
I am using various 3rd party libs like cordova.js, jQuery, jQuery Mobile, mobilizer and so on, in an Android mobile app. These libs are found to have various XSS vectors through insecure use of eval, setTimeout, innerHTML/outerHTML and so on.

Is there any way by which I could cover/fix these security holes and still use these libs in my app, securely?

Ocelot
  • Are these genuine security holes or are they warnings about things you should check more closely from some kind of automated tool? – Quentin Mar 11 '13 at 11:25
  • @Quentin we ran the app through IBM Appscan and there were many high severity XSS issues shown, after false positives. – Ocelot Mar 11 '13 at 11:34
  • This sounds very much like a case of "Just be sensible about where you place data you don't control" and not actual security holes. – Quentin Mar 11 '13 at 11:36
  • @ocelot are you sure the remaining ones are not false positives? AppScan is notoriously spammy with results, especially with default settings. – Vitaly Osipov Mar 13 '13 at 06:08

1 Answer


These vulnerabilities should be reported to the vendor, and you should use their patch.

Exploiting DOM-based XSS on Android is possible, however the attack vectors are more limited because usually an attacker cannot exploit one of these vulnerabilities using a simple GET or POST request.

rook
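As an added example (not part of the question or answer), the defensive counterpart to the innerHTML/eval/setTimeout patterns the question lists, following Quentin's point about where data you don't control is placed; the function names, the list-item markup and the sample string are assumptions made up here:

```javascript
// Added example, not code from the question, the answer, or any of the
// libraries named. Untrusted strings (URL fragments, intent extras, JSON
// from a server) are treated as text, never as markup or as code.

// Escape the five characters that let text break out of an HTML text or
// attribute context. Use only when a string MUST be spliced into markup.
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build one list item (hypothetical jQuery Mobile listview row) from
// untrusted data. Every value is escaped before it lands in the markup.
function listItemHtml(item) {
  return '<li><a href="#detail">' + escapeHtml(item.title) + '</a></li>';
}

// Preferred path: do not build markup at all. textContent (or jQuery's
// .text()) never parses its argument as HTML, unlike el.innerHTML = value.
function renderTitle(el, untrustedTitle) {
  el.textContent = untrustedTitle;
  return el;
}

// Replacement for setTimeout("code string", ms): pass a function, so the
// delayed work can never become an eval of attacker-influenced text.
// `timer` is injectable so the function can be exercised without a DOM.
function delayedRender(el, text, ms, timer = setTimeout) {
  return timer(() => renderTitle(el, text), ms);
}

// Constructed sample: a title that arrived from an untrusted source.
const hostileTitle = '<b>Sale</b> & "50% off"';

// Stand-alone demo: a plain object stands in for a DOM element.
const demoEl = {};
renderTitle(demoEl, hostileTitle);
console.log(listItemHtml({ title: hostileTitle }));
console.log(demoEl.textContent === hostileTitle); // text stored verbatim, not parsed
```

Blocking the eval-style sinks wholesale is also possible with a Content-Security-Policy meta tag in the app's index.html whose `script-src` omits `'unsafe-eval'`, but any library that still relies on eval or setTimeout(string) will break under it, which is why the answer's advice to get a vendor patch comes first.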