I was trying to validate my code using CheckMarx but am stuck at a couple of vulnerabilities that I am unable to find a fix for. The following are the code lines where the vulnerabilities were raised.

    window.location.href = url + "?" + "appPageId=" +
        $rootScope.selectedContext.defaultAppPageId + "&hierarchyId=" +
        $rootScope.defaultHierarchyId;

I tried to fix it with encoding as follows:

    var redirectUrl = url + "?" + "appPageId=" +
        $rootScope.selectedContext.defaultAppPageId + "&hierarchyId=" +
        $rootScope.defaultHierarchyId;
    window.location.href = encodeURI(redirectUrl);

but I still get the same issue. Is there any way of fixing this Client DOM Open Redirect Vulnerability?

Also, I'm getting a Reflected XSS issue for the following line

    res.send("The Context " + req.params.contextName + " has restricted access. Please request access to this page");

possibly because I'm using res.send. I guess this will also be fixed along the same lines as the above issue.

Any help regarding the same would be greatly appreciated.

Zendie
Tejas Jaggi

2 Answers


Make sure to sanitize any input you get from users; that includes taking any parameters from the request. You can find many sanitization modules or middleware that will do this for you, just try a quick Google search.

As for open redirect, if the url parameter is coming from a user, use Regex or something of the like to parse the domain. It could even just be something as simple as making sure it starts with the right protocol and domain.

Andre
  • Thanks for the response! I already sanitise the input received from the user; however, I read that there was also the need to escape the response before sending it to the user. I did try a simple regex check, but it still gives the same issue. – Tejas Jaggi Aug 29 '19 at 08:38

I believe Checkmarx sees the url variable first in the flow as arbitrary which is why it is seeing it as a Client DOM Open Redirect vulnerability. You can try prefixing the url with a hardcoded value if you don't need it to be arbitrary.

    // Bail out unless both ids are numeric, then redirect to a hardcoded origin
    if (isNaN($rootScope.selectedContext.defaultAppPageId) || isNaN($rootScope.defaultHierarchyId)) {
        return;
    }
    var redirectUrl = "https://stackoverflow.com?" + "appPageId=" +
        $rootScope.selectedContext.defaultAppPageId + "&hierarchyId=" +
        $rootScope.defaultHierarchyId;
    window.location.href = encodeURI(redirectUrl);

For the XSS vuln, it could well be considered a false positive since Angular sanitizes and escapes untrusted values. However, you can't always trust the view engine to do its job, so if you really wanted an explicit fix, you may want to use an HTML encode library (find a decent one, this is just an example):

    var htmlencode = require('htmlencode');

    // Encode the untrusted route parameter before interpolating it into the response body
    res.send("The Context " + htmlencode.htmlEncode(req.params.contextName) + " has restricted access. Please request access to this page");

Hope this helps!

securecodeninja
  • Hey Roman, Thank you for this response! This does sound promising. Will try it out and let you know if this worked for me. Thanks again! – Tejas Jaggi Sep 03 '19 at 19:15
  • Hey Roman, Thank you for all the suggestions. However, I was only able to fix the res.send XSS Vulnerability. I also tried the same approach for a res.render implementation. `res.render('index', { title: 'Express', session: encodeURI(req.session),minify:argv.minify!=undefined});` Still facing the same issue with window.location.href. Any other suggestions that you may have in mind? I am desperate to find a solution now. – Tejas Jaggi Sep 06 '19 at 13:52
  • are defaultAppPageId and defaultHierarchyId numeric? – securecodeninja Sep 08 '19 at 05:20
  • Yup. Both are numeric Values. – Tejas Jaggi Sep 09 '19 at 06:02
  • can you please try the new snippet above? – securecodeninja Sep 10 '19 at 02:17
  • Hi Roman, I've added the fix and sent it to the SCAVA Scan Team for running the test. Will let you know once they share the results. – Tejas Jaggi Sep 16 '19 at 02:57
  • Sorry, I had to drop this for a while. But, I'm back on it now. Unfortunately none of the suggestions seemed to serve the purpose. Do you have experience with HelmetJS? https://helmetjs.github.io/docs/xss-filter/ . It has something called an XSS Filter that I am thinking of exploring. – Tejas Jaggi Oct 30 '19 at 04:22
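An added example, not from the question or either answer, showing the two defensive checks this thread circles around in plain JavaScript: an origin allowlist for the redirect target (so the base URL can never be attacker-chosen) plus numeric validation of the ids, and HTML escaping for the text interpolated into the res.send message. The allowed origin, the function names and the sample ids are assumptions.

```javascript
// Constructed allowlist of origins the page is permitted to redirect to.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Build the redirect target only if the base URL's origin is allowlisted
// and both ids are unsigned integers; otherwise return null so the caller
// can fall back to a fixed page instead of redirecting to untrusted input.
function buildRedirectUrl(base, appPageId, hierarchyId) {
  let target;
  try {
    target = new URL(String(base)); // throws for relative or malformed input
  } catch (e) {
    return null;
  }
  // "javascript:" and "data:" URLs parse but have origin "null", so they fail here too
  if (!ALLOWED_ORIGINS.has(target.origin)) return null;
  if (!/^\d+$/.test(String(appPageId)) || !/^\d+$/.test(String(hierarchyId))) return null;
  target.searchParams.set("appPageId", String(appPageId));
  target.searchParams.set("hierarchyId", String(hierarchyId));
  return target.href;
}

// Escape the five HTML-significant characters before interpolating
// untrusted text into a response body sent with res.send().
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The message from the question, with the route parameter escaped.
function restrictedMessage(contextName) {
  return "The Context " + escapeHtml(contextName) +
    " has restricted access. Please request access to this page";
}
```

In the browser the result of buildRedirectUrl is what gets assigned to window.location.href; a null result should send the user to a fixed landing page rather than anywhere derived from the input.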