Tejas Jaggi
Tejas Jaggi

Reputation: 115

Fixing Reflected XSS issue in Javascript. CheckMarx

I was trying to validate my code using CheckMarx but am stuck at a couple of vulnerabilities that I am unable to find a fix for. The following are the code lines where the vulnerabilities were raised.

window.location.href = url + "?"+"appPageId="+  
$rootScope.selectedContext.defaultAppPageId + "&hierarchyId="+ 
$rootScope.defaultHierarchyId

I tried to fix it with encoding as follows

var redirectUrl = url + "?"+"appPageId="+  
$rootScope.selectedContext.defaultAppPageId + "&hierarchyId="+ 
$rootScope.defaultHierarchyId
window.location.href = encodeURI(redirectUrl)

but I still get the same issue. Is there anyway of fixing this Client DOM Open Redirect Vulnerability?

Also, I'm getting a Reflected XSS issue for the following line

    res.send("The Context
    "+req.params.contextName+" has restricted access. Please request 
    access to this page");

possibly because I'm using res.send. I guess this will also be fixed along the same lines as the above issue.

Any help regarding the same would be greatly appreciated.

Upvotes: 5

Views: 10140

Answers (2)

securecodeninja
securecodeninja

Reputation: 2515

I believe Checkmarx sees the url variable first in the flow as arbitrary which is why it is seeing it as a Client DOM Open Redirect vulnerability. You can try prefixing the url with a hardcoded value if you don't need it to be arbitrary.

if(isNaN($rootScope.selectedContext.defaultAppPageId) || isNaN($rootScope.defaultHierarchyId)) {    
    return
} 
var redirectUrl = "https://stackoverflow.com?" + "appPageId=" +  
$rootScope.selectedContext.defaultAppPageId + "&hierarchyId="+ 
$rootScope.defaultHierarchyId
window.location.href = encodeURI(redirectUrl)

For the XSS vuln, it well could be considered as a false positive since Angular sanitizes and escapes untrusted values. However, you can't always trust the view engine to do its job so if you really wanted an explicit fix, you may want to use a html encode library (find a decent one, this is just an example):

var htmlencode = require('htmlencode');

res.send("The Context"+ htmlencode.htmlEncode(req.params.contextName) + " has restricted access. Please request access to this page");

Hope this helps!

Upvotes: 0

Andre
Andre

Reputation: 788

Make sure to sanitize any input you get from users, that includes taking any parameters from the request. You can find many sanitization modules or middle ware that will do this for you, just try a quick google search.

As for open redirect, if the url parameter is coming from a user, use Regex or something of the liking to parse the domain. It could even just be something as simple as making sure it starts with the right protocol and domain.

Upvotes: 1

Related Questions