Question

5
Replies
1028
Views
JonnyGar Member since 2009 91 posts
BNY Mellon
Posted: 5 years ago
Last activity: 4 years 6 months ago
Closed

Auditing XSS Vulnerabilities & Naked Parameters

The Rule Security Analyzer is a nice tool, but I do have a couple of basic comments on it:

  1. It's a bit of a misnomer as it's only for source-scripting in HTML/JS/CSS code. There's a lot of other things that ought to be done as part of a security check.
  2. Using a regexp checker would is handy for many things, such as scanning for deprecated JavaScript. Why not make this into an all-purpose validation checker which runs alongside the regular guardrails warnings check? After all, we'd like to catch these up front. (see FDBK-10568)

Basically XSS is showing looking for "naked parameters" -- where tools.getParamValue("foo") is used within stream processing.

The current guidance is to wrap the above in StringUtils.crossScriptingFilter(...) which escapes HTML characters.

Why not just redefine tools.getParamValue(), when invoked in a stream, to do this? And create a tools.getParamValueLiteral() function to work as traditionally? That would involve less code changes. Or visa-versa, define a tools.getParamValueSafe(). This would make the regexp checker easier.

- Jon

***Updated by moderator: Marissa to close post***

This post has been archived for educational purposes. Contents and links will no longer be updated. If you have the same/similar question, please write a new post.

Security
Moderation Team has archived post
Share this page LinkedIn