VeraCode - This call to name() contains a cross-site scripting (XSS) flaw
Can anyone explain why VeraCode seems to think that using name as a public property is a bad idea, and suggest a good mitigation?
Code (JavaScript):
var BatchTask = (function () {
    function BatchTask(batchOrTask, isBatch) {
        if (isBatch) {
            // ... (batch branch elided in the original post)
        }
        else {
            var task = batchOrTask;
            this.name = task.name; // flaw identified on this line
        }
    }
    return BatchTask;
}());
Flaw: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Attack Vector: name
Description: This call to name() contains a cross-site scripting (XSS) flaw. The application populates the HTTP response with untrusted input, allowing an attacker to embed malicious content, such as Javascript code, which will be executed in the context of the victim's browser. XSS vulnerabilities are commonly exploited to steal or manipulate cookies, modify presentation of content, and compromise confidential information, with new attack vectors being discovered on a regular basis.
After consulting with Veracode, they confirmed that this is a false negative and a bug in their engine which they will investigate.
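The line Veracode flagged is a plain property copy: `this.name = task.name` neither encodes nor outputs anything, so it is not itself an XSS sink. The risk only materialises if `name` is later concatenated into markup or written through a raw-HTML API. The following is an added example, not code from the question or from Veracode, showing that distinction and the standard mitigation (output encoding at the point where the value enters HTML). The batch branch of the constructor and the `renderUnsafe`/`renderSafe`/`escapeHtml` helpers are assumptions introduced here for illustration; the task name is a constructed sample.

```javascript
// Added example (not from the original post): why a property copy is not the
// sink, and where the mitigation for the CWE-80 finding actually belongs.

// Mirrors the constructor from the question. The batch branch is an
// assumption, since the original post elides it.
function BatchTask(batchOrTask, isBatch) {
  if (isBatch) {
    this.name = batchOrTask.name; // assumed: batches carry a name too
  } else {
    var task = batchOrTask;
    this.name = task.name; // plain property copy: no encoding, no output
  }
}

// Output encoding for an HTML text or quoted-attribute context: encode the
// five characters that can change the parse. '&' must be first so that the
// entities produced by the later replacements are not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The real sink: the untrusted name is concatenated into markup verbatim.
function renderUnsafe(task) {
  return '<li class="task">' + task.name + '</li>';
}

// Mitigated: the same value is encoded at the point of output, so any markup
// inside the name is shown as literal text instead of being parsed.
function renderSafe(task) {
  return '<li class="task">' + escapeHtml(task.name) + '</li>';
}

// Constructed sample input: a task whose name contains HTML metacharacters.
var untrustedTask = new BatchTask({ name: 'Nightly <b>build</b> & "release"' }, false);

// Stand-alone demonstration when run directly under Node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('stored name :', untrustedTask.name);
  console.log('unsafe html :', renderUnsafe(untrustedTask));
  console.log('safe html   :', renderSafe(untrustedTask));
}
```

In a browser the equivalent of `renderSafe` is to assign the value with `element.textContent` (or `setAttribute`) instead of `innerHTML`; the encoding approach above is what you need when the markup is built as a string, for example in a server-side or template response. The scanner's attribution of the finding to the assignment line is why a reviewer should trace `name` forward to its output location before deciding whether an encoding step is missing.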