Custodela / iGoat-Swift

OWASP iGoat (Swift) - A Damn Vulnerable Swift Application for iOS
https://igoatapp.com/
GNU General Public License v3.0

CX Client_Remote_File_Inclusion @ igoat-swift/igoat-swift/resources/html/splash.html [master] #62

Open tsunez opened 3 years ago

tsunez commented 3 years ago

Client_Remote_File_Inclusion issue exists @ igoat-swift/igoat-swift/resources/html/splash.html in branch master

The application loads an external library or source code file using "https://platform.twitter.com/widgets.js", at line 16 of igoat-swift\igoat-swift\resources\html\splash.html. An attacker might be able to exploit this and cause the application to load arbitrary code. Note that the client application retrieves the external JavaScript library from a remote third-party server. It might be possible to exploit this trust model and cause the user's browser to load and execute arbitrary code.

Severity: Low

CWE:829

Vulnerability details and guidance

Checkmarx

Recommended Fix

Lines: 16, 27

Code (Line #16):

    &nbsp;&nbsp;&nbsp;Swaroop Yermalkar <a href="https://twitter.com/swaroopsy?ref_src=twsrc%5Etfw" class="twitter-follow-button" data-show-count="false">Follow @swaroopsy</a><script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>

Code (Line #27):

    Get latest updates about project <a href="https://twitter.com/owaspigoat?ref_src=twsrc%5Etfw" class="twitter-follow-button" data-show-count="false">Follow @owaspigoat</a><script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>

tsunez commented 3 years ago

Issue still exists.

SUMMARY

Issue has 2 vulnerabilities left to be fixed (please scroll to the top for more information).

tsunez commented 3 years ago

Issue still exists.

SUMMARY

Issue has 2 vulnerabilities left to be fixed (please scroll to the top for more information).