    +at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)
    +at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)
    +at m.handleUncaughtException (https://instance.example.com/fe/js/cv-script.js:201791:18878)
    +at n (https://instance.example.com/fe/js/cv-script.js:201791:35409)
    +at i (https://instance.example.com/fe/js/cv-script.js:201791:35806)
    +
  • + +
  • +

    The stack trace at the sink was:

    +
    at Object.XMhUr (<anonymous>:1:544502)
    +at _0x13dcf0 (<anonymous>:1:558761)
    +at _0xdc6a5f.<computed>._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.<computed> (<anonymous>:1:458938)
    +at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)
    +at t.exports (https://instance.example.com/fe/js/cv-script.js:201791:39384)
    +at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)
    +at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)
    +at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)
    +at https://instance.example.com/fe/js/cv-script.js:201791:32574
    +
  • + +
+
+
+
+
+ +

Open redirection (DOM-based)

+ /fe/m3/m-login + +

Issue detail:

+
+ The application may be vulnerable to DOM-based open redirection. Data is read from + location.href and passed to xhr.send. +
+ +

+ Issue background: +

+
+

DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of + the DOM (for example, the URL) and processes this data in an unsafe way.

+ +

DOM-based open redirection arises when a script writes controllable data into the target of a + redirection in an unsafe way. An attacker may be able to use the vulnerability to construct a + URL that, if visited by another application user, will cause a redirection to an arbitrary + external domain. This behavior can be leveraged to facilitate phishing attacks against users of + the application. The ability to use an authentic application URL, targeting the correct domain + and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack + because many users, even if they verify these features, will not notice the subsequent + redirection to a different domain.

+

Note: If an attacker is able to control the start of the string that is passed to the + redirection API, then it may be possible to escalate this vulnerability into a JavaScript + injection attack, by using a URL with the javascript: pseudo-protocol to execute arbitrary + script code when the URL is processed by the browser.

+ +

Burp Suite automatically identifies this issue using dynamic and static code analysis. Static + analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not + provided any evidence resulting from dynamic analysis, you should review the relevant code and + execution paths to determine whether this vulnerability is indeed present, or whether + mitigations are in place that would prevent exploitation.

+
+ +

+ Issue remediation: +

+
+

The most effective way to avoid DOM-based open redirection vulnerabilities is not to dynamically + set redirection targets using data that originated from any untrusted source. If the desired + functionality of the application means that this behavior is unavoidable, then defenses must be + implemented within the client-side code to prevent malicious data from introducing an arbitrary + URL as a redirection target. In general, this is best achieved by using a whitelist of URLs that + are permitted redirection targets, and strictly validating the target against this list before + performing the redirection.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+

Dynamic analysis:

+
+

+ Data is read from location.href and passed to xhr.send. +

+
    +
  • +

    The following value was injected into the source:

    +
    https://instance.example.com/fe/m3/m-login?bih4qyzpvt=bih4qyzpvt%27%22`'"/bih4qyzpvt/><bih4qyzpvt/\>sbxdhx44wf&#bih4qyzpvt=bih4qyzpvt%27%22`'"/bih4qyzpvt/><bih4qyzpvt/\>sbxdhx44wf&
    +
  • + +
  • +

    The previous value reached the sink:

    +
    {"access_token":"ed227e6e767e4584a5b3c10dc8b68c2a","data":{"environment":"development","level":"error","endpoint":"api.rollbar.com/api/1/item/","platform":"browser","framework":"browser-js","language":"javascript","server":{},"uuid":"8ea547f7-4ead-4638-bd75-97e9d3af07a9","notifier":{"name":"rollbar-browser-js","version":"2.26.2","configured_options":{"captureUncaught":true,"captureUnhandledRejections":true,"payload":{"environment":"development"}},"diagnostic":{"original_arg_types":["string","error","undefined"],"is_uncaught":true,"raw_error":{"message":"Request failed with status code 500","name":"Error","constructor_name":"Error","stack":"Error: Request failed with status code 500\n    at createError (https://instance.example.com/fe/js/cv-script.js:51368:15)\n    at settle (https://instance.example.com/fe/js/cv-script.js:51664:12)\n    at XMLHttpRequest.onloadend (https://instance.example.com/fe/js/cv-script.js:50688:7)"}}},"request":{"url":"https://instance.example.com/fe/m3/m-login?bih4qyzpvt=bih4qyzpvt%27%22`'\"/bih4qyzpvt/><bih4qyzpvt/\\>sbxdhx44wf&#bih4qyzpvt=bih4qyzpvt%27%22`'\"/bih4qyzpvt/><bih4qyzpvt/\\>sbxdhx44wf&","query_string":"?esux3absmq=esux3absmq%27%22`'\"/esux3absmq/><esux3absmq/\\>z0k5afa1h6&","user_ip":"$remote_ip"},"client":{"runtime_ms":497,"timestamp":1730843998,"javascript":{"browser":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36","language":"en-US","cookie_enabled":true,"screen":{"width":800,"height":600},"plugins":[]}},"body":{"trace":{"exception":{"class":"Error","message":"Request failed with status code 500","description":"Request failed with status code 
500"},"frames":[{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":50688,"method":"XMLHttpRequest.onloadend","colno":7},{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":51664,"method":"settle","colno":12},{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":51368,"method":"createError","colno":15}]},"telemetry":[{"level":"error","type":"error","timestamp_ms":1730843997119,"body":{"message":"Cannot read properties of null (reading 'once')","stack":"TypeError: Cannot read properties of null (reading 'once')\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\n    at https://instance.example.com/fe/js/cv-script.js:202367:10"},"source":"client","uuid":"a4231093-6d2e-4dbb-9f7f-7f0c97fde382"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:-------------------------"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:DOM XSS found"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Context: NaN.queryString"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Tag name: "},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Original url: https://instance.example.com/fe/m3/m-login"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Generated url: 
https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/><iepuap2p8w/\\>fwqsx8nplw&#iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/><iepuap2p8w/\\>fwqsx8nplw&"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:PoC:Unable to generate PoC"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source identified as: location.href"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source Stack trace:     at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)\n    at get href (<anonymous>:1:249544)\n    at Array.<anonymous> (https://instance.example.com/fe/js/cv-script.js:201791:42576)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)\n    at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)\n    at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)\n    at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)\n    at m.handleUncaughtException 
(https://instance.example.com/fe/js/cv-script.js:201791:18878)\n    at n (https://instance.example.com/fe/js/cv-script.js:201791:35409)\n    at i (https://instance.example.com/fe/js/cv-script.js:201791:35806)"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink identified as: xhr.send"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink Stack trace:     at Object.XMhUr (<anonymous>:1:544502)\n    at _0x13dcf0 (<anonymous>:1:558761)\n    at _0xdc6a5f.<computed>._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.<computed> (<anonymous>:1:458938)\n    at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)\n    at t.exports (https://instance.example.com/fe/js/cv-script.js:201791:39384)\n    at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)\n    at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)\n    at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)\n    at https://instance.example.com/fe/js/cv-script.js:201791:32574"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink value: {\"access_token\":\"ed227e6e767e4584a5b3c10dc8b68c2a\",\"data\":{\"environment\":\"development\",\"level\":\"error\",\"endpoint\":\"api.rollbar.com/api/1/item/\",\"platform\":\"browser\",\"framework\":\"browser-js\",\"language\":\"javascript\",\"server\":{},\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\",\"notifier\":{\"name\":\"rollbar-browser-js\",\"version\":\"2.26.2\",\"configured_options\":{\"captureUncaught\":true,\"captureUnhandledRejections\":true,\"payload\":{\"environment\":\"development\"}},\"diagnostic\":{\"original_arg_types\":[\"string\",\"error\",\"undefined\"],\"is_uncaught\":true,\"raw_error\":{\"message\":\"Cannot read 
properties of null (reading 'once')\",\"name\":\"TypeError\",\"constructor_name\":\"TypeError\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at https://instance.example.com/fe/js/cv-script.js:202367:10\"}}},\"request\":{\"url\":\"https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/><iepuap2p8w/\\\\>fwqsx8nplw&#iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/><iepuap2p8w/\\\\>fwqsx8nplw&\",\"query_string\":\"?kpiqhi5l29=kpiqhi5l29%27%22`'\\\"/kpiqhi5l29/><kpiqhi5l29/\\\\>ba6kcvqqrk&\",\"user_ip\":\"$remote_ip\"},\"client\":{\"runtime_ms\":53,\"timestamp\":1730843997,\"javascript\":{\"browser\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36\",\"language\":\"en-US\",\"cookie_enabled\":true,\"screen\":{\"width\":800,\"height\":600},\"plugins\":[]}},\"body\":{\"trace\":{\"exception\":{\"class\":\"TypeError\",\"message\":\"Cannot read properties of null (reading 'once')\",\"description\":\"Uncaught TypeError: Cannot read properties of null (reading 'once')\"},\"frames\":[{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202367,\"method\":\"[anonymous]\",\"colno\":10},{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202406,\"method\":\"InfoReceiver.doXhr\",\"colno\":11}]},\"telemetry\":[{\"level\":\"error\",\"type\":\"error\",\"timestamp_ms\":1730843997119,\"body\":{\"message\":\"Cannot read properties of null (reading 'once')\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at 
https://instance.example.com/fe/js/cv-script.js:202367:10\"},\"source\":\"client\",\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\"}]},\"context\":\"\"}}"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:-------------------------"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:-------------------------"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:DOM XSS found"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Context: NaN.queryString"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Tag name: "},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Original url: https://instance.example.com/fe/m3/m-login"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Generated url: https://instance.example.com/fe/m3/m-login?kpiqhi5l29=kpiqhi5l29%27%22`'\"/kpiqhi5l29/><kpiqhi5l29/\\>ba6kcvqqrk&"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:PoC:Unable to generate PoC"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source identified as: location.search"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source Stack trace:     at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)\n    at get search (<anonymous>:1:248279)\n    at Array.<anonymous> 
(https://instance.example.com/fe/js/cv-script.js:201791:42607)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)\n    at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)\n    at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)\n    at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)\n    at m.handleUncaughtException (https://instance.example.com/fe/js/cv-script.js:201791:18878)\n    at n (https://instance.example.com/fe/js/cv-script.js:201791:35409)\n    at i (https://instance.example.com/fe/js/cv-script.js:201791:35806)"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink identified as: xhr.send"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink Stack trace:     at Object.XMhUr (<anonymous>:1:544502)\n    at _0x13dcf0 (<anonymous>:1:558761)\n    at _0xdc6a5f.<computed>._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.<computed> (<anonymous>:1:458938)\n    at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)\n    at t.exports 
(https://instance.example.com/fe/js/cv-script.js:201791:39384)\n    at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)\n    at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)\n    at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)\n    at https://instance.example.com/fe/js/cv-script.js:201791:32574"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink value: {\"access_token\":\"ed227e6e767e4584a5b3c10dc8b68c2a\",\"data\":{\"environment\":\"development\",\"level\":\"error\",\"endpoint\":\"api.rollbar.com/api/1/item/\",\"platform\":\"browser\",\"framework\":\"browser-js\",\"language\":\"javascript\",\"server\":{},\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\",\"notifier\":{\"name\":\"rollbar-browser-js\",\"version\":\"2.26.2\",\"configured_options\":{\"captureUncaught\":true,\"captureUnhandledRejections\":true,\"payload\":{\"environment\":\"development\"}},\"diagnostic\":{\"original_arg_types\":[\"string\",\"error\",\"undefined\"],\"is_uncaught\":true,\"raw_error\":{\"message\":\"Cannot read properties of null (reading 'once')\",\"name\":\"TypeError\",\"constructor_name\":\"TypeError\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at https://instance.example.com/fe/js/cv-script.js:202367:10\"}}},\"request\":{\"url\":\"https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/><iepuap2p8w/\\\\>fwqsx8nplw&#iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/><iepuap2p8w/\\\\>fwqsx8nplw&\",\"query_string\":\"?kpiqhi5l29=kpiqhi5l29%27%22`'\\\"/kpiqhi5l29/><kpiqhi5l29/\\\\>ba6kcvqqrk&\",\"user_ip\":\"$remote_ip\"},\"client\":{\"runtime_ms\":53,\"timestamp\":1730843997,\"javascript\":{\"browser\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36\",\"language\":\"en-US\",\"cookie_enabled\":true,\"screen\":{\"width\":800,\"height\":600},\"plugins\":[]}},\"body\":{\"trace\":{\"exception\":{\"class\":\"TypeError\",\"message\":\"Cannot read properties of null (reading 'once')\",\"description\":\"Uncaught TypeError: Cannot read properties of null (reading 'once')\"},\"frames\":[{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202367,\"method\":\"[anonymous]\",\"colno\":10},{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202406,\"method\":\"InfoReceiver.doXhr\",\"colno\":11}]},\"telemetry\":[{\"level\":\"error\",\"type\":\"error\",\"timestamp_ms\":1730843997119,\"body\":{\"message\":\"Cannot read properties of null (reading 'once')\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at https://instance.example.com/fe/js/cv-script.js:202367:10\"},\"source\":\"client\",\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\"}]},\"context\":\"\"}}"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997220,"body":{"message":"--DynamicJavaScriptAnalysis from 
JS:-------------------------"},"source":"client"},{"level":"error","type":"network","timestamp_ms":1730843997410,"body":{"method":"GET","url":"https://localhost:8000/sockjs-node/info?t=1730843997179","status_code":0,"start_time_ms":1730843997180,"end_time_ms":1730843997410,"subtype":"xhr","response_content_type":null},"source":"client"},{"level":"error","type":"network","timestamp_ms":1730843997410,"body":{"method":"GET","url":"https://localhost:8000/sockjs-node/info?t=1730843997221","status_code":0,"start_time_ms":1730843997221,"end_time_ms":1730843997410,"subtype":"xhr","response_content_type":null},"source":"client"},{"level":"info","type":"network","timestamp_ms":1730843997482,"body":{"method":"POST","url":"https://api.rollbar.com:443/api/1/item/","status_code":200,"start_time_ms":1730843997213,"end_time_ms":1730843997482,"request_content_type":"application/json","subtype":"xhr","response_content_type":"application/json; charset=utf-8"},"source":"client"},{"level":"error","type":"error","timestamp_ms":1730843997563,"body":{"message":"Request failed with status code 500","stack":"Error: Request failed with status code 500\n    at createError (https://instance.example.com/fe/js/cv-script.js:51368:15)\n    at settle (https://instance.example.com/fe/js/cv-script.js:51664:12)\n    at XMLHttpRequest.onloadend (https://instance.example.com/fe/js/cv-script.js:50688:7)"},"source":"client","uuid":"8ea547f7-4ead-4638-bd75-97e9d3af07a9"}]},"context":""}}
    +
  • + +
  • +

    The stack trace at source was:

    +
    at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)
    +at get href (<anonymous>:1:249544)
    +at Array.<anonymous> (https://instance.example.com/fe/js/cv-script.js:201791:42576)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)
    +at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)
    +at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)
    +at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)
    +at m.handleUnhandledRejection (https://instance.example.com/fe/js/cv-script.js:201791:19920)
    +at n (https://instance.example.com/fe/js/cv-script.js:201791:36330)
    +
  • + +
  • +

    The stack trace at the sink was:

    +
    at Object.XMhUr (<anonymous>:1:544502)
    +at _0x13dcf0 (<anonymous>:1:558761)
    +at _0xdc6a5f.<computed>._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.<computed> (<anonymous>:1:458938)
    +at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)
    +at t.exports (https://instance.example.com/fe/js/cv-script.js:201791:39384)
    +at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)
    +at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)
    +at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)
    +at https://instance.example.com/fe/js/cv-script.js:201791:32574
    +
  • + +
+
+
+
+
+ +

Open redirection (DOM-based)

+ /fe/m3/m-login + +

Issue detail:

+
+ The application may be vulnerable to DOM-based open redirection. Data is read from + location.search and passed to xhr.send. +
+ +

+ Issue background: +

+
+

DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of + the DOM (for example, the URL) and processes this data in an unsafe way.

+ +

DOM-based open redirection arises when a script writes controllable data into the target of a + redirection in an unsafe way. An attacker may be able to use the vulnerability to construct a + URL that, if visited by another application user, will cause a redirection to an arbitrary + external domain. This behavior can be leveraged to facilitate phishing attacks against users of + the application. The ability to use an authentic application URL, targeting the correct domain + and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack + because many users, even if they verify these features, will not notice the subsequent + redirection to a different domain.

+

Note: If an attacker is able to control the start of the string that is passed to the + redirection API, then it may be possible to escalate this vulnerability into a JavaScript + injection attack, by using a URL with the javascript: pseudo-protocol to execute arbitrary + script code when the URL is processed by the browser.

+ +

Burp Suite automatically identifies this issue using dynamic and static code analysis. Static + analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not + provided any evidence resulting from dynamic analysis, you should review the relevant code and + execution paths to determine whether this vulnerability is indeed present, or whether + mitigations are in place that would prevent exploitation.

+
+ +

+ Issue remediation: +

+
+

The most effective way to avoid DOM-based open redirection vulnerabilities is not to dynamically + set redirection targets using data that originated from any untrusted source. If the desired + functionality of the application means that this behavior is unavoidable, then defenses must be + implemented within the client-side code to prevent malicious data from introducing an arbitrary + URL as a redirection target. In general, this is best achieved by using a whitelist of URLs that + are permitted redirection targets, and strictly validating the target against this list before + performing the redirection.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+

Dynamic analysis:

+
+

+ Data is read from location.search and passed to xhr.send. +

+
    +
  • +

    The following value was injected into the source:

    +
    ?esux3absmq=esux3absmq%27%22`'"/esux3absmq/><esux3absmq/\>z0k5afa1h6&
    +
  • + +
  • +

    The previous value reached the sink:

    +
    {"access_token":"ed227e6e767e4584a5b3c10dc8b68c2a","data":{"environment":"development","level":"error","endpoint":"api.rollbar.com/api/1/item/","platform":"browser","framework":"browser-js","language":"javascript","server":{},"uuid":"8ea547f7-4ead-4638-bd75-97e9d3af07a9","notifier":{"name":"rollbar-browser-js","version":"2.26.2","configured_options":{"captureUncaught":true,"captureUnhandledRejections":true,"payload":{"environment":"development"}},"diagnostic":{"original_arg_types":["string","error","undefined"],"is_uncaught":true,"raw_error":{"message":"Request failed with status code 500","name":"Error","constructor_name":"Error","stack":"Error: Request failed with status code 500\n    at createError (https://instance.example.com/fe/js/cv-script.js:51368:15)\n    at settle (https://instance.example.com/fe/js/cv-script.js:51664:12)\n    at XMLHttpRequest.onloadend (https://instance.example.com/fe/js/cv-script.js:50688:7)"}}},"request":{"url":"https://instance.example.com/fe/m3/m-login?bih4qyzpvt=bih4qyzpvt%27%22`'\"/bih4qyzpvt/><bih4qyzpvt/\\>sbxdhx44wf&#bih4qyzpvt=bih4qyzpvt%27%22`'\"/bih4qyzpvt/><bih4qyzpvt/\\>sbxdhx44wf&","query_string":"?esux3absmq=esux3absmq%27%22`'\"/esux3absmq/><esux3absmq/\\>z0k5afa1h6&","user_ip":"$remote_ip"},"client":{"runtime_ms":497,"timestamp":1730843998,"javascript":{"browser":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36","language":"en-US","cookie_enabled":true,"screen":{"width":800,"height":600},"plugins":[]}},"body":{"trace":{"exception":{"class":"Error","message":"Request failed with status code 500","description":"Request failed with status code 
500"},"frames":[{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":50688,"method":"XMLHttpRequest.onloadend","colno":7},{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":51664,"method":"settle","colno":12},{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":51368,"method":"createError","colno":15}]},"telemetry":[{"level":"error","type":"error","timestamp_ms":1730843997119,"body":{"message":"Cannot read properties of null (reading 'once')","stack":"TypeError: Cannot read properties of null (reading 'once')\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\n    at https://instance.example.com/fe/js/cv-script.js:202367:10"},"source":"client","uuid":"a4231093-6d2e-4dbb-9f7f-7f0c97fde382"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:-------------------------"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:DOM XSS found"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Context: NaN.queryString"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Tag name: "},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Original url: https://instance.example.com/fe/m3/m-login"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Generated url: 
https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/><iepuap2p8w/\\>fwqsx8nplw&#iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/><iepuap2p8w/\\>fwqsx8nplw&"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:PoC:Unable to generate PoC"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source identified as: location.href"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source Stack trace:     at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)\n    at get href (<anonymous>:1:249544)\n    at Array.<anonymous> (https://instance.example.com/fe/js/cv-script.js:201791:42576)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)\n    at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)\n    at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)\n    at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)\n    at m.handleUncaughtException 
(https://instance.example.com/fe/js/cv-script.js:201791:18878)\n    at n (https://instance.example.com/fe/js/cv-script.js:201791:35409)\n    at i (https://instance.example.com/fe/js/cv-script.js:201791:35806)"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink identified as: xhr.send"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink Stack trace:     at Object.XMhUr (<anonymous>:1:544502)\n    at _0x13dcf0 (<anonymous>:1:558761)\n    at _0xdc6a5f.<computed>._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.<computed> (<anonymous>:1:458938)\n    at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)\n    at t.exports (https://instance.example.com/fe/js/cv-script.js:201791:39384)\n    at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)\n    at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)\n    at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)\n    at https://instance.example.com/fe/js/cv-script.js:201791:32574"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink value: {\"access_token\":\"ed227e6e767e4584a5b3c10dc8b68c2a\",\"data\":{\"environment\":\"development\",\"level\":\"error\",\"endpoint\":\"api.rollbar.com/api/1/item/\",\"platform\":\"browser\",\"framework\":\"browser-js\",\"language\":\"javascript\",\"server\":{},\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\",\"notifier\":{\"name\":\"rollbar-browser-js\",\"version\":\"2.26.2\",\"configured_options\":{\"captureUncaught\":true,\"captureUnhandledRejections\":true,\"payload\":{\"environment\":\"development\"}},\"diagnostic\":{\"original_arg_types\":[\"string\",\"error\",\"undefined\"],\"is_uncaught\":true,\"raw_error\":{\"message\":\"Cannot read 
properties of null (reading 'once')\",\"name\":\"TypeError\",\"constructor_name\":\"TypeError\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at https://instance.example.com/fe/js/cv-script.js:202367:10\"}}},\"request\":{\"url\":\"https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/><iepuap2p8w/\\\\>fwqsx8nplw&#iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/><iepuap2p8w/\\\\>fwqsx8nplw&\",\"query_string\":\"?kpiqhi5l29=kpiqhi5l29%27%22`'\\\"/kpiqhi5l29/><kpiqhi5l29/\\\\>ba6kcvqqrk&\",\"user_ip\":\"$remote_ip\"},\"client\":{\"runtime_ms\":53,\"timestamp\":1730843997,\"javascript\":{\"browser\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36\",\"language\":\"en-US\",\"cookie_enabled\":true,\"screen\":{\"width\":800,\"height\":600},\"plugins\":[]}},\"body\":{\"trace\":{\"exception\":{\"class\":\"TypeError\",\"message\":\"Cannot read properties of null (reading 'once')\",\"description\":\"Uncaught TypeError: Cannot read properties of null (reading 'once')\"},\"frames\":[{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202367,\"method\":\"[anonymous]\",\"colno\":10},{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202406,\"method\":\"InfoReceiver.doXhr\",\"colno\":11}]},\"telemetry\":[{\"level\":\"error\",\"type\":\"error\",\"timestamp_ms\":1730843997119,\"body\":{\"message\":\"Cannot read properties of null (reading 'once')\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at 
https://instance.example.com/fe/js/cv-script.js:202367:10\"},\"source\":\"client\",\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\"}]},\"context\":\"\"}}"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:-------------------------"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:-------------------------"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:DOM XSS found"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Context: NaN.queryString"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Tag name: "},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Original url: https://instance.example.com/fe/m3/m-login"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Generated url: https://instance.example.com/fe/m3/m-login?kpiqhi5l29=kpiqhi5l29%27%22`'\"/kpiqhi5l29/><kpiqhi5l29/\\>ba6kcvqqrk&"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:PoC:Unable to generate PoC"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source identified as: location.search"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source Stack trace:     at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)\n    at get search (<anonymous>:1:248279)\n    at Array.<anonymous> 
(https://instance.example.com/fe/js/cv-script.js:201791:42607)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)\n    at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)\n    at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)\n    at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)\n    at m.handleUncaughtException (https://instance.example.com/fe/js/cv-script.js:201791:18878)\n    at n (https://instance.example.com/fe/js/cv-script.js:201791:35409)\n    at i (https://instance.example.com/fe/js/cv-script.js:201791:35806)"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink identified as: xhr.send"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink Stack trace:     at Object.XMhUr (<anonymous>:1:544502)\n    at _0x13dcf0 (<anonymous>:1:558761)\n    at _0xdc6a5f.<computed>._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.<computed> (<anonymous>:1:458938)\n    at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)\n    at t.exports 
(https://instance.example.com/fe/js/cv-script.js:201791:39384)\n    at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)\n    at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)\n    at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)\n    at https://instance.example.com/fe/js/cv-script.js:201791:32574"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink value: {\"access_token\":\"ed227e6e767e4584a5b3c10dc8b68c2a\",\"data\":{\"environment\":\"development\",\"level\":\"error\",\"endpoint\":\"api.rollbar.com/api/1/item/\",\"platform\":\"browser\",\"framework\":\"browser-js\",\"language\":\"javascript\",\"server\":{},\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\",\"notifier\":{\"name\":\"rollbar-browser-js\",\"version\":\"2.26.2\",\"configured_options\":{\"captureUncaught\":true,\"captureUnhandledRejections\":true,\"payload\":{\"environment\":\"development\"}},\"diagnostic\":{\"original_arg_types\":[\"string\",\"error\",\"undefined\"],\"is_uncaught\":true,\"raw_error\":{\"message\":\"Cannot read properties of null (reading 'once')\",\"name\":\"TypeError\",\"constructor_name\":\"TypeError\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at https://instance.example.com/fe/js/cv-script.js:202367:10\"}}},\"request\":{\"url\":\"https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/><iepuap2p8w/\\\\>fwqsx8nplw&#iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/><iepuap2p8w/\\\\>fwqsx8nplw&\",\"query_string\":\"?kpiqhi5l29=kpiqhi5l29%27%22`'\\\"/kpiqhi5l29/><kpiqhi5l29/\\\\>ba6kcvqqrk&\",\"user_ip\":\"$remote_ip\"},\"client\":{\"runtime_ms\":53,\"timestamp\":1730843997,\"javascript\":{\"browser\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36\",\"language\":\"en-US\",\"cookie_enabled\":true,\"screen\":{\"width\":800,\"height\":600},\"plugins\":[]}},\"body\":{\"trace\":{\"exception\":{\"class\":\"TypeError\",\"message\":\"Cannot read properties of null (reading 'once')\",\"description\":\"Uncaught TypeError: Cannot read properties of null (reading 'once')\"},\"frames\":[{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202367,\"method\":\"[anonymous]\",\"colno\":10},{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202406,\"method\":\"InfoReceiver.doXhr\",\"colno\":11}]},\"telemetry\":[{\"level\":\"error\",\"type\":\"error\",\"timestamp_ms\":1730843997119,\"body\":{\"message\":\"Cannot read properties of null (reading 'once')\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at https://instance.example.com/fe/js/cv-script.js:202367:10\"},\"source\":\"client\",\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\"}]},\"context\":\"\"}}"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997220,"body":{"message":"--DynamicJavaScriptAnalysis from 
JS:-------------------------"},"source":"client"},{"level":"error","type":"network","timestamp_ms":1730843997410,"body":{"method":"GET","url":"https://localhost:8000/sockjs-node/info?t=1730843997179","status_code":0,"start_time_ms":1730843997180,"end_time_ms":1730843997410,"subtype":"xhr","response_content_type":null},"source":"client"},{"level":"error","type":"network","timestamp_ms":1730843997410,"body":{"method":"GET","url":"https://localhost:8000/sockjs-node/info?t=1730843997221","status_code":0,"start_time_ms":1730843997221,"end_time_ms":1730843997410,"subtype":"xhr","response_content_type":null},"source":"client"},{"level":"info","type":"network","timestamp_ms":1730843997482,"body":{"method":"POST","url":"https://api.rollbar.com:443/api/1/item/","status_code":200,"start_time_ms":1730843997213,"end_time_ms":1730843997482,"request_content_type":"application/json","subtype":"xhr","response_content_type":"application/json; charset=utf-8"},"source":"client"},{"level":"error","type":"error","timestamp_ms":1730843997563,"body":{"message":"Request failed with status code 500","stack":"Error: Request failed with status code 500\n    at createError (https://instance.example.com/fe/js/cv-script.js:51368:15)\n    at settle (https://instance.example.com/fe/js/cv-script.js:51664:12)\n    at XMLHttpRequest.onloadend (https://instance.example.com/fe/js/cv-script.js:50688:7)"},"source":"client","uuid":"8ea547f7-4ead-4638-bd75-97e9d3af07a9"}]},"context":""}}
    +
  • + +
  • +

    The stack trace at source was:

    +
    at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)
    +at get search (<anonymous>:1:248279)
    +at Array.<anonymous> (https://instance.example.com/fe/js/cv-script.js:201791:42607)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)
    +at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)
    +at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)
    +at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)
    +at m.handleUnhandledRejection (https://instance.example.com/fe/js/cv-script.js:201791:19920)
    +at n (https://instance.example.com/fe/js/cv-script.js:201791:36330)
    +
  • + +
  • +

    The stack trace at the sink was:

    +
    at Object.XMhUr (<anonymous>:1:544502)
    +at _0x13dcf0 (<anonymous>:1:558761)
    +at _0xdc6a5f.<computed>._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.<computed> (<anonymous>:1:458938)
    +at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)
    +at t.exports (https://instance.example.com/fe/js/cv-script.js:201791:39384)
    +at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)
    +at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)
    +at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)
    +at https://instance.example.com/fe/js/cv-script.js:201791:32574
    +
  • + +
+
+
+
+
+ +
+
+
+ +

TLS certificate

+ / + +

Issue detail:

+
+ The server presented a valid, trusted TLS certificate. This issue is purely + informational.

The server presented the following certificates:

+

Server certificate

+ + + + + + + + + + + + + + + + + +
Issued to:  *.sandbox.example.com
Issued by:  Amazon RSA 2048 M02
Valid from:  Wed Feb 28 00:00:00 UTC 2024
Valid to:  Sat Mar 29 23:59:59 UTC 2025
+

Certificate chain #1

+ + + + + + + + + + + + + + + + + +
Issued to:  Amazon RSA 2048 M02
Issued by:  Amazon Root CA 1
Valid from:  Tue Aug 23 22:25:30 UTC 2022
Valid to:  Fri Aug 23 22:25:30 UTC 2030
+

Certificate chain #2

+ + + + + + + + + + + + + + + + + +
Issued to:  Amazon Root CA 1
Issued by:  Starfield Services Root Certificate Authority - G2
Valid from:  Mon May 25 12:00:00 UTC 2015
Valid to:  Thu Dec 31 01:00:00 UTC 2037
+

Certificate chain #3

+ + + + + + + + + + + + + + + + + +
Issued to:  Starfield Services Root Certificate Authority - G2
Issued by:  Starfield Class 2 Certification Authority
Valid from:  Wed Sep 02 00:00:00 UTC 2009
Valid to:  Wed Jun 28 17:39:16 UTC 2034
+

Certificate chain #4

+ + + + + + + + + + + + + + + + + +
Issued to:  Starfield Class 2 Certification Authority
Issued by:  Starfield Class 2 Certification Authority
Valid from:  Tue Jun 29 17:39:16 UTC 2004
Valid to:  Thu Jun 29 17:39:16 UTC 2034
+
+ +

+ Issue background: +

+
+

TLS (or SSL) helps to protect the confidentiality and integrity of information in transit between + the browser and server, and to provide authentication of the server's identity. To serve this + purpose, the server must present an TLS certificate that is valid for the server's hostname, is + issued by a trusted authority and is valid for the current date. If any one of these + requirements is not met, TLS connections to the server will not provide the full protection for + which TLS is designed.

+

It should be noted that various attacks exist against TLS in general, and in the context of HTTPS + web connections in particular. It may be possible for a determined and suitably-positioned + attacker to compromise TLS connections without user detection even when a valid TLS certificate + is used.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+
+ +
+
+
+ +

Content security policy: allows untrusted script execution

+ /fe/m3/m-login + +

Issue detail:

+
+

The content security policy fails to prevent untrusted JavaScript from being executed. As a + result, it may fail to mitigate cross-site scripting attacks.

+

The policy has the following issues:

+

The policy allows global wildcard URLs which allows arbitrary scripts to be executed.

+

The policy allows data: URLs which allows arbitrary scripts to be executed.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ + +
+

+ Mitigate cross-site scripting by avoiding 'unsafe-inline', 'unsafe-eval', data: URLs, and global + wildcards in script directives. Use a secure, random + nonce of at least 8 characters 'nonce-RANDOM' to prevent untrusted JavaScript execution. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+
+ +

Content security policy: allows untrusted script execution

+ /m/v3/actions/action-log + +

Issue detail:

+
+

The content security policy fails to prevent untrusted JavaScript from being executed. As a + result, it may fail to mitigate cross-site scripting attacks.

+

The policy has the following issues:

+

The policy allows global wildcard URLs which allows arbitrary scripts to be executed.

+

The policy allows data: URLs which allows arbitrary scripts to be executed.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

+ Mitigate cross-site scripting by avoiding 'unsafe-inline', 'unsafe-eval', data: URLs, and global + wildcards in script directives. Use a secure, random + nonce of at least 8 characters 'nonce-RANDOM' to prevent untrusted JavaScript execution. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/action-log HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1789135595.1730843965; _ga_0CGDK6Q0X4=GS1.1.1730843965.1.0.1730843965.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 107 + + {"name":"ForgotPasswordButtonClicked","category":"mConsolefe","data":{"deviceType":"Desktop"}} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:26 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows untrusted script execution

+ /m/v3/actions/event-log + +

Issue detail:

+
+

The content security policy fails to prevent untrusted JavaScript from being executed. As a + result, it may fail to mitigate cross-site scripting attacks.

+

The policy has the following issues:

+

The policy allows global wildcard URLs which allows arbitrary scripts to be executed.

+

The policy allows data: URLs which allows arbitrary scripts to be executed.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

+ Mitigate cross-site scripting by avoiding 'unsafe-inline', 'unsafe-eval', data: URLs, and global + wildcards in script directives. Use a secure, random + nonce of at least 8 characters 'nonce-RANDOM' to prevent untrusted JavaScript execution. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/event-log HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1245037457.1730843989; _ga_0CGDK6Q0X4=GS1.1.1730843988.1.0.1730843990.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 279 + + {"name":"ForgotPasswordButtonClicked","category":"mConsoleEvents","timestamp":1730843990,"data":{"currentURL":"https://instance.example.com/fe/m3/m-login","previou +
Snip
+
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:50 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows untrusted script execution

+ /m/v3/actions/login-m-by-name + +

Issue detail:

+
+

The content security policy fails to prevent untrusted JavaScript from being executed. As a + result, it may fail to mitigate cross-site scripting attacks.

+

The policy has the following issues:

+

The policy allows global wildcard URLs which allows arbitrary scripts to be executed.

+

The policy allows data: URLs which allows arbitrary scripts to be executed.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

+ Mitigate cross-site scripting by avoiding 'unsafe-inline', 'unsafe-eval', data: URLs, and global + wildcards in script directives. Use a secure, random + nonce of at least 8 characters 'nonce-RANDOM' to prevent untrusted JavaScript execution. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/login-m-by-name HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Authorization: Bearer undefined + Cookie: _ga=GA1.1.2130470854.1730843985; _ga_0CGDK6Q0X4=GS1.1.1730843984.1.0.1730843986.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 33 + + {"mName":"","password":""}
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:46 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows untrusted script execution

+ /m/v3/actions/request-m-password-reset + +

Issue detail:

+
+

The content security policy fails to prevent untrusted JavaScript from being executed. As a + result, it may fail to mitigate cross-site scripting attacks.

+

The policy has the following issues:

+

The policy allows global wildcard URLs which allows arbitrary scripts to be executed.

+

The policy allows data: URLs which allows arbitrary scripts to be executed.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

+ Mitigate cross-site scripting by avoiding 'unsafe-inline', 'unsafe-eval', data: URLs, and global + wildcards in script directives. Use a secure, random + nonce of at least 8 characters 'nonce-RANDOM' to prevent untrusted JavaScript execution. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/request-m-password-reset HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1294211964.1730843974; _ga_0CGDK6Q0X4=GS1.1.1730843974.1.1.1730843975.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/request-reset-password + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 94 + + {"mName":"BoSUhm","mEmail":"BoSUhmuz@burpcollaborator.net","mPhone":null} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:36 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows untrusted script execution

+ /m/v3/translations + +

Issue detail:

+
+

The content security policy fails to prevent untrusted JavaScript from being executed. As a + result, it may fail to mitigate cross-site scripting attacks.

+

The policy has the following issues:

+

The policy allows global wildcard URLs which allows arbitrary scripts to be executed.

+

The policy allows data: URLs which allows arbitrary scripts to be executed.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

+ Mitigate cross-site scripting by avoiding 'unsafe-inline', 'unsafe-eval', data: URLs, and global + wildcards in script directives. Use a secure, random + nonce of at least 8 characters 'nonce-RANDOM' to prevent untrusted JavaScript execution. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /m/v3/translations?locale=en_US&category=m-fe HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1871968749.1730843978; _ga_0CGDK6Q0X4=GS1.1.1730843977.1.1.1730843978.0.0.0 + Referer: https://instance.example.com/fe/m3/m-login + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:39 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows untrusted script execution

+ /m/v3/translations/locales + +

Issue detail:

+
+

The content security policy fails to prevent untrusted JavaScript from being executed. As a + result, it may fail to mitigate cross-site scripting attacks.

+

The policy has the following issues:

+

The policy allows global wildcard URLs which allows arbitrary scripts to be executed.

+

The policy allows data: URLs which allows arbitrary scripts to be executed.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

+ Mitigate cross-site scripting by avoiding 'unsafe-inline', 'unsafe-eval', data: URLs, and global + wildcards in script directives. Use a secure, random + nonce of at least 8 characters 'nonce-RANDOM' to prevent untrusted JavaScript execution. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /m/v3/translations/locales?category=m-fe HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Referer: https://instance.example.com/fe/m3/m-login + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:24 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +
+
+
+ +

Content security policy: allows untrusted style execution

+ /fe/m3/m-login + +

Issue detail:

+
+

The content security policy fails to prevent untrusted style execution. As a result, it may fail + to mitigate style based data exfiltration.

+

The policy allows global wildcard URLs which allows arbitrary styles to be executed.

+

The policy allows data: URLs which allows arbitrary styles to be executed.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

+ Mitigate style-based data exfiltration by avoiding 'unsafe-inline', data: URLs, and global + wildcards in style directives. + Use a secure, random nonce of at least 8 characters 'nonce-RANDOM' in the relevant directive. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+
+ +

Content security policy: allows untrusted style execution

+ /m/v3/actions/action-log + +

Issue detail:

+
+

The content security policy fails to prevent untrusted style execution. As a result, it may fail + to mitigate style based data exfiltration.

+

The policy allows global wildcard URLs which allows arbitrary styles to be executed.

+

The policy allows data: URLs which allows arbitrary styles to be executed.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

+ Mitigate style-based data exfiltration by avoiding 'unsafe-inline', data: URLs, and global + wildcards in style directives. + Use a secure, random nonce of at least 8 characters 'nonce-RANDOM' in the relevant directive. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/action-log HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1789135595.1730843965; _ga_0CGDK6Q0X4=GS1.1.1730843965.1.0.1730843965.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 107 + + {"name":"ForgotPasswordButtonClicked","category":"mConsolefe","data":{"deviceType":"Desktop"}} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:26 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows untrusted style execution

+ /m/v3/actions/event-log + +

Issue detail:

+
+

The content security policy fails to prevent untrusted style execution. As a result, it may fail + to mitigate style based data exfiltration.

+

The policy allows global wildcard URLs which allows arbitrary styles to be executed.

+

The policy allows data: URLs which allows arbitrary styles to be executed.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

+ Mitigate style-based data exfiltration by avoiding 'unsafe-inline', data: URLs, and global + wildcards in style directives. + Use a secure, random nonce of at least 8 characters 'nonce-RANDOM' in the relevant directive. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/event-log HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1245037457.1730843989; _ga_0CGDK6Q0X4=GS1.1.1730843988.1.0.1730843990.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 279 + + {"name":"ForgotPasswordButtonClicked","category":"mConsoleEvents","timestamp":1730843990,"data":{"currentURL":"https://instance.example.com/fe/m3/m-login","previou +
Snip
+
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:50 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows untrusted style execution

+ /m/v3/actions/login-m-by-name + +

Issue detail:

+
+

The content security policy fails to prevent untrusted style execution. As a result, it may fail + to mitigate style based data exfiltration.

+

The policy allows global wildcard URLs which allows arbitrary styles to be executed.

+

The policy allows data: URLs which allows arbitrary styles to be executed.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

+ Mitigate style-based data exfiltration by avoiding 'unsafe-inline', data: URLs, and global + wildcards in style directives. + Use a secure, random nonce of at least 8 characters 'nonce-RANDOM' in the relevant directive. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/login-m-by-name HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Authorization: Bearer undefined + Cookie: _ga=GA1.1.2130470854.1730843985; _ga_0CGDK6Q0X4=GS1.1.1730843984.1.0.1730843986.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 33 + + {"mName":"","password":""}
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:46 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows untrusted style execution

+ /m/v3/actions/request-m-password-reset + +

Issue detail:

+
+

The content security policy fails to prevent untrusted style execution. As a result, it may fail + to mitigate style based data exfiltration.

+

The policy allows global wildcard URLs which allows arbitrary styles to be executed.

+

The policy allows data: URLs which allows arbitrary styles to be executed.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

+ Mitigate style-based data exfiltration by avoiding 'unsafe-inline', data: URLs, and global + wildcards in style directives. + Use a secure, random nonce of at least 8 characters 'nonce-RANDOM' in the relevant directive. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/request-m-password-reset HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1294211964.1730843974; _ga_0CGDK6Q0X4=GS1.1.1730843974.1.1.1730843975.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/request-reset-password + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 94 + + {"mName":"BoSUhm","mEmail":"BoSUhmuz@burpcollaborator.net","mPhone":null} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:36 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows untrusted style execution

+ /m/v3/translations + +

Issue detail:

+
+

The content security policy fails to prevent untrusted style execution. As a result, it may fail + to mitigate style based data exfiltration.

+

The policy allows global wildcard URLs which allows arbitrary styles to be executed.

+

The policy allows data: URLs which allows arbitrary styles to be executed.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

+ Mitigate style-based data exfiltration by avoiding 'unsafe-inline', data: URLs, and global + wildcards in style directives. + Use a secure, random nonce of at least 8 characters 'nonce-RANDOM' in the relevant directive. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /m/v3/translations?locale=en_US&category=m-fe HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1871968749.1730843978; _ga_0CGDK6Q0X4=GS1.1.1730843977.1.1.1730843978.0.0.0 + Referer: https://instance.example.com/fe/m3/m-login + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:39 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows untrusted style execution

+ /m/v3/translations/locales + +

Issue detail:

+
+

The content security policy fails to prevent untrusted style execution. As a result, it may fail + to mitigate style based data exfiltration.

+

The policy allows global wildcard URLs which allows arbitrary styles to be executed.

+

The policy allows data: URLs which allows arbitrary styles to be executed.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

+ Mitigate style-based data exfiltration by avoiding 'unsafe-inline', data: URLs, and global + wildcards in style directives. + Use a secure, random nonce of at least 8 characters 'nonce-RANDOM' in the relevant directive. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /m/v3/translations/locales?category=m-fe HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Referer: https://instance.example.com/fe/m3/m-login + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:24 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +
+
+
+ +

Content security policy: allows form hijacking

+ /fe/m3/m-login + +

Issue detail:

+
+

The content security policy doesn't prevent form hijacking, where attackers with HTML injection + hijack forms using action attributes. This can lead to credential theft by autofilling passwords + from a manager and sending them to an attacker's server upon form submission.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

We recommend using the form-action directive in the CSP response header to control form post + destinations. If no form actions are used, set form-action to 'none' to block + untrusted forms. For applications without external form URLs, use 'self' to allow only + same-origin URLs. If needed, allow list hosts for external URL form submissions, but + be aware this lets attackers submit to these external resources. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+
+ +

Content security policy: allows form hijacking

+ /m/v3/actions/action-log + +

Issue detail:

+
+

The content security policy doesn't prevent form hijacking, where attackers with HTML injection + hijack forms using action attributes. This can lead to credential theft by autofilling passwords + from a manager and sending them to an attacker's server upon form submission.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

We recommend using the form-action directive in the CSP response header to control form post + destinations. If no form actions are used, set form-action to 'none' to block + untrusted forms. For applications without external form URLs, use 'self' to allow only + same-origin URLs. If needed, allow list hosts for external URL form submissions, but + be aware this lets attackers submit to these external resources. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/action-log HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1789135595.1730843965; _ga_0CGDK6Q0X4=GS1.1.1730843965.1.0.1730843965.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 107 + + {"name":"ForgotPasswordButtonClicked","category":"mConsolefe","data":{"deviceType":"Desktop"}} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:26 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows form hijacking

+ /m/v3/actions/event-log + +

Issue detail:

+
+

The content security policy doesn't prevent form hijacking, where attackers with HTML injection + hijack forms using action attributes. This can lead to credential theft by autofilling passwords + from a manager and sending them to an attacker's server upon form submission.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

We recommend using the form-action directive in the CSP response header to control form post + destinations. If no form actions are used, set form-action to 'none' to block + untrusted forms. For applications without external form URLs, use 'self' to allow only + same-origin URLs. If needed, allow list hosts for external URL form submissions, but + be aware this lets attackers submit to these external resources. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/event-log HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.2130470854.1730843985; _ga_0CGDK6Q0X4=GS1.1.1730843984.1.0.1730843986.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 301 + + {"name":"mLoginAttempted","category":"mConsoleEvents","timestamp":1730843986,"data":{"currentURL":"https://instance.example.com/fe/m3/m-login","previousURL" +
Snip
+
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:46 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows form hijacking

+ /m/v3/actions/login-m-by-name + +

Issue detail:

+
+

The content security policy doesn't prevent form hijacking, where attackers with HTML injection + hijack forms using action attributes. This can lead to credential theft by autofilling passwords + from a manager and sending them to an attacker's server upon form submission.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

We recommend using the form-action directive in the CSP response header to control form post + destinations. If no form actions are used, set form-action to 'none' to block + untrusted forms. For applications without external form URLs, use 'self' to allow only + same-origin URLs. If needed, allow list hosts for external URL form submissions, but + be aware this lets attackers submit to these external resources. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/login-m-by-name HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Authorization: Bearer undefined + Cookie: _ga=GA1.1.2130470854.1730843985; _ga_0CGDK6Q0X4=GS1.1.1730843984.1.0.1730843986.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 33 + + {"mName":"","password":""}
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:46 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows form hijacking

+ /m/v3/actions/request-m-password-reset + +

Issue detail:

+
+

The content security policy doesn't prevent form hijacking, where attackers with HTML injection + hijack forms using action attributes. This can lead to credential theft by autofilling passwords + from a manager and sending them to an attacker's server upon form submission.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

We recommend using the form-action directive in the CSP response header to control form post + destinations. If no form actions are used, set form-action to 'none' to block + untrusted forms. For applications without external form URLs, use 'self' to allow only + same-origin URLs. If needed, allow list hosts for external URL form submissions, but + be aware this lets attackers submit to these external resources. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/request-m-password-reset HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1294211964.1730843974; _ga_0CGDK6Q0X4=GS1.1.1730843974.1.1.1730843975.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/request-reset-password + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 94 + + {"mName":"BoSUhm","mEmail":"BoSUhmuz@burpcollaborator.net","mPhone":null} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:36 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows form hijacking

+ /m/v3/translations + +

Issue detail:

+
+

The content security policy doesn't prevent form hijacking, where attackers with HTML injection + hijack forms using action attributes. This can lead to credential theft by autofilling passwords + from a manager and sending them to an attacker's server upon form submission.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

We recommend using the form-action directive in the CSP response header to control form post + destinations. If no form actions are used, set form-action to 'none' to block + untrusted forms. For applications without external form URLs, use 'self' to allow only + same-origin URLs. If needed, allow list hosts for external URL form submissions, but + be aware this lets attackers submit to these external resources. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /m/v3/translations?locale=en_US&category=m-fe HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1871968749.1730843978; _ga_0CGDK6Q0X4=GS1.1.1730843977.1.1.1730843978.0.0.0 + Referer: https://instance.example.com/fe/m3/m-login + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:39 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows form hijacking

+ /m/v3/translations/locales + +

Issue detail:

+
+

The content security policy doesn't prevent form hijacking, where attackers with HTML injection + hijack forms using action attributes. This can lead to credential theft by autofilling passwords + from a manager and sending them to an attacker's server upon form submission.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

We recommend using the form-action directive in the CSP response header to control form post + destinations. If no form actions are used, set form-action to 'none' to block + untrusted forms. For applications without external form URLs, use 'self' to allow only + same-origin URLs. If needed, allow list hosts for external URL form submissions, but + be aware this lets attackers submit to these external resources. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /m/v3/translations/locales?category=m-fe HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Referer: https://instance.example.com/fe/m3/m-login + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:24 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +
+
+
+ +

Cross-origin resource sharing

+ /m/v3/actions/action-log + +

Issue detail:

+
+ The application implements an HTML5 cross-origin resource sharing (CORS) policy for this + request.

The response uses a wildcard in the Access-Control-Allow-Origin header and also + specifies that credentials are allowed. Note that browsers do not allow this combination, and the + Access-Control-Allow-Credentials header will be ignored.

Since the Vary: Origin header was + not present in the response, reverse proxies and intermediate servers may cache it. This may enable + an attacker to carry out cache poisoning attacks. +
+ +

+ Issue background: +

+
+

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on + other domains can perform two-way interaction with the domain that publishes the policy. The + policy is fine-grained and can apply access controls per-request based on the URL and other + features of the request.

+

If another domain is allowed by the policy, then that domain can potentially attack users of the + application. If a user is logged in to the application, and visits a domain allowed by the + policy, then any malicious content running on that domain can potentially retrieve content from + the application, and sometimes carry out actions within the security context of the logged in + user.

+

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within + that domain could potentially be leveraged by an attacker to exploit the trust relationship and + attack the application that allows access. CORS policies on pages containing sensitive + information should be reviewed to determine whether it is appropriate for the application to + trust both the intentions and security posture of any domains granted access.

+
+ +

+ Issue remediation: +

+
+

Any inappropriate domains should be removed from the CORS policy.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/action-log HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.705270236.1730844023; _ga_0CGDK6Q0X4=GS1.1.1730844022.1.0.1730844028.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 118 + + {"name":"mLoginAttempt","category":"mConsolefe","data":{"deviceType":"Desktop","mName":""}} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 22:00:29 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Cross-origin resource sharing

+ /m/v3/actions/event-log + +

Issue detail:

+
+ The application implements an HTML5 cross-origin resource sharing (CORS) policy for this + request.

The response uses a wildcard in the Access-Control-Allow-Origin header and also + specifies that credentials are allowed. Note that browsers do not allow this combination, and the + Access-Control-Allow-Credentials header will be ignored.

Since the Vary: Origin header was + not present in the response, reverse proxies and intermediate servers may cache it. This may enable + an attacker to carry out cache poisoning attacks. +
+ +

+ Issue background: +

+
+

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on + other domains can perform two-way interaction with the domain that publishes the policy. The + policy is fine-grained and can apply access controls per-request based on the URL and other + features of the request.

+

If another domain is allowed by the policy, then that domain can potentially attack users of the + application. If a user is logged in to the application, and visits a domain allowed by the + policy, then any malicious content running on that domain can potentially retrieve content from + the application, and sometimes carry out actions within the security context of the logged in + user.

+

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within + that domain could potentially be leveraged by an attacker to exploit the trust relationship and + attack the application that allows access. CORS policies on pages containing sensitive + information should be reviewed to determine whether it is appropriate for the application to + trust both the intentions and security posture of any domains granted access.

+
+ +

+ Issue remediation: +

+
+

Any inappropriate domains should be removed from the CORS policy.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/event-log HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.567957676.1730844025; _ga_0CGDK6Q0X4=GS1.1.1730844024.1.0.1730844029.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 279 + + {"name":"ForgotPasswordButtonClicked","category":"mConsoleEvents","timestamp":1730844029,"data":{"currentURL":"https://instance.example.com/fe/m3/m-login","previou +
Snip
+
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 22:00:30 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Cross-origin resource sharing

+ /m/v3/actions/login-m-by-name + +

Issue detail:

+
+ The application implements an HTML5 cross-origin resource sharing (CORS) policy for this + request.

The response uses a wildcard in the Access-Control-Allow-Origin header and also + specifies that credentials are allowed. Note that browsers do not allow this combination, and the + Access-Control-Allow-Credentials header will be ignored.

Since the Vary: Origin header was + not present in the response, reverse proxies and intermediate servers may cache it. This may enable + an attacker to carry out cache poisoning attacks. +
+ +

+ Issue background: +

+
+

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on + other domains can perform two-way interaction with the domain that publishes the policy. The + policy is fine-grained and can apply access controls per-request based on the URL and other + features of the request.

+

If another domain is allowed by the policy, then that domain can potentially attack users of the + application. If a user is logged in to the application, and visits a domain allowed by the + policy, then any malicious content running on that domain can potentially retrieve content from + the application, and sometimes carry out actions within the security context of the logged in + user.

+

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within + that domain could potentially be leveraged by an attacker to exploit the trust relationship and + attack the application that allows access. CORS policies on pages containing sensitive + information should be reviewed to determine whether it is appropriate for the application to + trust both the intentions and security posture of any domains granted access.

+
+ +

+ Issue remediation: +

+
+

Any inappropriate domains should be removed from the CORS policy.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/login-m-by-name HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Authorization: Bearer undefined + Cookie: _ga=GA1.1.766182157.1730844017; _ga_0CGDK6Q0X4=GS1.1.1730844017.1.0.1730844022.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 33 + + {"mName":"","password":""} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 22:00:23 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Cross-origin resource sharing

+ /m/v3/actions/request-m-password-reset + +

Issue detail:

+
+ The application implements an HTML5 cross-origin resource sharing (CORS) policy for this + request.

The response uses a wildcard in the Access-Control-Allow-Origin header and also + specifies that credentials are allowed. Note that browsers do not allow this combination, and the + Access-Control-Allow-Credentials header will be ignored.

Since the Vary: Origin header was + not present in the response, reverse proxies and intermediate servers may cache it. This may enable + an attacker to carry out cache poisoning attacks. +
+ +

+ Issue background: +

+
+

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on + other domains can perform two-way interaction with the domain that publishes the policy. The + policy is fine-grained and can apply access controls per-request based on the URL and other + features of the request.

+

If another domain is allowed by the policy, then that domain can potentially attack users of the + application. If a user is logged in to the application, and visits a domain allowed by the + policy, then any malicious content running on that domain can potentially retrieve content from + the application, and sometimes carry out actions within the security context of the logged in + user.

+

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within + that domain could potentially be leveraged by an attacker to exploit the trust relationship and + attack the application that allows access. CORS policies on pages containing sensitive + information should be reviewed to determine whether it is appropriate for the application to + trust both the intentions and security posture of any domains granted access.

+
+ +

+ Issue remediation: +

+
+

Any inappropriate domains should be removed from the CORS policy.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/request-m-password-reset HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.496830287.1730844017; _ga_0CGDK6Q0X4=GS1.1.1730844017.1.1.1730844022.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/request-reset-password + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 94 + + {"mName":"BoSUhm","mEmail":"BoSUhmuz@burpcollaborator.net","mPhone":null} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 22:00:23 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Cross-origin resource sharing

+ /m/v3/translations + +

Issue detail:

+
+ The application implements an HTML5 cross-origin resource sharing (CORS) policy for this + request.

The response uses a wildcard in the Access-Control-Allow-Origin header and also + specifies that credentials are allowed. Note that browsers do not allow this combination, and the + Access-Control-Allow-Credentials header will be ignored.

Since the Vary: Origin header was + not present in the response, reverse proxies and intermediate servers may cache it. This may enable + an attacker to carry out cache poisoning attacks. +
+ +

+ Issue background: +

+
+

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on + other domains can perform two-way interaction with the domain that publishes the policy. The + policy is fine-grained and can apply access controls per-request based on the URL and other + features of the request.

+

If another domain is allowed by the policy, then that domain can potentially attack users of the + application. If a user is logged in to the application, and visits a domain allowed by the + policy, then any malicious content running on that domain can potentially retrieve content from + the application, and sometimes carry out actions within the security context of the logged in + user.

+

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within + that domain could potentially be leveraged by an attacker to exploit the trust relationship and + attack the application that allows access. CORS policies on pages containing sensitive + information should be reviewed to determine whether it is appropriate for the application to + trust both the intentions and security posture of any domains granted access.

+
+ +

+ Issue remediation: +

+
+

Any inappropriate domains should be removed from the CORS policy.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /m/v3/translations?locale=en_US&category=m-fe HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.2145941182.1730844052; _ga_0CGDK6Q0X4=GS1.1.1730844051.1.1.1730844054.0.0.0 + Referer: https://instance.example.com/fe/m3/m-login + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Origin: https://instance.example.com + +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 22:04:36 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Cross-origin resource sharing

+ /m/v3/translations/locales + +

Issue detail:

+
+ The application implements an HTML5 cross-origin resource sharing (CORS) policy for this + request.

The response uses a wildcard in the Access-Control-Allow-Origin header and also + specifies that credentials are allowed. Note that browsers do not allow this combination, and the + Access-Control-Allow-Credentials header will be ignored.

Since the Vary: Origin header was + not present in the response, reverse proxies and intermediate servers may cache it. This may enable + an attacker to carry out cache poisoning attacks. +
+ +

+ Issue background: +

+
+

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on + other domains can perform two-way interaction with the domain that publishes the policy. The + policy is fine-grained and can apply access controls per-request based on the URL and other + features of the request.

+

If another domain is allowed by the policy, then that domain can potentially attack users of the + application. If a user is logged in to the application, and visits a domain allowed by the + policy, then any malicious content running on that domain can potentially retrieve content from + the application, and sometimes carry out actions within the security context of the logged in + user.

+

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within + that domain could potentially be leveraged by an attacker to exploit the trust relationship and + attack the application that allows access. CORS policies on pages containing sensitive + information should be reviewed to determine whether it is appropriate for the application to + trust both the intentions and security posture of any domains granted access.

+
+ +

+ Issue remediation: +

+
+

Any inappropriate domains should be removed from the CORS policy.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /m/v3/translations/locales?category=m-fe HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Referer: https://instance.example.com/fe/m3/m-login + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Origin: https://instance.example.com + +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 22:09:09 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +
+
+
+ +

Cross-origin resource sharing: arbitrary origin trusted

+ /m/v3/actions/action-log + +

Issue detail:

+
+ The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request + that allows access from any domain.

The application allowed access from the requested origin + https://aazpkgamubbk.com

The response uses a wildcard in the + Access-Control-Allow-Origin header and also specifies that credentials are allowed. Note that + browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be + ignored.

Since the Vary: Origin header was not present in the response, reverse proxies and + intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks. +
+ +

+ Issue background: +

+
+

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on + other domains can perform two-way interaction with the domain that publishes the policy. The + policy is fine-grained and can apply access controls per-request based on the URL and other + features of the request.

+

+ Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way + interaction by third-party web sites. Unless the response consists only of unprotected public + content, this policy is likely to present a security risk.

+

If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be + able to carry out privileged actions and retrieve sensitive information. Even if it does not, + attackers may be able to bypass any IP-based access controls by proxying through users' + browsers.

+
+ +

+ Issue remediation: +

+
+

Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of + trusted domains.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/action-log HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.705270236.1730844023; _ga_0CGDK6Q0X4=GS1.1.1730844022.1.0.1730844028.0.0.0 + Origin: https://aazpkgamubbk.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 118 + + {"name":"mLoginAttempt","category":"mConsolefe","data":{"deviceType":"Desktop","mName":""}} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 22:08:15 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Cross-origin resource sharing: arbitrary origin trusted

+ /m/v3/actions/event-log + +

Issue detail:

+
+ The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request + that allows access from any domain.

The application allowed access from the requested origin + https://nyc.com

The response uses a wildcard in the + Access-Control-Allow-Origin header and also specifies that credentials are allowed. Note that + browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be + ignored.

Since the Vary: Origin header was not present in the response, reverse proxies and + intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks. +
+ +

+ Issue background: +

+
+

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on + other domains can perform two-way interaction with the domain that publishes the policy. The + policy is fine-grained and can apply access controls per-request based on the URL and other + features of the request.

+

+ Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way + interaction by third-party web sites. Unless the response consists only of unprotected public + content, this policy is likely to present a security risk.

+

If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be + able to carry out privileged actions and retrieve sensitive information. Even if it does not, + attackers may be able to bypass any IP-based access controls by proxying through users' + browsers.

+
+ +

+ Issue remediation: +

+
+

Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of + trusted domains.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/event-log HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.567957676.1730844025; _ga_0CGDK6Q0X4=GS1.1.1730844024.1.0.1730844029.0.0.0 + Origin: https://nyc.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 279 + + {"name":"ForgotPasswordButtonClicked","category":"mConsoleEvents","timestamp":1730844029,"data":{"currentURL":"https://instance.example.com/fe/m3/m-login","previou +
Snip
+
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 22:08:55 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Cross-origin resource sharing: arbitrary origin trusted

+ /m/v3/actions/login-m-by-name + +

Issue detail:

+
+ The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request + that allows access from any domain.

The application allowed access from the requested origin + https://zwa.com

The response uses a wildcard in the + Access-Control-Allow-Origin header and also specifies that credentials are allowed. Note that + browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be + ignored.

Since the Vary: Origin header was not present in the response, reverse proxies and + intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks. +
+ +

+ Issue background: +

+
+

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on + other domains can perform two-way interaction with the domain that publishes the policy. The + policy is fine-grained and can apply access controls per-request based on the URL and other + features of the request.

+

+ Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way + interaction by third-party web sites. Unless the response consists only of unprotected public + content, this policy is likely to present a security risk.

+

If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be + able to carry out privileged actions and retrieve sensitive information. Even if it does not, + attackers may be able to bypass any IP-based access controls by proxying through users' + browsers.

+
+ +

+ Issue remediation: +

+
+

Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of + trusted domains.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/login-m-by-name HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Authorization: Bearer undefined + Cookie: _ga=GA1.1.766182157.1730844017; _ga_0CGDK6Q0X4=GS1.1.1730844017.1.0.1730844022.0.0.0 + Origin: https://zwa.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 33 + + {"mName":"","password":""} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 22:08:00 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Cross-origin resource sharing: arbitrary origin trusted

+ /m/v3/actions/request-m-password-reset + +

Issue detail:

+
+ The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request + that allows access from any domain.

The application allowed access from the requested origin + https://wsparhyjqvka.com

The response uses a wildcard in the + Access-Control-Allow-Origin header and also specifies that credentials are allowed. Note that + browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be + ignored.

Since the Vary: Origin header was not present in the response, reverse proxies and + intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks. +
+ +

+ Issue background: +

+
+

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on + other domains can perform two-way interaction with the domain that publishes the policy. The + policy is fine-grained and can apply access controls per-request based on the URL and other + features of the request.

+

+ Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way + interaction by third-party web sites. Unless the response consists only of unprotected public + content, this policy is likely to present a security risk.

+

If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be + able to carry out privileged actions and retrieve sensitive information. Even if it does not, + attackers may be able to bypass any IP-based access controls by proxying through users' + browsers.

+
+ +

+ Issue remediation: +

+
+

Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of + trusted domains.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/request-m-password-reset HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.496830287.1730844017; _ga_0CGDK6Q0X4=GS1.1.1730844017.1.1.1730844022.0.0.0 + Origin: https://wsparhyjqvka.com + Referer: https://instance.example.com/fe/m3/request-reset-password + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 94 + + {"mName":"BoSUhm","mEmail":"BoSUhmuz@burpcollaborator.net","mPhone":null} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 22:08:21 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Cross-origin resource sharing: arbitrary origin trusted

+ /m/v3/translations + +

Issue detail:

+
+ The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request + that allows access from any domain.

The application allowed access from the requested origin + https://tjelewarvblp.com

The response uses a wildcard in the + Access-Control-Allow-Origin header and also specifies that credentials are allowed. Note that + browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be + ignored.

Since the Vary: Origin header was not present in the response, reverse proxies and + intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks. +
+ +

+ Issue background: +

+
+

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on + other domains can perform two-way interaction with the domain that publishes the policy. The + policy is fine-grained and can apply access controls per-request based on the URL and other + features of the request.

+

+ Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way + interaction by third-party web sites. Unless the response consists only of unprotected public + content, this policy is likely to present a security risk.

+

If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be + able to carry out privileged actions and retrieve sensitive information. Even if it does not, + attackers may be able to bypass any IP-based access controls by proxying through users' + browsers.

+
+ +

+ Issue remediation: +

+
+

Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of + trusted domains.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /m/v3/translations?locale=en_US&category=m-fe HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.2145941182.1730844052; _ga_0CGDK6Q0X4=GS1.1.1730844051.1.1.1730844054.0.0.0 + Referer: https://instance.example.com/fe/m3/m-login + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Origin: https://tjelewarvblp.com + +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 22:04:37 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Cross-origin resource sharing: arbitrary origin trusted

+ /m/v3/translations/locales + +

Issue detail:

+
+ The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request + that allows access from any domain.

The application allowed access from the requested origin + https://pduoenagjukk.com

The response uses a wildcard in the + Access-Control-Allow-Origin header and also specifies that credentials are allowed. Note that + browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be + ignored.

Since the Vary: Origin header was not present in the response, reverse proxies and + intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks. +
+ +

+ Issue background: +

+
+

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on + other domains can perform two-way interaction with the domain that publishes the policy. The + policy is fine-grained and can apply access controls per-request based on the URL and other + features of the request.

+

+ Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way + interaction by third-party web sites. Unless the response consists only of unprotected public + content, this policy is likely to present a security risk.

+

If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be + able to carry out privileged actions and retrieve sensitive information. Even if it does not, + attackers may be able to bypass any IP-based access controls by proxying through users' + browsers.

+
+ +

+ Issue remediation: +

+
+

Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of + trusted domains.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /m/v3/translations/locales?category=m-fe HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Referer: https://instance.example.com/fe/m3/m-login + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Origin: https://pduoenagjukk.com + +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 22:09:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +
+
+
+ +

Robots.txt file

+ /robots.txt + +

Issue detail:

+
+ The web server contains a robots.txt file. +
+ +

+ Issue background: +

+
+

The file robots.txt is used to give instructions to web robots, such as search engine crawlers, + about locations within the web site that robots are allowed, or not allowed, to crawl and index. +

+

The presence of the robots.txt does not in itself present any kind of security vulnerability. + However, it is often used to identify restricted or private areas of a site's contents. The + information in the file may therefore help an attacker to map out the site's contents, + especially if some of the locations identified are not linked from elsewhere in the site. If the + application relies on robots.txt to protect access to these areas, and does not enforce proper + access control over them, then this presents a serious vulnerability.

+
+ +

+ Issue remediation: +

+
+

The robots.txt file is not itself a security threat, and its correct use can represent good + practice for non-security reasons. You should not assume that all web robots will honor the + file's instructions. Rather, assume that attackers will pay close attention to any locations + identified in the file. Do not rely on robots.txt to provide any kind of protection over + unauthorized access.

+
+ +

Vulnerability classifications

+ + +
+

Request:

+
GET /robots.txt HTTP/1.1 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + +
+
+
+

Response:

+
HTTP/1.1 200 OK + Date: Tue, 05 Nov 2024 21:59:51 GMT + Content-Type: text/plain + Content-Length: 195 + Connection: close + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Last-Modified: Tue, 15 Oct 2024 15:56:17 GMT + ETag: "c3-62485fe5f1553-gzip" + Accept-Ranges: bytes + Vary: Accept-Encoding + + User-agent: * + Disallow: /app + Disallow: /apidocs/example-app-install.pdf + Disallow: /dashboard/ + Disallow: /m2/ + Disallow: /m/ + Disallow: /js/ + Disallow: /modules/api/fetch-dictionary.php +
+
+
+
+ +
+
+
+ +

Cacheable HTTPS response

+ /fe/m3/m-login + +

+ Issue description: +

+
+

Unless directed otherwise, browsers may store a local cached copy of content received from web + servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS. If + sensitive information in application responses is stored in the local cache, then this may be + retrieved by other users who have access to the same computer at a future time.

+
+ +

+ Issue remediation: +

+
+

Applications should return caching directives instructing browsers not to store local copies of + any sensitive data. Often, this can be achieved by configuring the web server to prevent caching + for relevant paths within the web root. Alternatively, most web development platforms allow you + to control the server's caching directives from within individual scripts. Ideally, the web + server should return the following HTTP headers in all responses containing sensitive content: +

+
    +
  • Cache-control: no-store
  • +
  • Pragma: no-cache
  • +
+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+
+ +
+
+
+ +

DOM data manipulation (DOM-based)

+ /fe/m3/m-login + +

Issue detail:

+
+ The application may be vulnerable to DOM-based DOM data manipulation. Data is read from + location.pathname and passed to history.replaceState. +
+ +

+ Issue background: +

+
+

DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of + the DOM (for example, the URL) and processes this data in an unsafe way.

+

DOM data manipulation arises when a script writes controllable data to a field within the DOM + that is used within the visible UI or client-side application logic. An attacker may be able to + use the vulnerability to construct a URL that, if visited by another application user, will + modify the appearance or behavior of the client-side UI. An attacker may be able to leverage + this to perform virtual defacement of the application, or possibly to induce the user to perform + unintended actions.

+ +

Burp Suite automatically identifies this issue using dynamic and static code analysis. Static + analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not + provided any evidence resulting from dynamic analysis, you should review the relevant code and + execution paths to determine whether this vulnerability is indeed present, or whether + mitigations are in place that would prevent exploitation.

+
+ +

+ Issue remediation: +

+
+

The most effective way to avoid DOM-based DOM data manipulation vulnerabilities is not to + dynamically write to DOM data fields any data that originated from any untrusted source. If the + desired functionality of the application means that this behavior is unavoidable, then defenses + must be implemented within the client-side code to prevent malicious data from being stored. In + general, this is best achieved by using a whitelist of permitted values.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+

Dynamic analysis:

+
+

+ Data is read from location.pathname and passed to history.replaceState. +

+
    +
  • +

    The following value was injected into the source:

    +
    ///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&
    +
  • + +
  • +

    The previous value reached the sink:

    +
    https://instance.example.com/fe///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/><g49p4yw5cy/\>zgrotg0z2s&#hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/><hj8js9yzmu/\>ea3izlhk1m&
    +
  • + +
  • +

    The stack trace at source was:

    +
    at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)
    +at get pathname (<anonymous>:1:249642)
    +at createCurrentLocation (https://instance.example.com/fe/js/cv-script.js:218038:13)
    +at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218149:16)
    +at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
    +at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at 1 (https://instance.example.com/fe/js/app.js:172609:18)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
    +at https://instance.example.com/fe/js/app.js:994:18
    +
  • + +
  • +

    The stack trace at the sink was:

    +
    at Object.dXSzc (<anonymous>:1:107608)
    +at Object.skeuk (<anonymous>:1:548616)
    +at History.replaceState (<anonymous>:1:548864)
    +at changeLocation (https://instance.example.com/fe/js/cv-script.js:218185:60)
    +at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218154:9)
    +at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
    +at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at 1 (https://instance.example.com/fe/js/app.js:172609:18)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
    +
  • + +
+
+
+
+
+ +

DOM data manipulation (DOM-based)

+ /fe/m3/m-login + +

Issue detail:

+
+ The application may be vulnerable to DOM-based DOM data manipulation. Data is read from + location.search and passed to history.replaceState. +
+ +

+ Issue background: +

+
+

DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of + the DOM (for example, the URL) and processes this data in an unsafe way.

+

DOM data manipulation arises when a script writes controllable data to a field within the DOM + that is used within the visible UI or client-side application logic. An attacker may be able to + use the vulnerability to construct a URL that, if visited by another application user, will + modify the appearance or behavior of the client-side UI. An attacker may be able to leverage + this to perform virtual defacement of the application, or possibly to induce the user to perform + unintended actions.

+ +

Burp Suite automatically identifies this issue using dynamic and static code analysis. Static + analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not + provided any evidence resulting from dynamic analysis, you should review the relevant code and + execution paths to determine whether this vulnerability is indeed present, or whether + mitigations are in place that would prevent exploitation.

+
+ +

+ Issue remediation: +

+
+

The most effective way to avoid DOM-based DOM data manipulation vulnerabilities is not to + dynamically write to DOM data fields any data that originated from any untrusted source. If the + desired functionality of the application means that this behavior is unavoidable, then defenses + must be implemented within the client-side code to prevent malicious data from being stored. In + general, this is best achieved by using a whitelist of permitted values.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+

Dynamic analysis:

+
+

+ Data is read from location.search and passed to history.replaceState. +

+
    +
  • +

    The following value was injected into the source:

    +
    ?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/><g49p4yw5cy/\>zgrotg0z2s&
    +
  • + +
  • +

    The previous value reached the sink:

    +
    https://instance.example.com/fe///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/><g49p4yw5cy/\>zgrotg0z2s&#hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/><hj8js9yzmu/\>ea3izlhk1m&
    +
  • + +
  • +

    The stack trace at source was:

    +
    at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)
    +at get search (<anonymous>:1:248279)
    +at createCurrentLocation (https://instance.example.com/fe/js/cv-script.js:218038:23)
    +at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218149:16)
    +at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
    +at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at 1 (https://instance.example.com/fe/js/app.js:172609:18)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
    +at https://instance.example.com/fe/js/app.js:994:18
    +
  • + +
  • +

    The stack trace at the sink was:

    +
    at Object.dXSzc (<anonymous>:1:107608)
    +at Object.skeuk (<anonymous>:1:548616)
    +at History.replaceState (<anonymous>:1:548864)
    +at changeLocation (https://instance.example.com/fe/js/cv-script.js:218185:60)
    +at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218154:9)
    +at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
    +at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at 1 (https://instance.example.com/fe/js/app.js:172609:18)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
    +
  • + +
+
+
+
+
+ +

DOM data manipulation (DOM-based)

+ /fe/m3/m-login + +

Issue detail:

+
The application may be vulnerable to DOM-based DOM data manipulation. Data is read from location.hash and passed to history.replaceState. The stack traces below show both the read and the write occurring inside the client-side router's history initialization (createCurrentLocation → useHistoryStateNavigation → createWebHistory in cv-script.js), so during triage confirm that the rewritten URL is subsequently used in the visible UI or client-side logic rather than only stored as history state.
+ +

+ Issue background: +

+
+

DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of + the DOM (for example, the URL) and processes this data in an unsafe way.

+

DOM data manipulation arises when a script writes controllable data to a field within the DOM + that is used within the visible UI or client-side application logic. An attacker may be able to + use the vulnerability to construct a URL that, if visited by another application user, will + modify the appearance or behavior of the client-side UI. An attacker may be able to leverage + this to perform virtual defacement of the application, or possibly to induce the user to perform + unintended actions.

+ +

Burp Suite automatically identifies this issue using dynamic and static code analysis. Static + analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not + provided any evidence resulting from dynamic analysis, you should review the relevant code and + execution paths to determine whether this vulnerability is indeed present, or whether + mitigations are in place that would prevent exploitation.

+
+ +

+ Issue remediation: +

+
+

The most effective way to avoid DOM-based DOM data manipulation vulnerabilities is not to dynamically write to DOM data fields any data that originated from any untrusted source. If the desired functionality of the application means that this behavior is unavoidable, then defenses must be implemented within the client-side code to prevent malicious data from being stored. In general, this is best achieved by using an allowlist of permitted values.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+

Dynamic analysis:

+
+

+ Data is read from location.hash and passed to history.replaceState. +

+
    +
  • +

    The following value was injected into the source:

    +
    #hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/><hj8js9yzmu/\>ea3izlhk1m&
    +
  • + +
  • +

    The previous value reached the sink:

    +
    https://instance.example.com/fe///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/><g49p4yw5cy/\>zgrotg0z2s&#hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/><hj8js9yzmu/\>ea3izlhk1m&
    +
  • + +
  • +

    The stack trace at source was:

    +
    at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)
    +at get hash (<anonymous>:1:249429)
    +at createCurrentLocation (https://instance.example.com/fe/js/cv-script.js:218038:31)
    +at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218149:16)
    +at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
    +at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at 1 (https://instance.example.com/fe/js/app.js:172609:18)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
    +at https://instance.example.com/fe/js/app.js:994:18
    +
  • + +
  • +

    The stack trace at the sink was:

    +
    at Object.dXSzc (<anonymous>:1:107608)
    +at Object.skeuk (<anonymous>:1:548616)
    +at History.replaceState (<anonymous>:1:548864)
    +at changeLocation (https://instance.example.com/fe/js/cv-script.js:218185:60)
    +at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218154:9)
    +at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
    +at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at 1 (https://instance.example.com/fe/js/app.js:172609:18)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
    +
  • + +
+
+
+
+
+ +

DOM data manipulation (DOM-based)

+ /fe/m3/m-login + +

Issue detail:

+
The application may be vulnerable to DOM-based DOM data manipulation. Data is read from location.pathname and passed to history.replaceState. The stack traces below show the read occurring in the client-side router's history initialization (createCurrentLocation → useHistoryStateNavigation → createWebHistory in cv-script.js) and the write in its finalizeNavigation → replace path, so during triage confirm that the rewritten URL is subsequently used in the visible UI or client-side logic rather than only stored as history state.
+ +

+ Issue background: +

+
+

DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of + the DOM (for example, the URL) and processes this data in an unsafe way.

+

DOM data manipulation arises when a script writes controllable data to a field within the DOM + that is used within the visible UI or client-side application logic. An attacker may be able to + use the vulnerability to construct a URL that, if visited by another application user, will + modify the appearance or behavior of the client-side UI. An attacker may be able to leverage + this to perform virtual defacement of the application, or possibly to induce the user to perform + unintended actions.

+ +

Burp Suite automatically identifies this issue using dynamic and static code analysis. Static + analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not + provided any evidence resulting from dynamic analysis, you should review the relevant code and + execution paths to determine whether this vulnerability is indeed present, or whether + mitigations are in place that would prevent exploitation.

+
+ +

+ Issue remediation: +

+
+

The most effective way to avoid DOM-based DOM data manipulation vulnerabilities is not to dynamically write to DOM data fields any data that originated from any untrusted source. If the desired functionality of the application means that this behavior is unavoidable, then defenses must be implemented within the client-side code to prevent malicious data from being stored. In general, this is best achieved by using an allowlist of permitted values.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+

Dynamic analysis:

+
+

+ Data is read from location.pathname and passed to history.replaceState. +

+
    +
  • +

    The following value was injected into the source:

    +
    ///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&
    +
  • + +
  • +

    The previous value reached the sink:

    +
    https://instance.example.com/fe///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/><g49p4yw5cy/\>zgrotg0z2s&#hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/><hj8js9yzmu/\>ea3izlhk1m&
    +
  • + +
  • +

    The stack trace at source was:

    +
    at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)
    +at get pathname (<anonymous>:1:249642)
    +at createCurrentLocation (https://instance.example.com/fe/js/cv-script.js:218038:13)
    +at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218149:16)
    +at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
    +at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at 1 (https://instance.example.com/fe/js/app.js:172609:18)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
    +at https://instance.example.com/fe/js/app.js:994:18
    +
  • + +
  • +

    The stack trace at the sink was:

    +
    at Object.dXSzc (<anonymous>:1:107608)
    +at Object.skeuk (<anonymous>:1:548616)
    +at History.replaceState (<anonymous>:1:548864)
    +at changeLocation (https://instance.example.com/fe/js/cv-script.js:218185:60)
    +at Object.replace (https://instance.example.com/fe/js/cv-script.js:218201:9)
    +at finalizeNavigation (https://instance.example.com/fe/js/cv-script.js:220844:31)
    +at https://instance.example.com/fe/js/cv-script.js:220724:27
    +
  • + +
  • +

    This was triggered by a loadend event.

    +
  • + +
+
+
+
+
+ +

DOM data manipulation (DOM-based)

+ /fe/m3/m-login + +

Issue detail:

+
The application may be vulnerable to DOM-based DOM data manipulation. Data is read from location.search and passed to history.replaceState. The stack traces below show the read occurring in the client-side router's history initialization (createCurrentLocation → useHistoryStateNavigation → createWebHistory in cv-script.js) and the write in its finalizeNavigation → replace path, so during triage confirm that the rewritten URL is subsequently used in the visible UI or client-side logic rather than only stored as history state.
+ +

+ Issue background: +

+
+

DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of + the DOM (for example, the URL) and processes this data in an unsafe way.

+

DOM data manipulation arises when a script writes controllable data to a field within the DOM + that is used within the visible UI or client-side application logic. An attacker may be able to + use the vulnerability to construct a URL that, if visited by another application user, will + modify the appearance or behavior of the client-side UI. An attacker may be able to leverage + this to perform virtual defacement of the application, or possibly to induce the user to perform + unintended actions.

+ +

Burp Suite automatically identifies this issue using dynamic and static code analysis. Static + analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not + provided any evidence resulting from dynamic analysis, you should review the relevant code and + execution paths to determine whether this vulnerability is indeed present, or whether + mitigations are in place that would prevent exploitation.

+
+ +

+ Issue remediation: +

+
+

The most effective way to avoid DOM-based DOM data manipulation vulnerabilities is not to dynamically write to DOM data fields any data that originated from any untrusted source. If the desired functionality of the application means that this behavior is unavoidable, then defenses must be implemented within the client-side code to prevent malicious data from being stored. In general, this is best achieved by using an allowlist of permitted values.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+

Dynamic analysis:

+
+

+ Data is read from location.search and passed to history.replaceState. +

+
    +
  • +

    The following value was injected into the source:

    +
    ?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/><g49p4yw5cy/\>zgrotg0z2s&
    +
  • + +
  • +

    The previous value reached the sink:

    +
    https://instance.example.com/fe///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/><g49p4yw5cy/\>zgrotg0z2s&#hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/><hj8js9yzmu/\>ea3izlhk1m&
    +
  • + +
  • +

    The stack trace at source was:

    +
    at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)
    +at get search (<anonymous>:1:248279)
    +at createCurrentLocation (https://instance.example.com/fe/js/cv-script.js:218038:23)
    +at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218149:16)
    +at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
    +at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at 1 (https://instance.example.com/fe/js/app.js:172609:18)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
    +at https://instance.example.com/fe/js/app.js:994:18
    +
  • + +
  • +

    The stack trace at the sink was:

    +
    at Object.dXSzc (<anonymous>:1:107608)
    +at Object.skeuk (<anonymous>:1:548616)
    +at History.replaceState (<anonymous>:1:548864)
    +at changeLocation (https://instance.example.com/fe/js/cv-script.js:218185:60)
    +at Object.replace (https://instance.example.com/fe/js/cv-script.js:218201:9)
    +at finalizeNavigation (https://instance.example.com/fe/js/cv-script.js:220844:31)
    +at https://instance.example.com/fe/js/cv-script.js:220724:27
    +
  • + +
  • +

    This was triggered by a loadend event.

    +
  • + +
+
+
+
+
+ +

DOM data manipulation (DOM-based)

+ /fe/m3/m-login + +

Issue detail:

+
The application may be vulnerable to DOM-based DOM data manipulation. Data is read from location.hash and passed to history.replaceState. The stack traces below show the read occurring in the client-side router's history initialization (createCurrentLocation → useHistoryStateNavigation → createWebHistory in cv-script.js) and the write in its finalizeNavigation → replace path, so during triage confirm that the rewritten URL is subsequently used in the visible UI or client-side logic rather than only stored as history state.
+ +

+ Issue background: +

+
+

DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of + the DOM (for example, the URL) and processes this data in an unsafe way.

+

DOM data manipulation arises when a script writes controllable data to a field within the DOM + that is used within the visible UI or client-side application logic. An attacker may be able to + use the vulnerability to construct a URL that, if visited by another application user, will + modify the appearance or behavior of the client-side UI. An attacker may be able to leverage + this to perform virtual defacement of the application, or possibly to induce the user to perform + unintended actions.

+ +

Burp Suite automatically identifies this issue using dynamic and static code analysis. Static + analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not + provided any evidence resulting from dynamic analysis, you should review the relevant code and + execution paths to determine whether this vulnerability is indeed present, or whether + mitigations are in place that would prevent exploitation.

+
+ +

+ Issue remediation: +

+
+

The most effective way to avoid DOM-based DOM data manipulation vulnerabilities is not to dynamically write to DOM data fields any data that originated from any untrusted source. If the desired functionality of the application means that this behavior is unavoidable, then defenses must be implemented within the client-side code to prevent malicious data from being stored. In general, this is best achieved by using an allowlist of permitted values.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+

Dynamic analysis:

+
+

+ Data is read from location.hash and passed to history.replaceState. +

+
    +
  • +

    The following value was injected into the source:

    +
    #hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/><hj8js9yzmu/\>ea3izlhk1m&
    +
  • + +
  • +

    The previous value reached the sink:

    +
    https://instance.example.com/fe///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/><g49p4yw5cy/\>zgrotg0z2s&#hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/><hj8js9yzmu/\>ea3izlhk1m&
    +
  • + +
  • +

    The stack trace at source was:

    +
    at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)
    +at get hash (<anonymous>:1:249429)
    +at createCurrentLocation (https://instance.example.com/fe/js/cv-script.js:218038:31)
    +at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218149:16)
    +at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
    +at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at 1 (https://instance.example.com/fe/js/app.js:172609:18)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
    +at https://instance.example.com/fe/js/app.js:994:18
    +
  • + +
  • +

    The stack trace at the sink was:

    +
    at Object.dXSzc (<anonymous>:1:107608)
    +at Object.skeuk (<anonymous>:1:548616)
    +at History.replaceState (<anonymous>:1:548864)
    +at changeLocation (https://instance.example.com/fe/js/cv-script.js:218185:60)
    +at Object.replace (https://instance.example.com/fe/js/cv-script.js:218201:9)
    +at finalizeNavigation (https://instance.example.com/fe/js/cv-script.js:220844:31)
    +at https://instance.example.com/fe/js/cv-script.js:220724:27
    +
  • + +
  • +

    This was triggered by a loadend event.

    +
  • + +
+
+
+
+
+ +
+
+ +
+

More details for http://instance.example.com

+
+ +
+
+ +

Input returned in response (reflected)

+ /fe/m3/m-login + +

Issue detail:

+
+ The value of the URL path folder 1 is copied into the application's response. +
+ +

+ Issue background: +

+
+

Reflection of input arises when data is copied from a request and echoed into the application's + immediate response.

+

Input being returned in application responses is not a vulnerability in its own right. However, + it is a prerequisite for many client-side vulnerabilities, including cross-site scripting, open + redirection, content spoofing, and response header injection. Additionally, some server-side + vulnerabilities such as SQL injection are often easier to identify and exploit when input is + returned in responses. In applications where input retrieval is rare and the environment is + resistant to automated testing (for example, due to a web application firewall), it might be + worth subjecting instances of it to focused manual testing.

+
+ +

Vulnerability classifications

+ + +
+

Request:

+
GET /fes56j3607g3/m3/m-login HTTP/1.1 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/1.1 301 Moved Permanently + Server: awselb/2.0 + Date: Tue, 05 Nov 2024 22:04:46 GMT + Content-Type: text/html + Content-Length: 134 + Connection: close + Location: https://instance.example.com:443/fes56j3607g3/m3/m-login + + <html> + <head><title>301 Moved Permanently</title></head> + <body> + <center><h1>301 Moved Permanently</h1></center> + </body> + </html> +
+
+
+
+ +

Input returned in response (reflected)

+ /fe/m3/m-login + +

Issue detail:

+
+ The value of the URL path folder 2 is copied into the application's response. +
+ +

+ Issue background: +

+
+

Reflection of input arises when data is copied from a request and echoed into the application's + immediate response.

+

Input being returned in application responses is not a vulnerability in its own right. However, + it is a prerequisite for many client-side vulnerabilities, including cross-site scripting, open + redirection, content spoofing, and response header injection. Additionally, some server-side + vulnerabilities such as SQL injection are often easier to identify and exploit when input is + returned in responses. In applications where input retrieval is rare and the environment is + resistant to automated testing (for example, due to a web application firewall), it might be + worth subjecting instances of it to focused manual testing.

+
+ +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3mx6wpfgqge/m-login HTTP/1.1 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/1.1 301 Moved Permanently + Server: awselb/2.0 + Date: Tue, 05 Nov 2024 22:05:07 GMT + Content-Type: text/html + Content-Length: 134 + Connection: close + Location: https://instance.example.com:443/fe/m3mx6wpfgqge/m-login + + <html> + <head><title>301 Moved Permanently</title></head> + <body> + <center><h1>301 Moved Permanently</h1></center> + </body> + </html> +
+
+
+
+ +
+ +
+ + + \ No newline at end of file diff --git a/unittests/tools/test_burp_enterprise_parser.py b/unittests/tools/test_burp_enterprise_parser.py index 0d28dfe26f..ec45b95c2f 100644 --- a/unittests/tools/test_burp_enterprise_parser.py +++ b/unittests/tools/test_burp_enterprise_parser.py @@ -22,13 +22,9 @@ def test_burp_enterprise_with_multiple_vulns(self): self.assertTrue(finding.dynamic_finding) self.assertEqual(942, finding.cwe) self.assertEqual("Cross-origin resource sharing: arbitrary origin trusted", finding.title) - description = """**Issue detail:** -The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain.The application allowed access from the requested origin https://llqvfwgbsdau.com - -""" - self.assertEqual(description, finding.description) + self.assertIn("**Issue detail**:\nThe application implements an HTML5 cross-origin resource sharing (CORS) policy", finding.description) self.assertIn("An HTML5 cross-origin resource sharing (CORS) policy controls", finding.impact) - self.assertIn("(Web Security Academy: Cross-origin resource sharing (CORS))[https://portswigger.net/web-security/cors]", finding.references) + self.assertIn("[Web Security Academy: Cross-origin resource sharing (CORS)](https://portswigger.net/web-security/cors)", finding.references) self.assertEqual(1, len(finding.unsaved_endpoints)) self.assertEqual("example.com", finding.unsaved_endpoints[0].host) 
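Review bot: Swapping the exact `assertEqual(description, finding.description)` for an `assertIn` on the opening clause drops coverage of the second half of the detail text, so a regression that truncates or mangles the origin sentence would now pass unnoticed. If the trailing whitespace was the only problem with the old literal, keep the looser prefix check but add a second assertion for the part that was dropped, e.g. `self.assertIn("The application allowed access from the requested origin https://llqvfwgbsdau.com", finding.description)`. The enclosing test method test_burp_enterprise_with_multiple_vulns starts before this hunk.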
@@ -38,4 +34,33 @@ def test_burp_enterprise_with_multiple_vulns(self): self.assertTrue(finding.dynamic_finding) self.assertIsNone(finding.cwe) self.assertEqual("WAF Detected: redacted", finding.title) - self.assertIn("WAF tech. details : Cloud-based CDN, WAF & DDoS prevention", finding.description) + self.assertIn("**Issue detail**:\nFingerprint Details:\n\nWAF Type : redacted\nWAF tech. details : Cloud-based CDN, WAF & DDoS prevention", finding.description) + + def test_burp_enterprise_with_multiple_vulns_newer_format(self): + with open(path.join(path.dirname(__file__), "../scans/burp_enterprise/many_vulns_updated_format.html"), encoding="utf-8") as test_file: + parser = BurpEnterpriseParser() + findings = parser.get_findings(test_file, Test()) + for finding in findings: + for endpoint in finding.unsaved_endpoints: + endpoint.clean() + self.assertEqual(12, len(findings)) + + with self.subTest(i=0): + finding = findings[0] + self.assertEqual("Low", finding.severity) + self.assertTrue(finding.dynamic_finding) + self.assertEqual(523, finding.cwe) + self.assertEqual("Strict transport security not enforced", finding.title) + self.assertIn("**Issue description**:\nThe application fails to prevent users from connecting to it over unencrypted connections.", finding.description) + self.assertIn("**Issue remediation**:\nThe application should instruct web browsers to only access the application using HTTPS.", finding.impact) + self.assertIn("- [HTTP Strict Transport Security](https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security)", finding.references) + self.assertEqual(7, len(finding.unsaved_endpoints)) + self.assertEqual("instance.example.com", finding.unsaved_endpoints[0].host) + + with self.subTest(i=5): + finding = findings[5] + self.assertEqual("Info", finding.severity) + self.assertTrue(finding.dynamic_finding) + self.assertEqual(116, finding.cwe) + self.assertEqual("Content security policy: allows form hijacking", finding.title) + 
self.assertIn("**Issue detail**:\nThe content security policy doesn't prevent form hijacking", finding.description) From eb6537e8f1f05556161a341dfbf89ec35f12311a Mon Sep 17 00:00:00 2001 From: kiblik <5609770+kiblik@users.noreply.github.com> Date: Tue, 12 Nov 2024 16:54:41 +0100 Subject: [PATCH 14/19] feat(helm): Add support for staticName for initializer (#11237) --- helm/defectdojo/templates/_helpers.tpl | 4 ++++ helm/defectdojo/values.yaml | 5 +++++ 2 files changed, 9 insertions(+) diff --git a/helm/defectdojo/templates/_helpers.tpl b/helm/defectdojo/templates/_helpers.tpl index 14256e8819..c3e0026c2e 100644 --- a/helm/defectdojo/templates/_helpers.tpl +++ b/helm/defectdojo/templates/_helpers.tpl @@ -102,8 +102,12 @@ Create chart name and version as used by the chart label. {{- end -}} {{- define "initializer.jobname" -}} +{{- if .Values.initializer.staticName -}} +{{ .Release.Name }}-initializer +{{- else -}} {{ .Release.Name }}-initializer-{{- printf "%s" now | date "2006-01-02-15-04" -}} {{- end -}} +{{- end -}} {{/* Creates the array for DD_ALLOWED_HOSTS in configmap diff --git a/helm/defectdojo/values.yaml b/helm/defectdojo/values.yaml index b2d0422bc2..f480810d43 100644 --- a/helm/defectdojo/values.yaml +++ b/helm/defectdojo/values.yaml @@ -365,6 +365,11 @@ initializer: # @type: array extraVolumes: [] + # staticName defines whether name of the job will be the same (e.g., "defectdojo-initializer") + # or different every time - generated based on current time (e.g., "defectdojo-initializer-2024-11-11-18-57") + # This might be handy for ArgoCD deployments + staticName: false + postgresql: enabled: true auth: From 912386b1ebf0c0cd9fd2eafd420f0c3a0ba5db8a Mon Sep 17 00:00:00 2001 
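Review bot: The new test pins Burp's remediation guidance to `finding.impact` via `self.assertIn("**Issue remediation**:\nThe application should instruct web browsers to only access the application using HTTPS.", finding.impact)`, which looks like a field mismatch: DefectDojo findings carry a separate `mitigation` field for fix advice, and consumers read `impact` as a description of consequences. If the parser really stores the remediation section in `impact`, that behaviour deserves a question rather than a test that locks it in; otherwise the assertion should target `finding.mitigation`. The parser itself is not in this diff, so this is inferred from the assertion alone.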
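Review bot: With `staticName` enabled the initializer Job keeps one name across releases, and a Kubernetes Job's pod template is immutable, so a later `helm upgrade` that renders a different template (new image tag, changed env) will fail to apply unless the previous Job is deleted first or the Job carries a hook delete policy such as `before-hook-creation`; the hook annotations live in initializer-job.yaml, which this hunk does not show, so please confirm that path is covered. The values.yaml hunk in the same commit should state that caveat next to `staticName: false`, e.g. `# Note: with a static name the previous Job must be removed (hook delete policy or manual deletion) before an upgrade can re-create it.`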
From: leofvo Date: Tue, 12 Nov 2024 16:59:53 +0100 Subject: [PATCH 15/19] fix(helm): add missing env config on job (#11016) * fix(helm): add missing env config on job The job isn't working well when using external database because the init container checking if the database is accessible isn't taking the same env values as the container that is initializing the database config * fix(helm): remove unused env * chore(helm): prefer using with over if --- helm/defectdojo/templates/initializer-job.yaml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/helm/defectdojo/templates/initializer-job.yaml b/helm/defectdojo/templates/initializer-job.yaml index b078a1fdc6..7ed4abbde5 100644 --- a/helm/defectdojo/templates/initializer-job.yaml +++ b/helm/defectdojo/templates/initializer-job.yaml @@ -66,6 +66,10 @@ spec: - secretRef: name: {{ $fullName }} optional: true + env: + {{- with .Values.extraEnv }} + {{- toYaml . | nindent 8 }} + {{- end }} containers: {{- if .Values.cloudsql.enabled }} - name: cloudsql-proxy @@ -118,8 +122,8 @@ spec: name: {{ .Values.postgresqlha.postgresql.existingSecret }} key: postgresql-postgres-password {{- end }} - {{- if .Values.extraEnv }} - {{- toYaml .Values.extraEnv | nindent 8 }} + {{- with .Values.extraEnv }} + {{- toYaml . | nindent 8 }} {{- end }} resources: {{- toYaml .Values.initializer.resources | nindent 10 }} From b079c374e27b08cccb2879163620dd0345536a24 Mon Sep 17 00:00:00 2001 
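Review bot: The first hunk emits the `env:` key for the init container unconditionally, so when `extraEnv` is empty the rendered manifest contains `env:` with a null value; the API server tolerates that, but stricter manifest validators may not, and the second hunk shows the guarded `with` pattern already used for the main container. Move the key inside the guard, i.e. `{{- with .Values.extraEnv }}` / `env:` / `{{- toYaml . | nindent 8 }}` / `{{- end }}`, so nothing is emitted when the list is empty. Indentation is not recoverable from the collapsed hunk, so the nindent width should be checked against the neighbouring keys.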
From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Date: Tue, 12 Nov 2024 10:29:24 -0600 Subject: [PATCH 16/19] GHA Artifacts: Update to v4 (#11205) * GHA Artifacts: Update to v4 * segregate paths even further * Adjust artifact paths * Tweak paths again --- .../workflows/build-docker-images-for-testing.yml | 4 ++-- .github/workflows/fetch-oas.yml | 2 +- .github/workflows/integration-tests.yml | 12 ++++++++---- .github/workflows/k8s-tests.yml | 10 +++++++--- .github/workflows/release-drafter.yml | 2 +- .github/workflows/rest-framework-tests.yml | 10 +++++++--- 6 files changed, 26 insertions(+), 14 deletions(-) diff --git a/.github/workflows/build-docker-images-for-testing.yml b/.github/workflows/build-docker-images-for-testing.yml index c5753973ae..cd9c549494 100644 --- a/.github/workflows/build-docker-images-for-testing.yml +++ b/.github/workflows/build-docker-images-for-testing.yml @@ -49,8 +49,8 @@ jobs: # export docker images to be used in next jobs below - name: Upload image ${{ matrix.docker-image }} as artifact timeout-minutes: 10 - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: - name: ${{ matrix.docker-image }} + name: built-docker-image-${{ matrix.docker-image }}-${{ matrix.os }} path: ${{ matrix.docker-image }}-${{ matrix.os }}_img retention-days: 1 diff --git a/.github/workflows/fetch-oas.yml b/.github/workflows/fetch-oas.yml index 7928fadd9e..5ec0aa9aba 100644 --- a/.github/workflows/fetch-oas.yml +++ b/.github/workflows/fetch-oas.yml @@ -51,7 +51,7 @@ jobs: run: docker compose down - name: Upload oas.${{ matrix.file-type }} as artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: oas-${{ matrix.file-type }} path: oas.${{ matrix.file-type }} diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml index 0b12d25a77..cd8d807237 100644 --- a/.github/workflows/integration-tests.yml +++ b/.github/workflows/integration-tests.yml 
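Review bot: The bump leaves `actions/upload-artifact@v4` pinned to a mutable major tag; for a security tool's CI the usual hardening is to pin third-party actions to a full-length commit SHA with the version kept in a trailing comment, `uses: actions/upload-artifact@<full-commit-sha> # v4`, so that a moved or compromised tag cannot change what runs with access to the build artifacts. The same applies to every `download-artifact@v4` reference in the other five workflow hunks of this commit. Dependabot continues to track SHA-pinned actions as long as the version comment is present.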
@@ -45,14 +45,18 @@ jobs: # load docker images from build jobs - name: Load images from artifacts - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 + with: + path: built-docker-image + pattern: built-docker-image-* + merge-multiple: true - name: Load docker images timeout-minutes: 10 run: |- - docker load -i nginx/nginx-${{ matrix.os }}_img - docker load -i django/django-${{ matrix.os }}_img - docker load -i integration-tests/integration-tests-debian_img + docker load -i built-docker-image/nginx-${{ matrix.os }}_img + docker load -i built-docker-image/django-${{ matrix.os }}_img + docker load -i built-docker-image/integration-tests-debian_img docker images - name: Set integration-test mode diff --git a/.github/workflows/k8s-tests.yml b/.github/workflows/k8s-tests.yml index 60f8bc3c38..a4feb77273 100644 --- a/.github/workflows/k8s-tests.yml +++ b/.github/workflows/k8s-tests.yml @@ -48,14 +48,18 @@ jobs: minikube status - name: Load images from artifacts - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 + with: + path: built-docker-image + pattern: built-docker-image-* + merge-multiple: true - name: Load docker images timeout-minutes: 10 run: |- eval $(minikube docker-env) - docker load -i nginx/nginx-${{ matrix.os }}_img - docker load -i django/django-${{ matrix.os }}_img + docker load -i built-docker-image/nginx-${{ matrix.os }}_img + docker load -i built-docker-image/django-${{ matrix.os }}_img docker images - name: Configure HELM repos diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml index d05cb19142..2a4d7ef037 100644 --- a/.github/workflows/release-drafter.yml +++ b/.github/workflows/release-drafter.yml @@ -47,7 +47,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Load OAS files from artifacts - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 - name: Upload Release Asset - OpenAPI Specification - YAML id: upload-release-asset-yaml 
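Review bot: The release-drafter step moves to `actions/download-artifact@v4` with no `with:` block, and v4 no longer downloads artifacts produced by a different workflow run unless `run-id` and `github-token` are supplied; if the OAS artifacts come from a separately triggered run of fetch-oas.yml rather than a job in the same run, this step finds nothing and the following "Upload Release Asset" steps fail. If it is the same run, each artifact still lands in its own directory named after the artifact (`oas-<file-type>/`), so only the cross-run case needs attention. The steps that consume the files lie outside this hunk.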
diff --git a/.github/workflows/rest-framework-tests.yml b/.github/workflows/rest-framework-tests.yml index f153a368ba..bd8ca3322f 100644 --- a/.github/workflows/rest-framework-tests.yml +++ b/.github/workflows/rest-framework-tests.yml @@ -20,13 +20,17 @@ jobs: # load docker images from build jobs - name: Load images from artifacts - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 + with: + path: built-docker-image + pattern: built-docker-image-* + merge-multiple: true - name: Load docker images timeout-minutes: 10 run: |- - docker load -i nginx/nginx-${{ matrix.os }}_img - docker load -i django/django-${{ matrix.os }}_img + docker load -i built-docker-image/nginx-${{ matrix.os }}_img + docker load -i built-docker-image/django-${{ matrix.os }}_img docker images # run tests with docker compose From 28569c0fbc64a748f7ac3b7a822b75f9ad80f59b Mon Sep 17 00:00:00 2001 From: DefectDojo release bot Date: Tue, 12 Nov 2024 16:32:02 +0000 Subject: [PATCH 17/19] Update versions in application files --- components/package.json | 2 +- dojo/__init__.py | 2 +- helm/defectdojo/Chart.yaml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/components/package.json b/components/package.json index 82cd7446c6..8959190ddf 100644 --- a/components/package.json +++ b/components/package.json @@ -1,6 +1,6 @@ { "name": "defectdojo", - "version": "2.41.0-dev", + "version": "2.40.1", "license" : "BSD-3-Clause", "private": true, "dependencies": { diff --git a/dojo/__init__.py b/dojo/__init__.py index 8c5bb4603e..f912fa15f5 100644 --- a/dojo/__init__.py +++ b/dojo/__init__.py @@ -4,6 +4,6 @@ # Django starts so that shared_task will use this app. from .celery import app as celery_app # noqa: F401 -__version__ = "2.40.0" +__version__ = "2.40.1" __url__ = "https://github.com/DefectDojo/django-DefectDojo" __docs__ = "https://documentation.defectdojo.com" diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml index b61326d1b8..b56712ee07 100644 
--- a/helm/defectdojo/Chart.yaml +++ b/helm/defectdojo/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: "2.41.0-dev" +appVersion: "2.40.1" description: A Helm chart for Kubernetes to install DefectDojo name: defectdojo -version: 1.6.159-dev +version: 1.6.159 icon: https://www.defectdojo.org/img/favicon.ico maintainers: - name: madchap From 30a9acac362c5c34e12a7817597a91d5d5733067 Mon Sep 17 00:00:00 2001 From: DefectDojo release bot Date: Tue, 12 Nov 2024 17:08:20 +0000 Subject: [PATCH 18/19] Update versions in application files --- components/package.json | 2 +- dojo/__init__.py | 2 +- helm/defectdojo/Chart.yaml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/components/package.json b/components/package.json index 8959190ddf..82cd7446c6 100644 --- a/components/package.json +++ b/components/package.json @@ -1,6 +1,6 @@ { "name": "defectdojo", - "version": "2.40.1", + "version": "2.41.0-dev", "license" : "BSD-3-Clause", "private": true, "dependencies": { diff --git a/dojo/__init__.py b/dojo/__init__.py index f912fa15f5..be4cc157e1 100644 --- a/dojo/__init__.py +++ b/dojo/__init__.py @@ -4,6 +4,6 @@ # Django starts so that shared_task will use this app. from .celery import app as celery_app # noqa: F401 -__version__ = "2.40.1" +__version__ = "2.41.0-dev" __url__ = "https://github.com/DefectDojo/django-DefectDojo" __docs__ = "https://documentation.defectdojo.com" diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml index b56712ee07..9d7a99e360 100644 --- a/helm/defectdojo/Chart.yaml +++ b/helm/defectdojo/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: "2.40.1" +appVersion: "2.41.0-dev" description: A Helm chart for Kubernetes to install DefectDojo name: defectdojo -version: 1.6.159 +version: 1.6.160-dev icon: https://www.defectdojo.org/img/favicon.ico maintainers: - name: madchap From 46ef07536a79c8d46409db7a1096e3870ddb2e34 Mon Sep 17 00:00:00 2001 
From: kiblik <5609770+kiblik@users.noreply.github.com> Date: Tue, 12 Nov 2024 18:59:45 +0100 Subject: [PATCH 19/19] Ruff: Add and fix S108 (#11192) --- dojo/decorators.py | 16 ---------------- ruff.toml | 3 ++- 2 files changed, 2 insertions(+), 17 deletions(-) diff --git a/dojo/decorators.py b/dojo/decorators.py index b6902b8dc1..8f356b0f62 100644 --- a/dojo/decorators.py +++ b/dojo/decorators.py @@ -144,22 +144,6 @@ def get_parameter_froms_args_kwargs(args, kwargs, parameter): return model_or_id -def on_exception_log_kwarg(func): - def wrapper(self, *args, **kwargs): - try: - return func(self, *args, **kwargs) - - except Exception: - logger.info(f"exception occured at url: {self.driver.current_url}") - logger.info(f"page source: {self.driver.page_source}") - f = open("/tmp/selenium_page_source.html", "w", encoding="utf-8") - f.writelines(self.driver.page_source) - # time.sleep(30) - raise - - return wrapper - - def dojo_ratelimit(key="ip", rate=None, method=UNSAFE, block=False): def decorator(fn): @wraps(fn) diff --git a/ruff.toml b/ruff.toml index 3a360f4989..f073ee71e5 100644 --- a/ruff.toml +++ b/ruff.toml @@ -41,7 +41,7 @@ select = [ "UP", "YTT", "ASYNC", - "S2", "S5", "S7", "S101", "S104", "S105", "S112", "S311", + "S2", "S5", "S7", "S101", "S104", "S105", "S108", "S112", "S311", "FBT001", "FBT003", "A003", "A004", "A006", "COM", @@ -102,6 +102,7 @@ preview = true [lint.per-file-ignores] "unittests/**" = [ "S105", # hardcoded passwords in tests are fine + "S108", # tmp paths mentioned in tests are fine ] [lint.flake8-boolean-trap]
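Review bot: Ignoring S108 for the whole `unittests/**` tree hides real hard-coded temp-file writes in test helpers, not only paths that merely appear in strings; a test that opens a fixed `/tmp/...` path is exposed to the same symlink and pre-existing-file races the rule targets, and CI runners are shared. Prefer leaving S108 enabled there and using `tempfile` where a file is actually created, with a per-line `# noqa: S108` carrying a reason where a path is only mentioned. If the blanket ignore stays, the added comment should say so explicitly, e.g. `"S108", # tmp paths only appear as strings in tests; never opened`.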