Join GitHub today
GitHub is home to over 20 million developers working together to host and review code, manage projects, and build software together.
CSRF/XSS vulnerability through separator injection #1781
Originally by @hesara
The communication protocol in Vaadin permits injection of message separators, making it possible to alter the state of other visible components (CSRF - cross site request forgery).
This can also enable XSS attacks by modifying the state of certain components.
An attack vector exploiting this would be convincing the user to paste text containing attacker written code (including special characters) to certain components in the application.
It is also possible to perform such injection through URI fragments in applications that use UriFragmentUtility.
This vulnerability was discovered by Wouter Coekaerts (http://wouter.coekaerts.be).