testexchange's People
testexchange's Issues
Cross Site Scripting (Reflected)
Risk: informational
Details
- ID: 49d5597c-8872-41d5-9873-f1f4f9c07eea
Description
Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript, ActiveX, Java, Flash, or any other browser-supported technology.
When an attacker gets a user's browser to execute his/her code, the code will run within the security context (or zone) of the hosting web site. With this level of privilege, the code has the ability to read, modify and transmit any sensitive data accessible by the browser. A Cross-site Scripted user could have his/her account hijacked (cookie theft), their browser redirected to another location, or possibly shown fraudulent content delivered by the web site they are visiting. Cross-site Scripting attacks essentially compromise the trust relationship between a user and the web site. Applications utilizing browser object instances which load content from the file system may execute code under the local machine zone allowing for system compromise.
There are three types of Cross-site Scripting attacks: non-persistent, persistent and DOM-based.
Non-persistent attacks and DOM-based attacks require a user to either visit a specially crafted link laced with malicious code, or visit a malicious web page containing a web form, which when posted to the vulnerable site, will mount the attack. Using a malicious form will oftentimes take place when the vulnerable resource only accepts HTTP POST requests. In such a case, the form can be submitted automatically, without the victim's knowledge (e.g. by using JavaScript). Upon clicking on the malicious link or submitting the malicious form, the XSS payload will get echoed back and will get interpreted by the user's browser and execute. Another technique to send almost arbitrary requests (GET and POST) is by using an embedded client, such as Adobe Flash.
Persistent attacks occur when the malicious code is submitted to a web site where it's stored for a period of time. Examples of an attacker's favorite targets often include message board posts, web mail messages, and web chat software. The unsuspecting user is not required to interact with any additional site/link (e.g. an attacker site or a malicious link sent via email), just simply view the web page containing the code.
References
http://projects.webappsec.org/Cross-Site-Scripting
http://cwe.mitre.org/data/definitions/79.html
Recommendation
Phase: Architecture and Design
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
Phases: Implementation; Architecture and Design
Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.
For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters.
Consult the XSS Prevention Cheat Sheet for more details on the types of encoding and escaping that are needed.
Phase: Architecture and Design
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.
Phase: Implementation
For every web page that is generated, use and specify a character encoding such as ISO-8859-1 or UTF-8. When an encoding is not specified, the web browser may choose a different encoding by guessing which encoding is actually being used by the web page. This can cause the web browser to treat certain sequences as special, opening up the client to subtle XSS attacks. See CWE-116 for more mitigations related to encoding/escaping.
To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as "red" or "blue."
Ensure that you perform input validation at well-defined interfaces within the application. This will help protect the application even if a component is reused or moved elsewhere.
Affected Hosts
- Affected Hosts:
Horangi detected this issue on 2019-04-13 10:33:36.283723
Variables should be declared explicitly
Risk: critical
Description
JavaScript variable scope can be particularly difficult to understand and get
right. The situation gets even worse when you consider the accidental
creation of global variables, which is what happens when you declare a
variable inside a function or the for
clause of a for-loop without using the
let
, const
or var
keywords.
let
and const
were introduced in ECMAScript 2015, and are now the
preferred keywords for variable declaration.
Noncompliant Code Example
function f(){
i = 1; // Noncompliant; i is global
for (j = 0; j < array.length; j++) { // Noncompliant; j is global now too
// ...
}
}
Compliant Solution
function f(){
var i = 1;
for (let j = 0; j < array.length; j++) {
// ...
}
}
Recommendation
Add the "let", "const" or "var" keyword to this declaration of "solutionSetup" to make it explicit.
