Monday, December 4, 2017

Veracode Reporting Vulnerabilities on GWT-generated nocache.js

We recently did a static security code scan using Veracode.

The Veracode report flagged the following two very-high-priority issues in the GWT-generated <module>.nocache.js.

CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (http://cwe.mitre.org/data/definitions/80.html)
Code: function f(a){if(a.match(/^\w+:\/\//)){}else{var b=m.createElement(ab);b.src=a+bb;a=e(b.src)}return a}

CWE-601: URL Redirection to Untrusted Site ('Open Redirect') (http://cwe.mitre.org/data/definitions/601.html)
Code: var I;function J(){if(!I){I=true;var a=m.createElement(xb);a.src=yb;a.id=Q;a.style.cssText=zb;a.tabIndex=-1;m.body.appendChild(a);n&&n({moduleName:Q,sessionId:o,subSystem:R,evtGroup:X,millis:(new Date).getTime(),type:Ab});a.contentWindow.location.replace(s+L)}}

We need help mitigating the above issues, or any GWT resource that could give us a good explanation.


Thanks for your help!!

--
You received this message because you are subscribed to the Google Groups "GWT Users" group.
Visit this group at https://groups.google.com/group/google-web-toolkit.
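Editor's note with an added example (not code from the message above, and not GWT's own sources): both findings point at the same value, the module base URL that nocache.js computes at load time. Reading the minified snippets against GWT's bootstrap sources (computeScriptBase and the std linker's iframe installer), `m` is the document, `ab` is 'img', `bb` is 'clear.cache.gif', `e` is the "directory of file" helper, `s` is the module base and `L` is the selected permutation's <strongName>.cache.html. The <img> in the first snippet is never attached to the page; it only exists so the browser resolves a relative base to an absolute URL. GWT derives that base from the host page itself (the src of the script tag that loaded nocache.js, a gwt:property baseUrl meta tag, or the page location), so no request parameter steers it; anyone who can change those already controls the page's script. The reconstruction below runs under Node with a stand-in document object and constructed URLs (no real module, origin or strong name), and adds the origin triage a reviewer should do before accepting or rejecting the scanner's verdict:

```javascript
// Added by the editor: a de-minified reconstruction of the two snippets
// Veracode flagged, plus the origin triage a reviewer should run on them.
// Not code from the post or from the GWT project; the stand-in `document`
// and the sample URLs are constructed so the logic runs under Node.

// GWT's bootstrap strips the query/fragment and keeps everything up to the
// last '/' (the `e(...)` call in the first snippet).
function getDirectoryOfFile(path) {
  let hashIndex = path.lastIndexOf('#');
  if (hashIndex === -1) hashIndex = path.length;
  let queryIndex = path.indexOf('?');
  if (queryIndex === -1) queryIndex = path.length;
  const slashIndex = path.lastIndexOf('/', Math.min(queryIndex, hashIndex));
  return slashIndex >= 0 ? path.substring(0, slashIndex + 1) : '';
}

// Stand-in for the browser `document`: reading img.src back from a real
// <img> yields the URL resolved against the page, which is the trick the
// bootstrap relies on. Constructed for this example.
function makeFakeDocument(pageUrl) {
  return {
    createElement(tag) {
      let raw = '';
      return {
        tagName: tag,
        set src(v) { raw = v; },
        get src() { return new URL(raw, pageUrl).href; },
      };
    },
  };
}

// First flagged snippet (CWE-80 finding), de-minified: `ab` is 'img',
// `bb` is 'clear.cache.gif', `m` is the document. The <img> is never
// attached to the DOM; it only exists to resolve a relative module base.
function ensureAbsoluteUrl(url, doc) {
  if (url.match(/^\w+:\/\//)) {
    // already absolute, nothing to do
  } else {
    const img = doc.createElement('img');
    img.src = url + 'clear.cache.gif';
    url = getDirectoryOfFile(img.src);
  }
  return url;
}

// Second flagged snippet (CWE-601 finding): the hidden iframe is navigated
// to moduleBase + initialHtml. In the std linker initialHtml is the selected
// permutation's '<strongName>.cache.html'.
function iframeTarget(moduleBase, initialHtml) {
  return moduleBase + initialHtml;
}

// The triage the scanner cannot do: is the module base an origin we meant to
// load code from? `allowedOrigins` covers a deliberate CDN deployment.
function classifyBase(moduleBase, pageUrl, allowedOrigins = []) {
  let parsed;
  try {
    parsed = new URL(moduleBase);
  } catch (e) {
    return 'invalid';
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {
    return 'unsafe-scheme'; // e.g. javascript: or data:
  }
  const pageOrigin = new URL(pageUrl).origin;
  if (parsed.origin === pageOrigin) return 'same-origin';
  return allowedOrigins.includes(parsed.origin) ? 'allowed-cdn' : 'cross-origin';
}

// End-to-end: from the src of the <script> tag that loaded nocache.js to the
// URL the iframe would be sent to, with a verdict on the base.
function triage(scriptSrc, pageUrl, strongName, allowedOrigins = []) {
  const doc = makeFakeDocument(pageUrl);
  const base = ensureAbsoluteUrl(getDirectoryOfFile(scriptSrc), doc);
  return {
    base,
    iframeUrl: iframeTarget(base, strongName + '.cache.html'),
    verdict: classifyBase(base, pageUrl, allowedOrigins),
  };
}

// Constructed sample inputs (no real module, origin or strong name).
const PAGE = 'https://example.test/site/index.html';
console.log(triage('app/App.nocache.js', PAGE, 'ABC123'));
console.log(triage('https://attacker.example/evil/App.nocache.js', PAGE, 'ABC123'));
```

The verdict is what decides the finding: a same-origin base, or a base on the CDN origin you deploy the compiled output to, means the "untrusted" URL is your own deployment, and the two findings are mitigated by configuration review rather than by a code change. A cross-origin or non-http(s) base in a real deployment is a misconfigured host page or an already-compromised one, which is the case worth an incident, not a GWT patch.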
