Open mayank2k2 opened 7 years ago
Vranda, we are doing security testing, kindly work on reported issues and do let me know the progress.
Hi Mayank, I am looking into this. Thanks! Vranda
What is the status?
Hi Mayank, I have done the analysis on this and found that HTML tags are being allowed in the system. Please confirm that we need to restrict the HTML tags according to the ticket request. Thanks! Vranda
Definitely, but how will you do it? And what tags will we cover?
Hi Mayank, We can enable XSS filter functionality in the application so as to remove all HTML tags entered anywhere in the entire application. Please suggest whether this approach would be suitable for resolving the issue going forward. Thanks! Vranda
While testing for the OWASP Top 10 flaws on the URL http://www.uat.oxfordmaths.co.in, the application was found to be certainly vulnerable to the following security issues, details of which are given below:
1) While viewing the student details through any one of the user roles (OUPadmin, Admin, Teacher), some instances of reflected XSS vulnerabilities were found, and it is possible for an adversary to embed a malicious script into that field and execute it. Please find below the field name, the script used and the screencast reference for POC purposes.
Field name: First name
Script used (encoded): \u003cscript\u003ealert\u00281\u0029\u003b\u003c\u002fscript\u003e
Screencast for reference: https://www.screencast.com/t/PCKQ3Mii
Steps to reproduce:
a) Open the application using OUPadmin, Admin or Teacher credentials
b) Click on Advance search
c) Select school as "OUP test school"
d) Click on Search; it will display the entries for all students in the OUP test school
e) Open the record of any student and enter the encoded script in the First name field
f) Click on the Save button

2) While viewing the teacher details through any one of the user roles (OUPadmin, Admin, Teacher), some instances of reflected XSS vulnerabilities were found, and it is possible for an adversary to embed a malicious script into that field and execute it. Please find below the field name, the script used and the screencast reference for POC purposes.
Script used (encoded): \u003cscript\u003ealert\u00281\u0029\u003b\u003c\u002fscript\u003e
Screencast for reference: https://www.screencast.com/t/YHqtH6jLAa
Steps to reproduce:
a) Open the application using OUPadmin, Admin or Teacher credentials
b) Click on Advance search
c) Select school as "OUP test school" and select Teacher
d) Click on Search; it will display the entries for all teachers in the OUP test school
e) Open the record of any student and enter the encoded script in the First name field
f) Click on the Save button

3) While using the Advance search option through any one of the user roles (OUPadmin, Admin, Teacher), if an adversary puts a malicious script into any of the mentioned fields, the application becomes unresponsive and goes into an infinite loop; it also displays both the student and teacher table headers without any entries in the background, which indicates a business logic flaw. Please find below the field names, the script used and the screencast reference for POC purposes.
Field names: School code, Username, First name, Middle name, Last name
Script used: <script>
Screencast for reference: https://www.screencast.com/t/lbyONXiO
Steps to reproduce:
a) Open the application using OUPadmin, Admin or Teacher credentials
b) Click on Advance search
c) Select school as "OUP test school"
d) Click on Search
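The fix proposed in the thread is an application-wide filter that strips HTML tags, yet the reported payload contains no literal `<` or `>` at all: it is written with JavaScript unicode escapes (`\u003c` ...), which only become `<` once a JavaScript parser reads them inside a string literal. The following is an added example, not code from the oxfordmaths application or from either participant. It assumes, purely for illustration, that the First name value is reflected into an inline JavaScript string such as `var firstName = "...";` (the report does not say where the value lands). It shows that a tag-stripping filter leaves the escaped payload untouched and the parser turns it into `<script>alert(1);</script>`, while context-aware output encoding (entity encoding for HTML text, `\xHH`/`\uHHHH` encoding for JavaScript string literals, backslash included) leaves it inert. The decoder is a simplified model of the parser's handling of string-literal escapes, not a real JavaScript engine.

```javascript
// Added example (not from the original issue or the application under test).
// Assumption: the "First name" value is reflected into an inline JavaScript
// string literal such as `var firstName = "<value>";`. That context is a
// guess for illustration; the report does not say where the value lands.

// Payload exactly as reported: literal backslashes, no literal '<' or '>'.
const REPORTED_PAYLOAD =
  String.raw`\u003cscript\u003ealert\u00281\u0029\u003b\u003c\u002fscript\u003e`;

// The fix proposed in the thread: strip anything that looks like an HTML tag.
function stripTags(input) {
  return input.replace(/<[^>]*>/g, '');
}

// Simplified model of what a JavaScript parser does with \xHH and \uHHHH
// escapes inside a string literal (single pass, no re-scanning of output).
function decodeJsStringEscapes(literalBody) {
  return literalBody.replace(
    /\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})/g,
    (_, hex2, hex4) => String.fromCharCode(parseInt(hex2 || hex4, 16))
  );
}

// Context-aware encoders: the fix a reviewer would ask for instead of a filter.
// HTML text / attribute context: entity-encode the five significant characters.
function encodeForHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context: encode every non-alphanumeric character,
// including the backslash, so the attacker cannot supply their own escapes.
function encodeForJsString(input) {
  return input.replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Simulate a server-side template dropping the value into a <script> block,
// then what the browser's JS engine sees once the literal has been parsed.
function renderIntoInlineScript(value, encoder) {
  const literalBody = encoder(value);
  return {
    markup: 'var firstName = "' + literalBody + '";',
    parsedValue: decodeJsStringEscapes(literalBody),
  };
}

// With the tag-stripping filter the payload survives unchanged and decodes to
// a live script tag; with JS-string encoding it decodes back to the inert text
// the attacker typed (backslashes and all).
const filtered = renderIntoInlineScript(REPORTED_PAYLOAD, stripTags);
const encoded = renderIntoInlineScript(REPORTED_PAYLOAD, encodeForJsString);
console.log('strip-tags markup       :', filtered.markup);
console.log('strip-tags parsed value :', filtered.parsedValue);
console.log('js-encoded parsed value :', encoded.parsedValue);
console.log('html-encoded for display:', encodeForHtml(filtered.parsedValue));
```

The point for the ticket: a filter that removes tags on input does nothing for a value that is reflected into a script context, and it also mangles legitimate names; the durable fix is to encode on output for the exact context (HTML body, attribute, or JavaScript string) the value is written into.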