2

We are using HP fortify Audit Workbench 3.80 to assess vulnerabilities in our applications. Fortify marks the the following ExtJs JavaScript code as a Critical (the "worst") DOM XSS vulnerability:

function doAjaxCall(param1, param2, div) {
    var options = {
            url : url,
            params : {
                param1 : param1,
                param2 : param2
            },
            method: 'GET',
            success: function(response, options) {
                processResponse(response, div);
            },
            failure: function(response, options) {
                doSomethingElse();
            }
    };
    Ext.Ajax.request(options);
}


function processResponse(response, div) {
     // SECURITY ISSUE HERE
     document.getElementById(div).innerHTML = '<br>' +
            'An error occurred with status code ' 
             + response.status + 
             '<br><br>';  
}

response is the response returned from an AJAX request.

Fortify says :

method "processResponse" sends unvalidated data to a web browser on line 100, which can result in the browser executing malicious code.

I understand the issue and why it is an issue. What I do not know is how to sanitize the input with ESAPI. We are using ESAPI successfully for issues in our Java code, but I am not sure to resolve this specific issue in JavaScript.

I did find this JavaScript ESAPI library, ESAPI4JS, but I work in an extremely high security environment, and I do not have access to this library whatsoever.

How can I use ESAPI to sanitize the response?

EDIT

Added full ajax request code per user request.

Improve this question
4
  • @GeorgeStocker processResponse exists on the client side. It is javascript function containing the line of code I included in the question. Commented Jan 29, 2015 at 16:54
  • @GeorgeStocker It is just a wrapper function for the AJAX success callback. Commented Jan 29, 2015 at 17:06
  • You may want to include that in the code itself to give a clearer picture of what we're seeing. Commented Jan 29, 2015 at 17:15
  • @GeorgeStocker It truly is just a wrapper. I have added the code anyway. Commented Jan 29, 2015 at 18:08

2 Answers 2

Reset to default
0

Check the Snyk example at https://learn.snyk.io/lesson/dom-based-xss/ where they provide an example in the form of:

var ESAPI = require('node-esapi');
document.body.style.color =
  'url(<%=ESAPI.encoder().encodeForJS(ESAPI.encoder().encodeForURL(color))%>)';

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

-2

Vulnerable:

document.write("Site is at: " + document.location + ".");

Not vulnerable: org.owasp.esapi.ESAPI.initialize(); document.write($ESAPI.encoder().encodeForHTML("Site is at: "+document.location));

You will need to initialize it before use. There is documentation on owasp's site.

@GeorgeStocker is wrong. A dom based xss typically is most dangerous because it cannot be handled server side. A perfect example would be the above which could easily be exploited by using a # before some code.

Also most client side xss filters can be bypassed by using onerror.

ey3

Improve this answer

3 Comments

I think that code is from ESAPI4JS, is it not? I do not have access to that library.
I didn't read that it was 'document.location'; that makes sense.
@JOsh If that Library has the right license (like MIT), you could potentially include the source in your app inline.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.