Penetration Testing Results - Some Issues



  • We recently had a pen test conducted against our application, and its ancillary components, and there were three moderate issues raised specifically for the jsreport server (v2.2.0). Please provide any input you can to help us mitigate these:

    Finding 1: Strict Transport Security Misconfiguration: There was no Strict-Transport-Security header in the server response. The HTTP Strict Transport Security policy defines a timeframe where a browser must connect to the web server via HTTPS.

    Is this configurable via the jsreport conf, or docker host?

    Finding 2: Auto-completed Password Fields: The password auto-complete feature allows users to have the browser automatically fill the password field with previously submitted values when a user begins entering the password. Unless specifically disabled, this feature is enabled by default.

    Can you confirm this was fixed in 2.4.0? If so, we will renew our subscription and update to the latest version

    Finding 3: DOM-Based Link Manipulation: DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of the DOM (for example, the URL) and processes this data in an unsafe way. DOM-based link manipulation arises when a script writes controllable data to a navigation target within the current page, such as a clickable link or the submission URL of a form.

    Problem line of code below is: form.action = window.location.pathname + window.location.search;

        var form = document.getElementById("loginForm");
        if (window.location.pathname.lastIndexOf("login", 0) === 0) {
            form.action = window.location.pathname + window.location.search;
        }
        else {
            if (window.location.search.indexOf("returnUrl") === -1) {
                form.action = "/login?returnUrl=" +
                    encodeURIComponent(window.location.pathname + window.location.hash +
                        window.location.search);
            } else {
                form.action = "/login" + window.location.search;
    <SNIP>
    

    This looks to be squarely in your code, and I can't see any mention of a fix in the release notes for versions after v2.2.0. Can you please comment?



  • Finding 1: Strict Transport Security Misconfiguration

    We will check if it is safe to add that header and if it helps something.
    You should be able to add it on your own if you run a web server in front of jsreport for now.

    Finding 2: Auto-completed Password Fields:

    This was fixed in jsreport 2.4.0

    Finding 3: DOM-Based Link Manipulation

    We will see what we can do with it.



  • Much appreciated Jan - I'll wait for a follow up!



  • Any news on the DOM-based link manipulation? This came up in a pen test for us as well.


  • administrators

    DOM-Based Link Manipulation: there is nothing we need to do here. The penetration test, in this case, reports a false positive. The vulnerability is described here; we are not vulnerable because we don't generate the dynamic form action value using user input, we use values from window.location, which is immutable, and if some script changes it, it causes a page refresh. The vulnerability description also contains a section that mentions that there can be false positives, and this is what is happening for jsreport.

    from the vulnerability description page:

    Burp Suite automatically identifies this issue using static code analysis, which may lead to false positives that are not actually exploitable. The relevant code and execution paths should be reviewed to determine whether this vulnerability is indeed present, or whether mitigations are in place that would prevent exploitation.
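
    The following is an added example, not jsreport's own code: the quoted branch logic rewritten as a pure function of a location-like object so it can be run outside a browser, together with the check that decides whether a "DOM-based link manipulation" hit is real: resolve the computed form action the way the browser would and see whether it can ever land on a different origin. The origin `https://jsreport.example`, the function names and the sample locations (including the attacker-shaped `returnUrl` and double-slash path values) are this example's own constructions. The check covers only where the login form posts, which is what the finding is about; what the server does with `returnUrl` after login is outside its scope.

```javascript
// Added example (not jsreport code). Mirrors the quoted snippet's conditions and
// string building exactly, but takes a location-like object instead of window.location.
"use strict";

function computeLoginAction(loc) {
  const { pathname, search, hash } = loc;
  // same test as the snippet: does the path start with "login"?
  if (pathname.lastIndexOf("login", 0) === 0) {
    return pathname + search;
  }
  if (search.indexOf("returnUrl") === -1) {
    // snippet concatenates pathname + hash + search, then encodes the whole thing
    return "/login?returnUrl=" + encodeURIComponent(pathname + hash + search);
  }
  return "/login" + search;
}

// Resolve a form action against the page origin the way a browser does and
// return the origin it would actually submit to.
function actionOrigin(action, pageOrigin) {
  return new URL(action, pageOrigin).origin;
}

// Link manipulation only matters if the action can leave the page's origin.
function isSameOriginAction(loc, pageOrigin = "https://jsreport.example") {
  return actionOrigin(computeLoginAction(loc), pageOrigin) === pageOrigin;
}

// Constructed sample locations (hypothetical origin jsreport.example), including
// the parts of the URL an attacker can choose when sending someone a link.
const SAMPLE_LOCATIONS = [
  { pathname: "/", search: "", hash: "" },
  { pathname: "/reports", search: "?x=1", hash: "#h" },
  { pathname: "/reports", search: "?returnUrl=%2Fdash", hash: "" },
  { pathname: "/reports", search: "?returnUrl=https://evil.example/", hash: "" },
  { pathname: "/reports", search: "?returnUrl=//evil.example/", hash: "" },
  { pathname: "//evil.example/x", search: "", hash: "" },
];

// true if no sample location can make the login form post off-origin.
function allSampleActionsSameOrigin() {
  return SAMPLE_LOCATIONS.every((loc) => isSameOriginAction(loc));
}

// Show each computed action next to the origin it resolves to.
function report() {
  return SAMPLE_LOCATIONS.map((loc) => {
    const action = computeLoginAction(loc);
    return { action, origin: actionOrigin(action, "https://jsreport.example") };
  });
}

console.table(report());
console.log("all same-origin:", allSampleActionsSameOrigin());
```

    Every computed action starts with either the current pathname (which always begins with a single "/") or the literal "/login", so resolution keeps the page origin; the `//evil.example/` cases are there to show that the check is not vacuous, since a bare protocol-relative action would resolve elsewhere.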


  • administrators

    Strict Transport Security Misconfiguration: about this, we are going to add a config that will allow setting general response headers for all requests. With that config the user will be able to set the Strict-Transport-Security header if they want to enforce HTTPS at the jsreport level, although we recommend that such a header is configured in nginx (when possible).
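
    As an added example (not jsreport code and not the announced config option, whose key is not named in the thread), the header value itself, a parser for it, and the check a scanner applies when it raises this finding. Whether you set it in nginx or on the Node response in front of jsreport, the same two details matter: a `max-age` that is long enough to be worth anything (one year is the usual floor), and setting it only on the HTTPS listener, because browsers discard HSTS received over plain HTTP. The function names and the `FakeResponse` helper are this example's own.

```javascript
// Added example (not jsreport code): build, parse and check a
// Strict-Transport-Security header as defined by RFC 6797.
"use strict";

const ONE_YEAR = 31536000; // seconds

// Build the header value. preload additionally requires includeSubDomains and
// a max-age of at least one year, so enforce that here rather than at deploy time.
function buildHstsHeader({ maxAgeSeconds = ONE_YEAR, includeSubDomains = true, preload = false } = {}) {
  if (!Number.isInteger(maxAgeSeconds) || maxAgeSeconds < 0) {
    throw new TypeError("maxAgeSeconds must be a non-negative integer");
  }
  const parts = [`max-age=${maxAgeSeconds}`];
  if (includeSubDomains) parts.push("includeSubDomains");
  if (preload) {
    if (!includeSubDomains || maxAgeSeconds < ONE_YEAR) {
      throw new Error("preload requires includeSubDomains and max-age >= 1 year");
    }
    parts.push("preload");
  }
  return parts.join("; ");
}

// Parse a header value into its directives. Directive names are case-insensitive
// and unknown directives are ignored, as the RFC requires.
function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false, preload: false };
  if (typeof value !== "string") return out;
  for (const raw of value.split(";")) {
    const directive = raw.trim();
    if (!directive) continue;
    const [name, val = ""] = directive.split("=").map((s) => s.trim());
    switch (name.toLowerCase()) {
      case "max-age":
        out.maxAge = /^\d+$/.test(val) ? Number.parseInt(val, 10) : null;
        break;
      case "includesubdomains":
        out.includeSubDomains = true;
        break;
      case "preload":
        out.preload = true;
        break;
      default:
        break;
    }
  }
  return out;
}

// The check behind the finding: header present, and max-age at least minAgeSeconds.
function checkHsts(headers, minAgeSeconds = ONE_YEAR) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === "strict-transport-security");
  if (!key) return { ok: false, reason: "Strict-Transport-Security header missing" };
  const parsed = parseHsts(headers[key]);
  if (parsed.maxAge === null) return { ok: false, reason: "max-age missing or malformed" };
  if (parsed.maxAge < minAgeSeconds) {
    return { ok: false, reason: `max-age ${parsed.maxAge} is below ${minAgeSeconds}` };
  }
  return { ok: true, reason: "ok" };
}

// Setter for a Node-style response object (anything with setHeader). Only call it
// from the HTTPS listener; HSTS received over http:// is ignored by browsers.
function setHsts(res, opts) {
  res.setHeader("Strict-Transport-Security", buildHstsHeader(opts));
  return res;
}

// Minimal stand-in for an http.ServerResponse, used to exercise setHsts offline.
class FakeResponse {
  constructor() { this.headers = {}; }
  setHeader(name, value) { this.headers[name] = value; }
}

// Weak setting as a scanner would flag it, beside the corrected one.
function demo() {
  const weak = checkHsts({ "Strict-Transport-Security": "max-age=300" });
  const fixed = checkHsts(setHsts(new FakeResponse()).headers);
  return { weak, fixed };
}

console.log(demo());
```

    `checkHsts` is also a useful post-deploy smoke test: fetch the jsreport URL over HTTPS from a script and run the response headers through it, since a proxy rule that applies only to one `location` block or only to the plain-HTTP server block is a common reason the finding comes back on a retest.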



  • Thanks for the feedback Boris!