Code
Link : https://github.com/ts33/nmap-app/blob/5741340b0c4f6e8abc6cfad6f79e9993a57a9e87/peacock/scan_parser.js#L18
Author: [email protected]
Link : https://github.com/ts33/nmap-app/blob/5741340b0c4f6e8abc6cfad6f79e9993a57a9e87/peacock/db_helper.js#L35
Author: [email protected]
Link : https://github.com/ts33/nmap-app/blob/5741340b0c4f6e8abc6cfad6f79e9993a57a9e87/peacock/scan_parser.js#L31
Author: [email protected]
Link : https://github.com/ts33/nmap-app/blob/5741340b0c4f6e8abc6cfad6f79e9993a57a9e87/peacock/scan_parser.js#L36
Author: [email protected]
Link : https://github.com/ts33/nmap-app/blob/5741340b0c4f6e8abc6cfad6f79e9993a57a9e87/peacock/test/files/expected.js#L1
Author: [email protected]
Link : https://github.com/ts33/nmap-app/blob/5741340b0c4f6e8abc6cfad6f79e9993a57a9e87/peacock/scan_parser.js#L10
Author: [email protected]
Link : https://github.com/ts33/nmap-app/blob/5741340b0c4f6e8abc6cfad6f79e9993a57a9e87/peacock/scan_parser.js#L131
Author: [email protected]
Link : https://github.com/ts33/nmap-app/blob/5741340b0c4f6e8abc6cfad6f79e9993a57a9e87/peacock/scan_parser.js#L27
Author: [email protected]
Link : https://github.com/ts33/nmap-app/blob/5741340b0c4f6e8abc6cfad6f79e9993a57a9e87/peacock/scan_parser.js#L64
Author: [email protected]
Link : https://github.com/ts33/nmap-app/blob/5741340b0c4f6e8abc6cfad6f79e9993a57a9e87/peacock/scan_parser.js#L78
Author: [email protected]
Link : https://github.com/ts33/nmap-app/blob/5741340b0c4f6e8abc6cfad6f79e9993a57a9e87/peacock/scan_parser.js#L79
Author: [email protected]
Link : https://github.com/ts33/nmap-app/blob/5741340b0c4f6e8abc6cfad6f79e9993a57a9e87/peacock/scan_parser.js#L81
Author: [email protected]
Link : https://github.com/ts33/nmap-app/blob/5741340b0c4f6e8abc6cfad6f79e9993a57a9e87/peacock/scan_parser.js#L82
Author: [email protected]
Link : https://github.com/ts33/nmap-app/blob/5741340b0c4f6e8abc6cfad6f79e9993a57a9e87/peacock/scan_parser.js#L83
Author: [email protected]
Link : https://github.com/ts33/nmap-app/blob/5741340b0c4f6e8abc6cfad6f79e9993a57a9e87/peacock/scan_parser.js#L85
Author: [email protected]
Link : https://github.com/ts33/nmap-app/blob/5741340b0c4f6e8abc6cfad6f79e9993a57a9e87/peacock/scan_parser.js#L87
Author: [email protected]
Link : https://github.com/ts33/nmap-app/blob/5741340b0c4f6e8abc6cfad6f79e9993a57a9e87/peacock/scan_parser.js#L89
Author: [email protected]
Link : https://github.com/ts33/nmap-app/blob/5741340b0c4f6e8abc6cfad6f79e9993a57a9e87/peacock/scan_parser.js#L93
Author: [email protected]
Link : https://github.com/ts33/nmap-app/blob/5741340b0c4f6e8abc6cfad6f79e9993a57a9e87/peacock/scan_parser.js#L98
Author: [email protected]
Link : https://github.com/ts33/nmap-app/blob/5741340b0c4f6e8abc6cfad6f79e9993a57a9e87/peacock/scan_parser.js#L99
Author: [email protected]
Link : https://github.com/ts33/nmap-app/blob/5741340b0c4f6e8abc6cfad6f79e9993a57a9e87/peacock/scan_parser.js#L100
Author: [email protected]
Link : https://github.com/ts33/nmap-app/blob/5741340b0c4f6e8abc6cfad6f79e9993a57a9e87/peacock/scan_parser.js#L103
Author: [email protected]
Link : https://github.com/ts33/nmap-app/blob/5741340b0c4f6e8abc6cfad6f79e9993a57a9e87/peacock/scan_parser.js#L112
Author: [email protected]
Link : https://github.com/ts33/nmap-app/blob/5741340b0c4f6e8abc6cfad6f79e9993a57a9e87/peacock/scan_parser.js#L113
Author: [email protected]
Link : https://github.com/ts33/nmap-app/blob/5741340b0c4f6e8abc6cfad6f79e9993a57a9e87/peacock/scan_parser.js#L135
Author: [email protected]
Link : https://github.com/ts33/nmap-app/blob/5741340b0c4f6e8abc6cfad6f79e9993a57a9e87/peacock/scan_parser.js#L136
Author: [email protected]
Link : https://github.com/ts33/nmap-app/blob/5741340b0c4f6e8abc6cfad6f79e9993a57a9e87/peacock/scan_parser.js#L137
Author: [email protected]
Link : https://github.com/ts33/nmap-app/blob/5741340b0c4f6e8abc6cfad6f79e9993a57a9e87/peacock/scan_parser.js#L138
Author: [email protected]
Link : https://github.com/ts33/nmap-app/blob/5741340b0c4f6e8abc6cfad6f79e9993a57a9e87/peacock/test/scan_parser_test.js#L13
Author: [email protected]
Link : https://github.com/ts33/nmap-app/blob/5741340b0c4f6e8abc6cfad6f79e9993a57a9e87/peacock/test/scan_parser_test.js#L14
Author: [email protected]
Link : https://github.com/ts33/nmap-app/blob/5741340b0c4f6e8abc6cfad6f79e9993a57a9e87/peacock/test/scan_parser_test.js#L15
Author: [email protected]
Link : https://github.com/ts33/nmap-app/blob/5741340b0c4f6e8abc6cfad6f79e9993a57a9e87/peacock/test/scan_parser_test.js#L16
Author: [email protected]
Link : https://github.com/ts33/nmap-app/blob/5741340b0c4f6e8abc6cfad6f79e9993a57a9e87/peacock/test/scan_parser_test.js#L18
Author: [email protected]
Link : https://github.com/ts33/nmap-app/blob/5741340b0c4f6e8abc6cfad6f79e9993a57a9e87/peacock/test/scan_parser_test.js#L20
Author: [email protected]
Horangi detected this issue on 2019-04-14 06:21:40.379682
Selectors should not be duplicated
Risk: medium
Description
Duplication of selectors might indicate a copy-paste mistake. The rule detects
the following kinds of duplications:
- within a list of selectors in a single rule set
- for duplicated selectors in different rule sets within a single stylesheet.
