Loading...

XML

Word

Printable

Details

Type: Feature Request
Resolution: Done
Priority: Major
Fix Version/s: 1.0.0.M8
Affects Version/s: 1.0.0.M7, 1.0.0.M8
Component/s: controller , examples, security
Labels:
None

Git Pull Request:
https://github.com/aerogear/aerogear-security/pull/7

Description

Currently our demos allows code injection (XSS) by malicious web users, we need to sanitize the data to void this.

Examples:

curl -d "car.brand&car.color=javascript:alert('Geez')" http://controller-aerogear.rhcloud.com/aerogear-controller-demo/cars

curl -d "car.brand&car.color=%22'%3CaXliE%3E" http://controller-aerogear.rhcloud.com/aerogear-controller-demo/cars

curl -d "car.color&car.brand=%22'%3CaXliE%3E" http://controller-aerogear.rhcloud.com/aerogear-controller-demo/cars

The worst scenario:

Login

curl -d "aeroGearUser.password=prompt('Please enter your password','Geez')&aeroGearUser.id=%22'%3CaXliE%3E" http://controller-aerogear.rhcloud.com/aerogear-controller-demo/login

curl -d "aeroGearUser.password=Abc123&aeroGearUser.id=%22'%3CaXliE%3E" http://controller-aerogear.rhcloud.com/aerogear-controller-demo/login

We can do the same on registration and OTP login

Registration

curl -d "aeroGearUser.password=Abc123&aeroGearUser.id=%22'%3CaXliE%3E" http://controller-aerogear.rhcloud.com/aerogear-controller-demo/register

OTP Login

curl -d "aeroGearUser.otp=%22'%3CaXliE%3E" http://controller-aerogear.rhcloud.com/aerogear-controller-demo/otp

Attachments

Activity

People

Assignee:: (inactive user) Bruno Oliveira Silva (Inactive)

Reporter:: (inactive user) Bruno Oliveira Silva (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2012/12/12 6:18 AM

Updated:: 2013/01/10 1:48 PM

Resolved:: 2013/01/10 1:48 PM