Details
Type: Feature Request
Resolution: Done
Priority: Major
Version/s: 1.0.0.M7, 1.0.0.M8
Description
Currently our demos allow code injection (XSS) by malicious web users; we need to sanitize the data to avoid this.
Examples:
curl -d "car.brand&car.color=javascript:alert('Geez')" http://controller-aerogear.rhcloud.com/aerogear-controller-demo/cars
curl -d "car.brand&car.color=%22'%3CaXliE%3E" http://controller-aerogear.rhcloud.com/aerogear-controller-demo/cars
curl -d "car.color&car.brand=%22'%3CaXliE%3E" http://controller-aerogear.rhcloud.com/aerogear-controller-demo/cars
The worst scenario:
- Login
curl -d "aeroGearUser.password=prompt('Please enter your password','Geez')&aeroGearUser.id=%22'%3CaXliE%3E" http://controller-aerogear.rhcloud.com/aerogear-controller-demo/login
curl -d "aeroGearUser.password=Abc123&aeroGearUser.id=%22'%3CaXliE%3E" http://controller-aerogear.rhcloud.com/aerogear-controller-demo/login
We can do the same on registration and OTP login.
- Registration
curl -d "aeroGearUser.password=Abc123&aeroGearUser.id=%22'%3CaXliE%3E" http://controller-aerogear.rhcloud.com/aerogear-controller-demo/register
- OTP Login
curl -d "aeroGearUser.otp=%22'%3CaXliE%3E" http://controller-aerogear.rhcloud.com/aerogear-controller-demo/otp
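The mitigation the issue asks for is output encoding of every user-supplied field before it is reflected into the page, plus a scheme allow-list for any value that ends up as a link target, since entity-encoding alone does not neutralise the `javascript:alert('Geez')` value from the first example once it sits in an href. The following is an added, language-neutral illustration written for this issue; it is not code from AeroGear Controller (which is a Java project whose demo templates are not shown here). The function names, the `SAFE_URL_SCHEMES` set and the assumption that `car.brand`/`car.color` are rendered as element text are all hypothetical; the sample bodies are copied from the curl examples above.

```python
"""Output-encoding helpers for form fields reflected by a demo page.

Added illustration, not AeroGear Controller's own code: the demo's real
templates are not on this page, so the rendering shape below is assumed.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Schemes a user-supplied value may carry when rendered as a link target.
# "javascript:" (first curl example in the issue) is deliberately absent.
SAFE_URL_SCHEMES = {"http", "https"}

# Constructed sample bodies, taken from the curl examples in the issue.
SAMPLE_BODIES = {
    "cars_js_uri": "car.brand&car.color=javascript:alert('Geez')",
    "cars_markup": "car.brand&car.color=%22'%3CaXliE%3E",
    "login_markup": "aeroGearUser.password=Abc123&aeroGearUser.id=%22'%3CaXliE%3E",
}


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into field -> value.

    keep_blank_values keeps 'car.brand' from the examples even though it
    arrives with no '=' and no value (only the first value per field is kept).
    """
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def encode_for_html(value: str) -> str:
    """Entity-encode a value before placing it in element text or inside a
    quoted attribute. This is what defuses the %22'%3CaXliE%3E payload:
    the quotes and angle brackets can no longer close the attribute or
    open a tag."""
    return html.escape(value, quote=True)


def encode_for_url_attribute(value: str):
    """Prepare a value destined for href/src.

    Encoding does not stop 'javascript:alert(...)' from executing once it
    is a link target, so the scheme is checked against the allow-list
    first. Returns the attribute-encoded URL, or None if it must be dropped.
    """
    scheme = urlsplit(value.strip()).scheme.lower()
    if scheme and scheme not in SAFE_URL_SCHEMES:
        return None
    return html.escape(value, quote=True)


def render_car(body: str) -> str:
    """Build the HTML fragment a car listing would show for a submitted
    body, with both fields encoded for the text context they land in
    (assumed rendering; the demo's template is not on this page)."""
    fields = parse_form(body)
    brand = encode_for_html(fields.get("car.brand", ""))
    color = encode_for_html(fields.get("car.color", ""))
    return f"<li>{brand} ({color})</li>"


def render_user_id(body: str) -> str:
    """Same treatment for the login/register/OTP forms: the id is echoed
    as text, never the password or OTP (assumed rendering)."""
    fields = parse_form(body)
    return f"<p>Welcome, {encode_for_html(fields.get('aeroGearUser.id', ''))}</p>"


if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        print(name, "->", render_car(body) if name.startswith("cars") else render_user_id(body))
    print("link check:", encode_for_url_attribute("javascript:alert('Geez')"))
```

Running the block prints each sample body rendered with the markup inert; the link check returns `None`, meaning the value would be discarded rather than emitted into an href. Encoding has to be applied at output time per context (text, attribute, URL), not once on input, because the same stored value can be reflected in several places.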