Closed magneticstain closed 7 years ago
All CLData APIs display results using the json content-type, assuring results aren't parsed as code by browsers.

Basic listing stats are all performed through the function Statscream.updateListingStat. This function utilizes the $.text() jQuery method to update the stat container text, utilizing the built-in special-character encoding that comes with it.
```javascript
Statscream.updateListingStat = function(selector, apiUrl, returnDataType, returnFieldNum){
    /*
        Query Calc API for requested stat and update the dataSink with the results
    */

    var stat = '---';
    var statWrapper = selector;

    if(typeof returnFieldNum === 'undefined')
    {
        returnFieldNum = 0;
    }

    $.ajax({
        url: apiUrl,
        dataType: 'json',
        success: function(calcData){
            // check if API req was successful
            if(calcData.success)
            {
                // parse stat
                stat = DataTron.formatReturnData(returnDataType, calcData.result[0][returnFieldNum]);
            }

            // update view w/ results
            // .text() sets the node's text content, so the stat is never parsed as HTML
            statWrapper.children('p').text(stat);
        },
        error: function(){
            var errorBot = new ErrorBot(2, 'Could not access Calc API');
            errorBot.displayError();
            errorBot.logErrorToConsole();
        }
    });
};
```
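As an added illustration of the two points above (JSON content-type on the API side, text-only rendering on the client side), here is a testable version of the response handling in updateListingStat. It is example code, not CLTools code: it checks the Content-Type header before parsing, guards the `result[0][returnFieldNum]` shape the original assumes, and falls back to the `'---'` placeholder on any failure. `DataTron.formatReturnData` is not defined on this page, so `formatStat` below is an assumed stand-in with two hypothetical return types.

```javascript
// Added example, not CLTools code. Hardened extraction of a stat from a
// Calc API response, mirroring Statscream.updateListingStat.
const PLACEHOLDER = '---';

// Assumed stand-in for DataTron.formatReturnData (not on the page).
function formatStat(returnDataType, value) {
  if (returnDataType === 'currency') {
    return '$' + Number(value).toFixed(2);
  }
  if (returnDataType === 'integer') {
    return String(Math.trunc(Number(value)));
  }
  return String(value);
}

// contentType: value of the response's Content-Type header
// body: raw response body as a string
// Returns the formatted stat, or PLACEHOLDER if anything is off.
function extractStat(contentType, body, returnDataType, returnFieldNum = 0) {
  // Only a JSON response is parsed; an HTML body (e.g. a server error page
  // returned with the wrong type) is ignored instead of reaching the DOM.
  if (typeof contentType !== 'string' || !/^application\/json\b/i.test(contentType)) {
    return PLACEHOLDER;
  }
  let calcData;
  try {
    calcData = JSON.parse(body);
  } catch (e) {
    return PLACEHOLDER;
  }
  // The original indexes calcData.result[0][returnFieldNum] unguarded;
  // an empty result set would throw inside the success callback.
  if (!calcData || calcData.success !== true || !Array.isArray(calcData.result)) {
    return PLACEHOLDER;
  }
  const row = calcData.result[0];
  if (row === null || typeof row !== 'object'
      || !Object.prototype.hasOwnProperty.call(row, returnFieldNum)) {
    return PLACEHOLDER;
  }
  const value = row[returnFieldNum];
  // Only scalar stats are rendered; nested objects are not a valid stat.
  if (typeof value !== 'number' && typeof value !== 'string') {
    return PLACEHOLDER;
  }
  return formatStat(returnDataType, value);
}
```

The returned string is still written to the container with `.text()` (or `textContent`), which is what keeps a string such as `"<b>1</b>"` from being interpreted as markup.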
OWASP checklist completed.
https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet#The_Checklist
sqlmap testing to be performed on CLData API URLs:

/CLTools/CLData/api/v1/calc/?m=avg&f=price&o=desc
/CLTools/CLData/api/v1/calc/?m=count&f=location&o=desc&l=1
/CLTools/CLData/api/v1/metrics/?t=monthly
/CLTools/CLData/api/v1/metrics/?f=price&t=daily&o=avg
Results coming soon.
OWASP ZAP scans show no vulns
sqlmap scan shows no vulns as well.
Security review complete.
Completed with commit https://github.com/magneticstain/CLTools/commit/66f84f6c8e3643a21dfbf5f1923fc7092822a327
Once the release has been tested and is ready for release, developers should perform a final review of the code for any potential security issues.
This may include usage of external tools, both for black and white box analysis.