Title: XSS_Injection Vulnerability on PUT:/api/v1/savings-account/savings-account
Project: Bismillah
Description:
Assertion
Name: XSS Injection ( 1 )
Overview: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
Looking forward to generic implementations, developers tend to expose all object properties without considering their individual sensitivity, relying on clients to perform the data filtering before displaying it to the user.
Security misconfiguration is commonly a result of insecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS), and verbose error messages containing sensitive information.
Severity: Cross-Site Scripting is consistently ranked at top 1 in 2017 OWASP Top 10, 2013 OWASP Top 10 and is ranked at Top 8 in 2019 OWASP API Top 10. ( 2 )( 3 )( 4 ).
Vulnerability Impact: When successfully injected and executed, XSS attack can lead to following consequences ( 1 )
Capturing sensitive information viewed by application users
Hijacking another user’s browser session and takeover of the account
The disclosure of end user files and/or installation of Trojan horse programs
Pseudo defacement of the application
Port scanning of internal hosts (“internal” in relation to the users of the web application)
Data enters a Web application through an untrusted source, most frequently a web request.
The data is included in dynamic content that is sent to a web user without being validated for malicious content.
The malicious content sent to the web browser often takes the form of a segment of JavaScript, but may also include HTML, Flash, or any other type of code that the browser may execute
Remediation: With the following guidelines, XSS Injection attack can be prevented ( 5 ).
Never Insert Untrusted Data Except in Allowed Locations
HTML Escape Before Inserting Untrusted Data into HTML Element Content
Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values
CSS Escape And Strictly Validate Before Inserting Untrusted Data into HTML Style Property Values
URL Escape Before Inserting Untrusted Data into HTML URL Parameter Values
Title: XSS_Injection Vulnerability on PUT:/api/v1/savings-account/savings-account Project: Bismillah Description:
Assertion Name: XSS Injection ( 1 )
Overview: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
Looking forward to generic implementations, developers tend to expose all object properties without considering their individual sensitivity, relying on clients to perform the data filtering before displaying it to the user.
Security misconfiguration is commonly a result of insecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS), and verbose error messages containing sensitive information.
Severity: Cross-Site Scripting is consistently ranked at top 1 in 2017 OWASP Top 10, 2013 OWASP Top 10 and is ranked at Top 8 in 2019 OWASP API Top 10. ( 2 )( 3 )( 4 ).
Vulnerability Impact: When successfully injected and executed, XSS attack can lead to following consequences ( 1 )
- Capturing sensitive information viewed by application users
- Hijacking another user’s browser session and takeover of the account
- The disclosure of end user files and/or installation of Trojan horse programs
- Pseudo defacement of the application
- Port scanning of internal hosts (“internal” in relation to the users of the web application)
Exploitation: Cross-Site Scripting (XSS) attacks occur when: ( 1 ).The malicious content sent to the web browser often takes the form of a segment of JavaScript, but may also include HTML, Flash, or any other type of code that the browser may execute
Remediation: With the following guidelines, XSS Injection attack can be prevented ( 5 ).
- Never Insert Untrusted Data Except in Allowed Locations
- HTML Escape Before Inserting Untrusted Data into HTML Element Content
- Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
- JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values
- CSS Escape And Strictly Validate Before Inserting Untrusted Data into HTML Style Property Values
- URL Escape Before Inserting Untrusted Data into HTML URL Parameter Values
References:Risk: XSS_Injection Severity: Medium API Endpoint: http://netbanking.apisec.ai:8080/api/v1/savings-account/savings-account Environment: Master_github Playbook: ApiV1SavingsAccountSavingsAccountPutBodyParamXssInjection Researcher: [apisec Bot]
QUICK TIPS
Suggestion: Effort Estimate: 4.0 Hrs Wire Logs: 07:19:47 [D] [AVSASAPBPXInjection] : Endpoint [http://netbanking.apisec.ai:8080/api/v1/savings-account/savings-account] 07:19:47 [D] [AVSASAPBPXInjection] : Method [PUT] 07:19:47 [D] [AVSASAPBPXInjection] : Authorization [Default] 07:19:47 [D] [AVSASAPBPXInjection] : Request headers [[Accept:"application/json", Content-Type:"application/json", Authorization=[**]]] 07:19:47 [D] [AVSASAPBPXInjection] : Request [{ "accountBalance" : 1026463016, "accountNumber" : 1026463016, "createdBy" : "", "createdDate" : "", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "user" : { "createdBy" : "", "createdDate" : "", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "name" : "", "version" : "" }, "version" : "" }] 07:19:47 [D] [AVSASAPBPXInjection] : Status code [200] 07:19:47 [D] [AVSASAPBPXInjection] : Response headers [[X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY", Set-Cookie:"SESSION=ZjY5MDZiMTQtODNhNC00OWVjLWFmMzAtN2M5YzY1ODA0Yzk4; Path=/; HttpOnly", Content-Type:"application/json;charset=UTF-8", Transfer-Encoding:"chunked", Date:"Thu, 26 May 2022 07:19:46 GMT"]] 07:19:47 [D] [AVSASAPBPXInjection] : Response [{ "requestId" : "None", "requestTime" : "2022-05-26T07:19:47.242+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "Unable to find com.fxlabs.issues.dao.entity.users.Users with id ; nested exception is javax.persistence.EntityNotFoundException: Unable to find com.fxlabs.issues.dao.entity.users.Users with id " } ], "data" : null, "totalPages" : 0, "totalElements" : 0 }] 07:19:47 [D] [AVSASAPBPXInjection] : Response time [457] 07:19:47 [D] [AVSASAPBPXInjection] : Response size [367] 07:19:47 [E] [AVSASAPBPXInjection] : Assertion [@StatusCode != 200] resolved-to [200 != 200] result [Failed] 07:19:48 [D] [AVSASAPBPXInjection] : Endpoint [http://netbanking.apisec.ai:8080/api/v1/savings-account/savings-account] 07:19:48 [D] [AVSASAPBPXInjection] : Method [PUT] 07:19:48 [D] [AVSASAPBPXInjection] : Authorization [Default] 07:19:48 [D] [AVSASAPBPXInjection] : Request headers [[Accept:"application/json", Content-Type:"application/json", Authorization=[**]]] 07:19:48 [D] [AVSASAPBPXInjection] : Request [{ "accountBalance" : 453209689, "accountNumber" : 453209689, "createdBy" : "", "createdDate" : "", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "user" : { "createdBy" : "", "createdDate" : "", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "name" : "