Adobe-Consulting-Services / acs-aem-commons

http://adobe-consulting-services.github.io/acs-aem-commons/
Apache License 2.0

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CWE ID 80) #1134

Closed LambaSwati closed 6 years ago

LambaSwati commented 7 years ago

We are using the acs-aem-commons-3.9.0 bundle in our project. According to the Veracode security scan report run on our project:

Description: This call contains a cross-site scripting (XSS) flaw. The application populates the HTTP response with untrusted input, allowing an attacker to embed malicious content, such as JavaScript code, which will be executed in the context of the victim's browser. XSS vulnerabilities are commonly exploited to steal or manipulate cookies, modify presentation of content, and compromise confidential information, with new attack vectors being discovered on a regular basis.

Recommendations: Use contextual escaping on all untrusted data before using it to construct any portion of an HTTP response. The escaping method should be chosen based on the specific use case of the untrusted data, otherwise it may not protect fully against the attack. For example, if the data is being written to the body of an HTML page, use HTML entity escaping; if the data is being written to an attribute, use attribute escaping; etc. When a web framework provides built-in support for automatic XSS escaping, do not disable it. Both the OWASP Java Encoder library for Java and the Microsoft AntiXSS library provide contextual escaping methods. For more details on contextual escaping, see https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet. In addition, as a best practice, always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.

Instances found via Static Scan:

| Flaw Id | Module # | Class # | Module | Location | Line | Fix By |
|---|---|---|---|---|---|---|
| 44 | 1 | - | JS files within acsaem-commonscontent-3.9.0.zip | /jcr_root/.../js/ajax.js | 34 | 6/5/11 |
| 55 | 4 | - | JS files within acsaem-commonscontent-3.9.0.zip | /jcr_root/.../clientlibs/js/app.js | 46 | 6/5/11 |
| 46 | 7 | - | JS files within acsaem-commonscontent-3.9.0.zip | /jcr_root/.../clientlibs/js/app.js | 71 | 6/5/11 |
| 53 | 9 | - | JS files within acsaem-commonscontent-3.9.0.zip | /jcr_root/.../clientlibs/js/app.js | 82 | 6/5/11 |
| 56 | 9 | - | JS files within acsaem-commonscontent-3.9.0.zip | /jcr_root/.../clientlibs/js/app.js | 108 | 6/5/11 |
| 13 | 10 | - | JS files within | /.../clientlibs/js/app.js | 108 | 10/4/17 |
| 57 | 9 | - | JS files within acsaem-commonscontent-3.9.0.zip | /jcr_root/.../clientlibs/js/app.js | 127 | 6/5/11 |
| 52 | 9 | - | JS files within acsaem-commonscontent-3.9.0.zip | /jcr_root/.../clientlibs/js/app.js | 145 | 6/5/11 |
| 59 | 7 | - | JS files within acsaem-commonscontent-3.9.0.zip | /jcr_root/.../clientlibs/js/app.js | 150 | 6/5/11 |
| 60 | 16 | - | JS files within acsaem-commonscontent-3.9.0.zip | /jcr_root/.../js/inject.js | 28 | 6/5/11 |
| 54 | 18 | - | JS files within acsaem-commonscontent-3.9.0.zip | /jcr_root/.../notification.js | 23 | 6/5/11 |
| 49 | 20 | - | JS files within acsaem-commonscontent-3.9.0.zip | /jcr_root/.../notifications.js | 58 | 6/5/11 |
| 48 | 23 | - | JS files within acsaem-commonscontent-3.9.0.zip | /jcr_root/.../js/packager.js | 51 | 6/5/11 |
| 61 | 27 | - | JS files within acsaem-commonscontent-3.9.0.zip | .../touchui-configure-parsysplaceholder.js | 111 | |
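The contextual escaping that the Veracode recommendation above describes, as an added example for this thread; it is not code from acs-aem-commons and not the lines the scan flagged in app.js, notification.js and the other clientlibs. It is plain client-side JavaScript of the kind those files contain, with escaping for the HTML body context, the attribute context, and the URL context, plus the concatenation pattern a static scanner reports next to its hardened form. The function names (escapeHtml, escapeHtmlAttr, safeHref, renderNotification) and the sample inputs are assumptions made for the example.

```javascript
// Added example, not acs-aem-commons code. Contextual escaping for untrusted
// values placed into markup, in the three contexts that matter for the kind of
// clientlib code a scanner flags. All names and inputs here are constructed.

// Body (text node) context: neutralise the characters that can open a tag,
// start an entity, or close a quoted attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Attribute context: stricter than body escaping. Every non-alphanumeric
// character in the Latin-1 range becomes a numeric entity, so the value cannot
// close a quoted attribute and, if a template omits the quotes, cannot be split
// at whitespace into a new attribute.
function escapeHtmlAttr(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.codePointAt(0);
    return code > 0xff ? c : `&#x${code.toString(16)};`;
  });
}

// URL context: escaping alone does not make a link safe, because the browser
// decodes the attribute before interpreting the URL scheme. Allow-list the
// schemes the page needs (http, https, site-relative paths) and reject the rest
// with a harmless placeholder. Protocol-relative "//host" is rejected as well.
function safeHref(url) {
  const u = String(url).trim();
  const isHttp = /^https?:\/\//i.test(u);
  const isSiteRelative = u.startsWith('/') && !u.startsWith('//');
  return isHttp || isSiteRelative ? u : '#';
}

// The pattern a static scanner reports: values derived from the request or an
// AJAX response concatenated straight into markup that later reaches
// innerHTML or $(...).html().
function renderNotificationUnsafe(title, href) {
  return '<a href="' + href + '">' + title + '</a>';
}

// Hardened form: each value is escaped for the exact context it lands in,
// and the URL is validated before it is attribute-escaped.
function renderNotification(title, href) {
  return '<a href="' + escapeHtmlAttr(safeHref(href)) + '">' + escapeHtml(title) + '</a>';
}

// Where the code writes into the live DOM instead of building a string, prefer
// el.textContent = title and el.setAttribute('href', safeHref(href)); those
// APIs never parse the value as markup, so no escaping is needed at all.
```

The two renderers take the same inputs, which makes the difference easy to check in a unit test: the unsafe one passes angle brackets and quotes through untouched, the hardened one returns markup in which the only tag is the anchor it built itself. AEM's own XSSAPI covers the server side; this is the client-side half that the scan was pointing at.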

badvision commented 7 years ago

Ok, I can read a generated report just as well as you can, but can you demonstrate the flaw and confirm it? AEM provides a lot of XSS protection out of the box, so your scanner might not be taking that into account.

justinedelson commented 7 years ago

@LambaSwati any update on this?

stale[bot] commented 6 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.