Penetration Testing Results - Some Issues



  • We recently had a pen test conducted against our application, and its ancillary components, and there were three moderate issues raised specifically for the jsreport server (v2.2.0). Please provide any input you can to help us mitigate these:

    Finding 1: Strict Transport Security Misconfiguration: There was no Strict-Transport-Security header in the server response. The HTTP Strict Transport Security policy defines a timeframe where a browser must connect to the web server via HTTPS.

    Is this configurable via the jsreport conf, or docker host?

    Finding 2: Auto-completed Password Fields: The password auto-complete feature allows users to have the browser automatically fill the password field with previously submitted values when a user begins entering the password. Unless specifically disabled, this feature is enabled by default.

    Can you confirm this was fixed in 2.4.0? If so, we will renew our subscription and update to the latest version

    Finding 3: DOM-Based Link Manipulation: DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of the DOM (for example, the URL) and processes this data in an unsafe way. DOM-based link manipulation arises when a script writes controllable data to a navigation target within the current page, such as a clickable link or the submission URL of a form.

    Problem line of code below is: form.action = window.location.pathname + window.location.search;

                var form = document.getElementById("loginForm"); 
                if (window.location.pathname.lastIndexOf("login", 0) === 0) { 
                    form.action = window.location.pathname + window.location.search; 
                } 
                else { 
                    if (window.location.search.indexOf("returnUrl") === -1) { 
                        form.action = "/login?returnUrl=" + 
    encodeURIComponent(window.location.pathname + window.location.hash + 
    window.location.search); 
                    } else { 
                        form.action = "/login" + window.location.search; 
    <SNIP>
    

    This looks to be squarely in your code, and I can't see any mention of a fix in the release notes for versions after v2.2.0. Can you please comment?



  • Finding 1: Strict Transport Security Misconfiguration

    We will check if it is safe to add that header and if it helps something.
    You should be able to add it on your own if you run a web server in front jsreport for now.

    Finding 2: Auto-completed Password Fields:

    This was fixed in jsreport 2.4.0

    Finding 3: DOM-Based Link Manipulation

    We will see what we can do with it.



  • Much appreciated Jan - I'll wait for a follow up!


Log in to reply
 

Looks like your connection to jsreport forum was lost, please wait while we try to reconnect.