
Handling of issues in the BackEnd Frameworks

Open preetkaran20 opened this issue 5 years ago • 0 comments

Is your feature request related to a problem? Please describe.

I was implementing the path param based vulnerability but I found it quite complex and had to do some workarounds because of the way we generate URLs from custom annotations. E.g.:

    @AttackVector(
            vulnerabilityExposed = VulnerabilitySubType.PERSISTENT_XSS,
            description = "PERSISTENT_XSS_HTML_TAG_URL_PARAM_DIRECTLY_INJECTED_IN_DIV_TAG")
    @VulnerableAppRequestMapping(
            value = LevelConstants.LEVEL_10,
            descriptionLabel = "PERSISTENT_XSS_HTML_TAG_URL_CONTAINING_COMMENT",
            htmlTemplate = "LEVEL_1/PersistentXSS",
            responseType = ResponseType.HTML_TAGS_ONLY,
            parameterName = PARAMETER_NAME,
            sampleValues = SAMPLE_VALUE)
    public ResponseEntity<String> getVulnerablePayloadLevelsome(
            @PathVariable(value = "comment") String parameterName) {
        // --- some default code
    }
    

The issue in the above code is that it will never hit this endpoint if the provided values are "/level_10/something", because there is no path param, so I had to introduce a workaround, something like:

    @RequestMapping({LevelConstants.LEVEL_10 + "/{comment}", LevelConstants.LEVEL_10})
    @AttackVector(
            vulnerabilityExposed = VulnerabilitySubType.PERSISTENT_XSS,
            description = "PERSISTENT_XSS_HTML_TAG_URL_PARAM_DIRECTLY_INJECTED_IN_DIV_TAG")
    @VulnerableAppRequestMapping(
            value = LevelConstants.LEVEL_10,
            descriptionLabel = "PERSISTENT_XSS_HTML_TAG_URL_CONTAINING_COMMENT",
            htmlTemplate = "LEVEL_1/PersistentXSS",
            responseType = ResponseType.HTML_TAGS_ONLY,
            parameterName = PARAMETER_NAME,
            sampleValues = SAMPLE_VALUE)
    public ResponseEntity<String> getVulnerablePayloadLevelsome(
            @PathVariable(value = "comment", required = false) String parameterName) {
        // --- some default code
    }
    

In this, the extra request mapping has 2 patterns, which is because of the way the UI is designed to have the URLs formed using the value parameter of the request mapping.

Describe the solution you'd like

The first thought that comes to my mind is that this issue has happened because we have clubbed a single parameter to do multiple jobs: the value parameter of VulnerableAppRequestMapping is used for building URLs, for generating the UI levels, and also for building URLs using the same in the UI. So I think the easier way is to just have another parameter where you can mention the URL pattern, which can have a path param and is similar to the level, e.g. /level_10/{comment}, and the value param will still hold and it will be pointed to in the UI to build the URL. We can also have one more parameter, but that makes our annotations complex.

Describe alternatives you've considered

Already mentioned above.

preetkaran20 · Oct 15 '20 01:10
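
The proposal in the issue above, worked through as an added example (not part of the issue or of VulnerableApp's code): one annotation attribute keeps the level id the UI uses, a second carries the path-param suffix, and both route patterns are derived from them so no extra `@RequestMapping` is needed. The `LevelMapping` annotation, its `urlPattern` attribute, the controller and the level values are hypothetical stand-ins.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class LevelMappingDemo {

    // Hypothetical stand-in for VulnerableAppRequestMapping: `value` stays the
    // level id the UI uses; `urlPattern` (assumed new attribute) is the route suffix.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface LevelMapping {
        String value();
        String urlPattern() default "";
    }

    // Constructed sample controller; level ids are illustrative values.
    static class SampleController {
        @LevelMapping(value = "level_1")
        public void level1() {}

        @LevelMapping(value = "level_10", urlPattern = "/{comment}")
        public void level10() {}
    }

    // Route patterns to register for one level: the bare level URL the UI builds
    // from `value`, plus the path-param variant when `urlPattern` is set.
    static List<String> routePatterns(LevelMapping m) {
        String base = "/" + m.value();
        List<String> patterns = new ArrayList<>(List.of(base));
        if (!m.urlPattern().isEmpty()) {
            patterns.add(base + m.urlPattern());
        }
        return patterns;
    }

    // Reads the annotation from every method and maps level id -> route patterns.
    static Map<String, List<String>> scan(Class<?> controller) {
        Map<String, List<String>> routes = new TreeMap<>();
        for (Method method : controller.getDeclaredMethods()) {
            LevelMapping m = method.getAnnotation(LevelMapping.class);
            if (m != null) {
                routes.put(m.value(), routePatterns(m));
            }
        }
        return routes;
    }

    public static void main(String[] args) {
        System.out.println(scan(SampleController.class));
    }
}
```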