Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

No detection of XSS vulnerabilities in JAX-RS methods #268

Closed
jacek99 opened this issue Jan 23, 2017 · 10 comments
Closed

No detection of XSS vulnerabilities in JAX-RS methods #268

jacek99 opened this issue Jan 23, 2017 · 10 comments
Assignees
@h3xstream
Labels
invalid question Questions on how to use FSB or about its capabilities.

Comments

@jacek99
Copy link

jacek99 commented Jan 23, 2017
edited by h3xstream

We are comparing SonarQube with Find Bugs (and the Find Security Bugs rules) against a commercial competitor.

The commercial competitor flags all typical JAX-RS REST methods with user input as potential XSS vulnerabilities, e,.g.:

@GET
@Path("/{id}")
public SomeEntity getOne(@Context RequestContext ctx, @PathParam("id") String id) {
 return dao.findExistingById(ctx, id);
}

with errors like

Method getOne() at line 51 of SomeEntityResource.java gets user input for the id element. 
This element’s value then flows through the code without being properly sanitized or validated and is eventually displayed to the user in method getOne() at line 51 of SomeEntityResource.java. This may enable a Cross-Site-Scripting Attack

None of the Find Security Bugs rules flagged any of the JAX-RS resources with similar vulnerabilities.

Should some JAX-RS specific rules be added?

P.S. ALL the rules classified as "vulnerabilities" have been activated in SonarQube and we are running with the quality profile of "Find Bugs Security Audit".
@h3xstream h3xstream added the question Questions on how to use FSB or about its capabilities. label Jan 23, 2017
@h3xstream
Copy link
Member

In which format is the entity returned by default?
I would expect a JSON or XML representation with the appropriate content-type..

@h3xstream h3xstream self-assigned this Jan 23, 2017
@jacek99
Copy link
Author

jacek99 commented Jan 23, 2017
edited

It returns it in JSON format by default.

@Produces("application/json; charset=utf-8")

@jacek99
Copy link
Author

jacek99 commented Jan 23, 2017

This is in Dropwizard, so it is using Jersey 2 for the JAX-RS and Jackson for all the JSON serialization/deserialization.

@h3xstream
Copy link
Member

Are you sure this is vulnerable to XSS?
I would expect the result to be safe because of the content-type. Unless there is browser specific content sniffing.

@jacek99
Copy link
Author

jacek99 commented Jan 24, 2017

Well, I am not honestly, as I am not an expert on the finer aspects of XSS.

So in your opinion this is a false positive?

@h3xstream
Copy link
Member

@jacek99 Yes it look like a false positive.
If a manually constructed string would have been return, the content-type would have been text/html or text/plain.

@h3xstream
Copy link
Member

h3xstream commented Jan 24, 2017
edited

Please do minimal testing and provide a POC next time.
Stack overflow would be a better place to ask this kind of general question when uncertain.

(No offense. Good luck with the triage!)

@jacek99
Copy link
Author

jacek99 commented Jan 24, 2017

Thank you for your time, much appreciated

@siva-subramani
Copy link

@jacek99 I am seeing similar issue with a commercial tool. Were you able to find the fix ?

@h3xstream
Copy link
Member

@siva-subramani This is a false positive.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@h3xstream h3xstream

Labels
invalid question Questions on how to use FSB or about its capabilities.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jacek99 @h3xstream @siva-subramani