Noncompliant Code Example
.foo, .bar, .foo { ... } /* Noncompliant */
.class1 { ... }
.class1 { ... } /* Noncompliant */
Compliant Solution
.foo, .bar { ... }
.class1 { ... }
.class2 { ... }
Recommendation
Unexpected duplicate selector "html", first used at line 8
Code
Link : https://github.com/horangi-ir/horangi_com/blob/8715fe2e509dedc672cbfce47bb6c2533f1b7273/public_html.new/css/selectize.css#L333
Author: [email protected]
Link : https://github.com/horangi-ir/horangi_com/blob/8715fe2e509dedc672cbfce47bb6c2533f1b7273/public_html.new/css/selectize.css#L393
Author: [email protected]
Link : https://github.com/horangi-ir/horangi_com/blob/8715fe2e509dedc672cbfce47bb6c2533f1b7273/public_html.new/scss/main.scss#L1066
Author: [email protected]
Link : https://github.com/ts33/KeyValueServer/blob/cba7e787aba30375656235bfcf3d793cb92a7e6f/coverage/lcov-report/base.css#L159
Author: [email protected]
Horangi detected this issue on 2019-04-13 10:33:31.859826
AWS Config should be enabled
Risk: high
Description
It was discovered that AWS Config Service was not enabled and recording in this region
Implication
AWS Config keeps track of changes in the configurations made to selected critical AWS resources. These audit trails will be useful to compliance teams during a security audit. During incident response, these trails can be useful to investigators to understand the timeline and the order in which events happened.
Recommendation
It is recommended that AWS Config Service is enabled to monitor the configuration changes made for all regions.
Remediation Steps:
- Sign in to the AWS Management Console and open the AWS Config console at https://console.aws.amazon.com/config/.
- Click Get Started to continue.
- Under Resource types to record do the following:
i. In the All resources category, ensure the box Record all resources supported in this region is checked. - Under Amazon S3 bucket* choose an option that is most relevant for your setup. The default option will create a new bucket.
- Optional: Under Amazon SNS topic configure an SNS topic for notifications.
- Under AWS Config role* select the Use an existing AWS Config service-linked role option.
- Click Next to continue.
- Go through the list of AWS Config rules and select all the rules which are relevant.
- Click Next to continue.
- Review the changes and click Confirm.
AWS Config is now enabled.
Parameters
Account gid: 886561456280
Region: us-east-1
Resource type : Configuration Recorder
Resources
None
Related Resources
None
Account gid: 886561456280
Region: us-east-2
Resource type : Configuration Recorder
Resources
None
Related Resources
None
Account gid: 886561456280
Region: us-west-1
Resource type : Configuration Recorder
Resources
None
Related Resources
None
Account gid: 886561456280
Region: us-west-2
Resource type : Configuration Recorder
Resources
None
Related Resources
None
Account gid: 886561456280
Region: ca-central-1
Resource type : Configuration Recorder
Resources
None
Related Resources
None
Account gid: 886561456280
Region: eu-central-1
Resource type : Configuration Recorder
Resources
None
Related Resources
None
Account gid: 886561456280
Region: eu-west-1
Resource type : Configuration Recorder
Resources
None
Related Resources
None
Account gid: 886561456280
Region: eu-west-2
Resource type : Configuration Recorder
Resources
None
Related Resources
None
Account gid: 886561456280
Region: eu-west-3
Resource type : Configuration Recorder
Resources
None
Related Resources
None
Account gid: 886561456280
Region: ap-northeast-1
Resource type : Configuration Recorder
Resources
None
Related Resources
None
Account gid: 886561456280
Region: ap-northeast-2
Resource type : Configuration Recorder
Resources
None
Related Resources
None
Account gid: 886561456280
Region: ap-southeast-1
Resource type : Configuration Recorder
Resources
None
Related Resources
None
Account gid: 886561456280
Region: ap-southeast-2
Resource type : Configuration Recorder
Resources
None
Related Resources
None
Account gid: 886561456280
Region: ap-south-1
Resource type : Configuration Recorder
Resources
None
Related Resources
None
Account gid: 886561456280
Region: sa-east-1
Resource type : Configuration Recorder
Resources
None
Related Resources
None
Horangi detected this issue on 2019-04-11 05:42:52.200051
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.