From 62321be3651eee3c52b1a271753b06288cca5dfd Mon Sep 17 00:00:00 2001 From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Date: Thu, 7 Nov 2024 17:52:05 -0600 Subject: [PATCH 1/4] Burp Enterprise: Support newer format --- dojo/settings/.settings.dist.py.sha256sum | 2 +- dojo/settings/settings.dist.py | 2 + dojo/templatetags/display_tags.py | 7 +- dojo/tools/burp_enterprise/parser.py | 391 +++++++++++----------- 4 files changed, 210 insertions(+), 192 deletions(-) diff --git a/dojo/settings/.settings.dist.py.sha256sum b/dojo/settings/.settings.dist.py.sha256sum index 259f13a4c69..2680eff16d6 100644 --- a/dojo/settings/.settings.dist.py.sha256sum +++ b/dojo/settings/.settings.dist.py.sha256sum @@ -1 +1 @@ -6b9365d002880ae64ab54da905ede076db5a8661960f8f1e2793b7f4d25ff7e8 +fa22f1252ee3a34e272f3715e1d21a429a1d43616c9448bbb007fb92e1fd5b57 diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py index 9920533272f..32021d25cc4 100644 --- a/dojo/settings/settings.dist.py +++ b/dojo/settings/settings.dist.py @@ -1744,6 +1744,8 @@ def saml2_attrib_map_format(dict): "ELSA": "https://linux.oracle.com/errata/&&.html", # e.g. https://linux.oracle.com/errata/ELSA-2024-12714.html "ELBA": "https://linux.oracle.com/errata/&&.html", # e.g. https://linux.oracle.com/errata/ELBA-2024-7457.html "RXSA": "https://errata.rockylinux.org/", # e.g. https://errata.rockylinux.org/RXSA-2024:4928 + "CAPEC": "https://capec.mitre.org/data/definitions/&&.html", # e.g. https://capec.mitre.org/data/definitions/157.html + "CWE": "https://cwe.mitre.org/data/definitions/&&.html", # e.g. https://cwe.mitre.org/data/definitions/79.html } # List of acceptable file types that can be uploaded to a given object via arbitrary file upload FILE_UPLOAD_TYPES = env("DD_FILE_UPLOAD_TYPES") diff --git a/dojo/templatetags/display_tags.py b/dojo/templatetags/display_tags.py index 7b634febf63..3fa030d90a4 100644 --- a/dojo/templatetags/display_tags.py 
+++ b/dojo/templatetags/display_tags.py @@ -781,7 +781,12 @@ def vulnerability_url(vulnerability_id): for key in settings.VULNERABILITY_URLS: if vulnerability_id.upper().startswith(key): if "&&" in settings.VULNERABILITY_URLS[key]: - return settings.VULNERABILITY_URLS[key].split("&&")[0] + str(vulnerability_id) + settings.VULNERABILITY_URLS[key].split("&&")[1] + # Process specific keys specially if need + if key in ["CAPEC", "CWE"]: + vuln_id = str(vulnerability_id).replace(f"{key}-", "") + else: + vuln_id = str(vulnerability_id) + return f'{settings.VULNERABILITY_URLS[key].split("&&")[0]}{vuln_id}{settings.VULNERABILITY_URLS[key].split("&&")[1]}' return settings.VULNERABILITY_URLS[key] + str(vulnerability_id) return "" diff --git a/dojo/tools/burp_enterprise/parser.py b/dojo/tools/burp_enterprise/parser.py index aab8e565242..052d8a80f84 100644 --- a/dojo/tools/burp_enterprise/parser.py +++ b/dojo/tools/burp_enterprise/parser.py @@ -1,7 +1,7 @@ import logging import re -from lxml import etree +from lxml import etree, html from dojo.models import Endpoint, Finding @@ -9,6 +9,16 @@ class BurpEnterpriseParser: + vulnerability_list_xpath = ( + "/html/body/div/div[contains(@class, 'section details')]/div[contains(@class, 'issue-container')]" + ) + table_contents_xpath = "/html/body/div/div[contains(@class, 'section') and .//table[contains(@class, 'issue-table')]]" + description_headers = ["issue detail", "issue description"] + request_response_headers = ["request", "response"] + impact_headers = ["issue background", "issue remediation"] + mitigation_headers = ["remediation detail", "remediation background"] + references_headers = ["vulnerability classifications", "references"] + def get_scan_types(self): return ["Burp Enterprise Scan"] 
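Review bot: The prefix strip in the added `if key in ["CAPEC", "CWE"]` branch is case-sensitive while the match two lines above uses `vulnerability_id.upper().startswith(key)`, so an id written as `cwe-79` is matched but lands in the URL as `.../definitions/cwe-79.html`; `str.replace` also removes every occurrence of `CWE-`, not just the leading one. Stripping the prefix the match already established avoids both: `vuln_id = str(vulnerability_id)` / `if key in ["CAPEC", "CWE"] and vuln_id.upper().startswith(f"{key}-"):` / `vuln_id = vuln_id[len(key) + 1:]`. The two `split("&&")` calls inside the returned f-string can become one `prefix, suffix = settings.VULNERABILITY_URLS[key].split("&&", 1)`, and the comment reads better as `# Strip the "<KEY>-" prefix for schemes whose URL takes only the numeric id`. `vulnerability_url` itself starts outside the hunk.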
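Review bot: The five header lists added to `BurpEnterpriseParser` carry no comment, yet they only match because the consuming code lowercases the `h3` text and strips its trailing colon before the `in` test; an entry added in report casing such as `"Issue Detail:"` would silently never match. A one-line comment above `description_headers`, e.g. `# Compared against the h3 header text lowercased with the trailing ':' removed; keep entries lowercase`, documents that contract. The matching code is in the later hunk of this file.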
@@ -19,230 +29,231 @@ def get_description_for_scan_types(self, scan_type): return "Import Burp Enterprise Edition findings in HTML format" def get_findings(self, filename, test): - parser = etree.HTMLParser() - tree = etree.parse(filename, parser) + tree = html.parse(filename) if tree: return self.get_items(tree, test) return () - def get_content(self, container): + def _get_endpoints_title_severity_mapping(self, tree: etree.ElementTree) -> dict[str, str]: + """ + Construct a dict that contains mappings of endpoints and severities by a a title key. + + Example: { + "finding-title": { + "title": "finding-title", + "severity: "Medium", + "cwe": None, + "endpoints: [ + "http://127.0.0.1/path/A", + "http://127.0.0.1/path/B", + ], + } + } + """ + finding_mapping = {} + table_contents = tree.xpath(self.table_contents_xpath) + for table in table_contents: + # There is only one header in this div, so we will get a string back here + base_endpoint = table.xpath("h1")[0].text.replace("Issues found on ", "").removesuffix("/") + # Iterate over the table of endpoint paths and severities + title = None + for entry in table.xpath("table[contains(@class, 'issue-table')]/tbody/tr"): + # The etree.element with a class of "issue-type-row" is the title of the finding + if "issue-type-row" in entry.classes: + # The structure of this section is consistent + # ... [number-of-instances] + title = " ".join(entry.xpath("td")[0].text.strip().split(" ")[:-1]) + # Add the finding title as a new entry if needed + if title not in finding_mapping: + finding_mapping[title] = { + "title": title, + "severity": None, + "cwe": None, + "endpoints": [], + } + else: + # The structure of this section is consistent + # ... + # ... 
+ # Quick check to determine if we need to move to the + path = entry.xpath("td")[0].text.strip() + severity = entry.xpath("td")[1].text.strip() + # Update the finding_mapping + finding_mapping[title]["endpoints"].append(f"{base_endpoint}/{path.removeprefix('/')}") + finding_mapping[title]["severity"] = severity + + return finding_mapping + + def _get_content(self, container: etree.Element): + # quick exit in case container is not found s = "" + if container is None or (isinstance(container, list) and len(list) == 0): + return s + # Do some extra processing as needed if ( container.tag == "div" and container.text is not None and not container.text.isspace() and len(container.text) > 0 ): - s += ( + s += re.sub(r"[ \t]+", " ", ( "".join(container.itertext()) .strip() .replace("Snip", "\n<-------------- Snip -------------->") .replace("\t", "") - ) + )) else: for elem in container.iterchildren(): if elem.text is not None and elem.text.strip() != "": + stripped_text = elem.text.strip() if elem.tag == "a": - s += ( - "(" - + elem.text - + ")[" - + elem.attrib["href"] - + "]" - + "\n" - ) + value = "[" + stripped_text + "](" + elem.attrib["href"] + ")" + "\n" elif elem.tag == "p": - s += elem.text + "\n" + value = elem.text_content().strip().replace("\n", "") + elif elem.tag == "b": + value = f"**{stripped_text}**" elif elem.tag == "li": - s += "* " - if elem.text is not None: - s += elem.text + "\n" - elif elem.text.isspace(): - s += list(elem.itertext())[0] + value = "- " + if stripped_text is not None: + value += stripped_text + "\n" + elif stripped_text.isspace(): + value = list(elem.itertext())[0] elif elem.tag == "div" or elem.tag == "span": - s += elem.text.strip() + "\n" + value = elem.text_content().strip().replace("\n", "") + "\n" else: continue + s += re.sub(r"\s+", " ", value) else: - s += self.get_content(elem) + s += self._get_content(elem) return s - # Get the endpoints and severities associated with each vulnerability - def pre_allocate_items(self, 
tree): - items = [] - endpoint_text = tree.xpath( - "/html/body/div/div[contains(@class, 'section')]/h1", - ) - severities = tree.xpath( - "/html/body/div/div[contains(@class, 'section')]/table[contains(@class, 'issue-table')]/tbody", - ) - endpoint_text = [ - endpoint - for endpoint in endpoint_text - if ("Issues found" in "".join(endpoint.itertext()).strip()) - ] - - for index in range(len(severities)): - url = endpoint_text[index].text[16:] - sev_table = list(severities[index].iter("tr")) - - title = "" - endpoint = "" - for item in sev_table: - item_list = list(item.iter("td")) - if len(item_list) == 1: - title_list = item_list[0].text.strip().split(" ") - title = " ".join(title_list[:-1]) - else: - endpoint = item_list[0].text.strip() - severity = item_list[1].text.strip() - vuln = {} - vuln["Severity"] = severity - vuln["Title"] = title - vuln["Description"] = "" - vuln["Impact"] = "" - vuln["Mitigation"] = "" - vuln["References"] = "" - vuln["CWE"] = "" - vuln["Response"] = "" - vuln["Request"] = "" - vuln["Endpoint"] = [url + endpoint] - vuln["URL"] = url - items.append(vuln) - return items - - def get_items(self, tree, test): - # Check that there is at least one vulnerability (the vulnerabilities - # table is absent when no vuln are found) - vulns = tree.xpath( - "/html/body/div/div[contains(@class, 'section details')]/div[contains(@class, 'issue-container')]", - ) - if len(vulns) == 0: - return [] - - dict_index = 0 - description = ["Issue detail:", "Issue description"] - reqrsp = ["Request", "Response"] - impact = ["Issue background", "Issue remediation"] - mitigation = ["Remediation detail:", "Remediation background"] - references = ["Vulnerability classifications", "References"] - vuln = None - merge = False - items = self.pre_allocate_items(tree) - for issue in vulns: - elems = list(issue.iterchildren()) - curr_vuln = items[dict_index] - if vuln is None or ( - curr_vuln["Title"] != vuln["Title"] - or curr_vuln["URL"] != vuln["URL"] - ): - vuln = 
curr_vuln - merge = False - else: - if curr_vuln["Endpoint"][0] not in vuln["Endpoint"]: - vuln_list = vuln["Endpoint"] - vuln_list.append(curr_vuln["Endpoint"][0]) - vuln["Endpoint"] = vuln_list - merge = True - - for index in range(3, len(elems), 2): - primary, secondary = ( - elems[index].text.strip(), - elems[index + 1], - ) - field = self.get_content(secondary) - webinfo = primary.split(":")[0] - details = "**" + primary + "**\n" + field + "\n\n" - # Description - if primary in description: - if merge: - if field != vuln["Description"].split("\n")[1]: - vuln["Description"] = ( - vuln["Description"] + field + "\n\n" - ) - else: - vuln["Description"] = vuln["Description"] + details - # Impact - if primary in impact and not merge: - vuln["Impact"] = vuln["Impact"] + details - # Mitigation - if primary in mitigation and not merge: - vuln["Mitigation"] = vuln["Mitigation"] + details - # References and CWE - if primary in references and not merge: - if len(vuln["CWE"]) < 1 and field.find("CWE") != -1: - vuln["CWE"] += str(self.get_cwe(field)) - vuln["References"] = vuln["References"] + details - # Request and Response pairs - if webinfo in reqrsp: - if webinfo == "Request": - vuln["Request"] = vuln["Request"] + field + "SPLITTER" + def _format_bulleted_lists(self, finding_details: dict, div_element: etree.ElementTree) -> tuple[str, list[str]]: + """Create a mapping of bulleted lists with links into a formatted list, as well as the raw values.""" + formatted_string = "" + content_list = [] + for a_tag in div_element.xpath("ul/li/a"): + content = re.sub(r"\s+", " ", a_tag.text.strip()) + link = a_tag.attrib["href"] + formatted_string += f"- [{content}]({link})\n" + content_list.append(content) + + return formatted_string, content_list + + def _set_or_append_content(self, finding_details: dict, header: str, div_element: etree.ElementTree) -> None: + """Determine whether we should set or append content in a given place.""" + header = header.replace(":", "") + field = 
None + # description + if header.lower() in self.description_headers: + field = "description" + content = self._get_content(div_element) + elif header.lower() in self.impact_headers: + field = "impact" + content = self._get_content(div_element) + elif header.lower() in self.mitigation_headers: + field = "mitigation" + content = self._get_content(div_element) + elif header.lower() in self.references_headers: + field = "references" + content, data_list = self._format_bulleted_lists(finding_details, div_element) + # process the vulnerability_ids if we have them + if header.lower() == "vulnerability classifications": + for item in data_list: + cleaned_item = item.split(":")[0] + if ( + finding_details["cwe"] is None + and (cwe_search := re.search("CWE-([0-9]*)", cleaned_item, re.IGNORECASE)) + ): + finding_details["cwe"] = int(cwe_search.group(1)) + if "vulnerability_ids" not in finding_details: + finding_details["vulnerability_ids"] = [cleaned_item] else: - vuln["Response"] = ( - vuln["Response"] + field + "SPLITTER" - ) - - dict_index += 1 - - return list(self.create_findings(items, test)) - - def get_cwe(self, vuln_references): - # Match only the first CWE! 
- vuln_references = vuln_references.split(":")[0] - cweSearch = re.search("CWE-([0-9]*)", vuln_references, re.IGNORECASE) - if cweSearch: - return cweSearch.group(1) - return 0 - - def create_findings(self, items, test): - # Dictonary to hold the aggregated findings with: - # - key: the concatenated aggregate keys - # - value: the finding - dupes = {} - for details in items: - if details.get("Description") == "": - continue - aggregateKeys = "{}{}{}{}".format( - details.get("Title"), - details.get("Description"), - details.get("CWE"), - details.get("Endpoint"), - ) - detail_cwe = None - if details.get("CWE"): - detail_cwe = int(details.get("CWE")) - find = Finding( - title=details.get("Title"), - description=details.get("Description"), + finding_details["vulnerability_ids"].append(cleaned_item) + elif header.lower() in self.request_response_headers: + field = "request_response" + content = self._get_content(div_element) + if header.lower() == "request": + if "requests" not in finding_details: + finding_details["requests"] = [content] + else: + finding_details["requests"].append(content) + if header.lower() == "response": + if "responses" not in finding_details: + finding_details["responses"] = [content] + else: + finding_details["responses"].append(content) + return + + else: + return + + formatted_content = f"**{header}**:\n{content}\n" + if (existing_field := finding_details.get(field)) is not None: + if header not in existing_field: + finding_details[field] += f"{formatted_content}\n---\n" + else: + finding_details[field] = f"{formatted_content}\n---\n" + + def _parse_elements_by_h3_element(self, issue: etree.Element, finding_details: dict) -> None: + for header_element in issue.xpath("h3"): + if (div_element := header_element.getnext()) is not None and div_element.tag == "div": + # Determine where to put the content + self._set_or_append_content(finding_details, header_element.text.strip(), div_element) + + def get_items(self, tree: etree.ElementTree, test): + 
finding_details = self._get_endpoints_title_severity_mapping(tree) + for issue in tree.xpath(self.vulnerability_list_xpath): + # Get the title of the current finding + title = issue.xpath("h2")[0].text.strip() + # Fetch the bodies of the issues and process them + self._parse_elements_by_h3_element(issue, finding_details[title]) + # Accommodate a newer format where request/response pairs in a separate div + for request_response_div in issue.xpath("div[contains(@class, 'evidence-container')]"): + # Fetch the bodies of the issues and process them + self._parse_elements_by_h3_element(request_response_div, finding_details[title]) + # Merge the requests and response into a single dict + requests = finding_details[title].pop("requests", []) + responses = finding_details[title].pop("responses", []) + finding_details[title]["request_response_pairs"] = [ + { + "request": requests[i] if i < len(requests) else None, + "response": responses[i] if i < len(responses) else None, + } + for i in range(max(len(requests), len(responses))) + ] + + return list(self.create_findings(finding_details, test)) + + def create_findings(self, findings_dict: dict[str, dict], test): + # Pop off a few items to be processes after the finding is saved + findings = [] + for finding_dict in findings_dict.values(): + endpoints = finding_dict.pop("endpoints", []) + request_response_pairs = finding_dict.pop("request_response_pairs", []) + vulnerability_ids = finding_dict.pop("vulnerability_ids", []) + # Crete the finding from the rest of the dict + finding = Finding( test=test, - severity=details.get("Severity"), - mitigation=details.get("Mitigation"), - references=details.get("References"), - impact=details.get("Impact"), - cwe=detail_cwe, false_p=False, duplicate=False, out_of_scope=False, mitigated=None, static_finding=False, dynamic_finding=True, - nb_occurences=1, + **finding_dict, ) + # Add the unsaved versions of the other things + # Endpoints + finding.unsaved_endpoints = 
[Endpoint.from_uri(endpoint) for endpoint in endpoints] + # Request Response Pairs - if len(details.get("Request")) > 0: - requests = details.get("Request").split("SPLITTER")[:-1] - responses = details.get("Response").split("SPLITTER")[:-1] - unsaved_req_resp = [] - for index in range(len(requests)): - unsaved_req_resp.append( - {"req": requests[index], "resp": responses[index]}, - ) - find.unsaved_req_resp = unsaved_req_resp - - find.unsaved_endpoints = [] - dupes[aggregateKeys] = find - - for url in details.get("Endpoint"): - find.unsaved_endpoints.append(Endpoint.from_uri(url)) + finding.unsaved_req_resp = [ + {"req": request_response.get("request"), "resp": request_response.get("response")} + for request_response in request_response_pairs + ] + # Vulnerability IDs + finding.unsaved_vulnerability_ids = vulnerability_ids + # Add the finding to the final list + findings.append(finding) - return list(dupes.values()) + return findings From 4431ac4a21b7986b2b255942ad5daa5f5406a5d4 Mon Sep 17 00:00:00 2001 From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Date: Thu, 7 Nov 2024 17:55:47 -0600 Subject: [PATCH 2/4] Forgot partially updated test --- .../tools/test_burp_enterprise_parser.py | 39 +++++++++++++++---- 1 file changed, 32 insertions(+), 7 deletions(-) diff --git a/unittests/tools/test_burp_enterprise_parser.py b/unittests/tools/test_burp_enterprise_parser.py index 0d28dfe26f7..b6714fc209f 100644 --- a/unittests/tools/test_burp_enterprise_parser.py +++ b/unittests/tools/test_burp_enterprise_parser.py 
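Review bot: In `get_items`, the assignment `finding_details[title]["request_response_pairs"] = [...]` replaces the list on every issue block, and because `requests`/`responses` are popped per block, a finding that spans several issue blocks ends up with only the last block's pairs, whereas the removed code accumulated them via `SPLITTER`; extending keeps them all: `finding_details[title].setdefault("request_response_pairs", []).extend({"request": requests[i] if i < len(requests) else None, "response": responses[i] if i < len(responses) else None} for i in range(max(len(requests), len(responses))))`. In `_get_content`, the new guard `(isinstance(container, list) and len(list) == 0)` measures the builtin `list` type rather than the argument and would raise `TypeError` for any list input; it should read `len(container) == 0`. `finding_details[title]` in `get_items` raises `KeyError` if an issue's `h2` title is absent from the summary tables (the mapping builder derives titles by dropping the last space-separated token, so it presumably matches only while every issue is listed there), and `_format_bulleted_lists` never uses its `finding_details` parameter.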
@@ -22,13 +22,9 @@ def test_burp_enterprise_with_multiple_vulns(self): self.assertTrue(finding.dynamic_finding) self.assertEqual(942, finding.cwe) self.assertEqual("Cross-origin resource sharing: arbitrary origin trusted", finding.title) - description = """**Issue detail:** -The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain.The application allowed access from the requested origin https://llqvfwgbsdau.com - -""" - self.assertEqual(description, finding.description) + self.assertIn("**Issue detail**:\nThe application implements an HTML5 cross-origin resource sharing (CORS) policy", finding.description) self.assertIn("An HTML5 cross-origin resource sharing (CORS) policy controls", finding.impact) - self.assertIn("(Web Security Academy: Cross-origin resource sharing (CORS))[https://portswigger.net/web-security/cors]", finding.references) + self.assertIn("[Web Security Academy: Cross-origin resource sharing (CORS)](https://portswigger.net/web-security/cors)", finding.references) self.assertEqual(1, len(finding.unsaved_endpoints)) self.assertEqual("example.com", finding.unsaved_endpoints[0].host) 
@@ -38,4 +34,33 @@ def test_burp_enterprise_with_multiple_vulns(self): self.assertTrue(finding.dynamic_finding) self.assertIsNone(finding.cwe) self.assertEqual("WAF Detected: redacted", finding.title) - self.assertIn("WAF tech. details : Cloud-based CDN, WAF & DDoS prevention", finding.description) + self.assertIn("Fingerprint Details:\n \n WAF Type : redacted\n WAF tech. details : Cloud-based CDN, WAF & DDoS prevention", finding.description) + + # def test_burp_enterprise_with_multiple_vulns_newer_format(self): + # with open(path.join(path.dirname(__file__), "../scans/burp_enterprise/many_vulns_updated_format.html"), encoding="utf-8") as test_file: + # parser = BurpEnterpriseParser() + # findings = parser.get_findings(test_file, Test()) + # for finding in findings: + # for endpoint in finding.unsaved_endpoints: + # endpoint.clean() + # self.assertEqual(12, len(findings)) + + # with self.subTest(i=0): + # finding = findings[0] + # self.assertEqual("Low", finding.severity) + # self.assertTrue(finding.dynamic_finding) + # self.assertEqual(523, finding.cwe) + # self.assertEqual("Strict transport security not enforced", finding.title) + # self.assertIn("**Issue description**:\nThe application fails to prevent users from connecting to it over unencrypted connections.", finding.description) + # self.assertIn("**Issue remediation**:\nThe application should instruct web browsers to only access the application using HTTPS.", finding.impact) + # self.assertIn("- [HTTP Strict Transport Security](https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security)", finding.references) + # self.assertEqual(7, len(finding.unsaved_endpoints)) + # self.assertEqual("instance.example.com", finding.unsaved_endpoints[0].host) + + # with self.subTest(i=5): + # finding = findings[5] + # self.assertEqual("Info", finding.severity) + # self.assertTrue(finding.dynamic_finding) + # self.assertEqual(116, finding.cwe) + # self.assertEqual("Content security policy: allows form 
hijacking", finding.title) + # self.assertIn("**Issue detail**:\nThe content security policy doesn't prevent form hijacking", finding.description) From 2dbc1d53a029fccc78a7381ea91386c8f80e561a Mon Sep 17 00:00:00 2001 From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Date: Thu, 7 Nov 2024 18:51:39 -0600 Subject: [PATCH 3/4] Add other tests --- .../many_vulns_updated_format.html | 7391 +++++++++++++++++ .../tools/test_burp_enterprise_parser.py | 52 +- 2 files changed, 7417 insertions(+), 26 deletions(-) create mode 100644 unittests/scans/burp_enterprise/many_vulns_updated_format.html diff --git a/unittests/scans/burp_enterprise/many_vulns_updated_format.html b/unittests/scans/burp_enterprise/many_vulns_updated_format.html new file mode 100644 index 00000000000..614ac1413bf --- /dev/null +++ b/unittests/scans/burp_enterprise/many_vulns_updated_format.html @@ -0,0 +1,7391 @@ + + + + Scan Remediation Report #150 + + + + + + +
+
+ +
+
+

Scan Remediation

+

Report

+
+ +
+ +
+ Generated by Burp Suite Enterprise Edition | 2024-11-06 12:41 PM +
+ +
+ + + + + + + +
+
Site name:
+
m
+
Scanned:
+ + + + + + + + + + + +
+
Start:
+
+
2024-11-05 4:59 PM
+
+
End:
+
+
2024-11-05 5:13 PM
+
+
Duration:
+
13m 53s
+
Status:
+
Completed
+
+
Start URLs:
+
https://instance.example.com/fe/m3/m-login
+ +
In-scope URL prefixes:
+
https://instance.example.com/fe/m3/
+
https://instance.example.com/m/v3/
+ +
Application logins:
+
DEMOMX m login only (no clerk)
+ +
Reference:
+ +
+ #150 +
+
+
+ +
+ + + + + + + +
+

Issues by severity

+ + + + + + + + + + + + + + + + + + + + + + + +
High:0
Medium:0
Low:11
Information:44
Total issues found:55
+
+

Scan statistics

+ + + + + + + + + + + + + + + + + + + + + + + +
Discovered URLs:44
Audited URLs without errors:9
Audited URLs with errors:1
Requests made:12354
Network errors:28
+
+
+ +
+ +
+

Issues found on https://instance.example.com

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
URLs By issue typeSeverityConfidenceMore detail
Strict transport security not enforced [7]
LowCertain>>
LowCertain>>
LowCertain>>
LowCertain>>
LowCertain>>
LowCertain>>
LowCertain>>
Open redirection (DOM-based) [4]
LowTentative>>
LowTentative>>
LowTentative>>
LowTentative>>
TLS certificate [1]
InfoCertain>>
Content security policy: allows untrusted script execution [7]
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
Content security policy: allows untrusted style execution [7]
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
Content security policy: allows form hijacking [7]
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
Cross-origin resource sharing [6]
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
Cross-origin resource sharing: arbitrary origin trusted [6]
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
InfoCertain>>
Robots.txt file [1]
InfoCertain>>
Cacheable HTTPS response [1]
InfoCertain>>
DOM data manipulation (DOM-based) [6]
InfoFirm>>
InfoFirm>>
InfoFirm>>
InfoFirm>>
InfoFirm>>
InfoFirm>>
+
+
+ +
+

Issues found on http://instance.example.com

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
URLs By issue typeSeverityConfidenceMore detail
Input returned in response (reflected) [2]
InfoCertain>>
InfoCertain>>
+
+ +
+ +
+

More details for https://instance.example.com

+
+ +
+
+ +

Strict transport security not enforced

+ /fe/m3/m-login + +

+ Issue description: +

+
+

The application fails to prevent users from connecting to it over unencrypted connections. An + attacker able to modify a legitimate user's network traffic could bypass the application's use + of SSL/TLS encryption, and use the application as a platform for attacks against its users. This + attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link + to the site from an HTTP page, their browser never attempts to use an encrypted connection. The + sslstrip tool automates this process.

+

+ To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify + the victim's network traffic.This scenario typically occurs when a client communicates with the + server over an insecure connection such as public Wi-Fi, or a corporate or home network that is + shared with a compromised computer. Common defenses such as switched networks are not sufficient + to prevent this. An attacker situated in the user's ISP or the application's hosting + infrastructure could also perform this attack. Note that an advanced adversary could potentially + target any connection made over the Internet's core infrastructure.

+
+ +

+ Issue remediation: +

+
+

The application should instruct web browsers to only access the application using HTTPS. To do + this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name + 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in + seconds that browsers should remember that the site should only be accessed using HTTPS. + Consider adding the 'includeSubDomains' flag if appropriate.

+

Note that because HSTS is a "trust on first use" (TOFU) protocol, a user who has never + accessed the application will never have seen the HSTS header, and will therefore still be + vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload' + flag to the HSTS header, and submit the domain for review by browser vendors.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+
+ +

Strict transport security not enforced

+ /m/v3/actions/action-log + +

+ Issue description: +

+
+

The application fails to prevent users from connecting to it over unencrypted connections. An + attacker able to modify a legitimate user's network traffic could bypass the application's use + of SSL/TLS encryption, and use the application as a platform for attacks against its users. This + attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link + to the site from an HTTP page, their browser never attempts to use an encrypted connection. The + sslstrip tool automates this process.

+

+ To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify + the victim's network traffic.This scenario typically occurs when a client communicates with the + server over an insecure connection such as public Wi-Fi, or a corporate or home network that is + shared with a compromised computer. Common defenses such as switched networks are not sufficient + to prevent this. An attacker situated in the user's ISP or the application's hosting + infrastructure could also perform this attack. Note that an advanced adversary could potentially + target any connection made over the Internet's core infrastructure.

+
+ +

+ Issue remediation: +

+
+

The application should instruct web browsers to only access the application using HTTPS. To do + this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name + 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in + seconds that browsers should remember that the site should only be accessed using HTTPS. + Consider adding the 'includeSubDomains' flag if appropriate.

+

Note that because HSTS is a "trust on first use" (TOFU) protocol, a user who has never + accessed the application will never have seen the HSTS header, and will therefore still be + vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload' + flag to the HSTS header, and submit the domain for review by browser vendors.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/action-log HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.2130470854.1730843985; _ga_0CGDK6Q0X4=GS1.1.1730843984.1.0.1730843986.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 118 + + {"name":"mLoginAttempt","category":"mConsolefe","data":{"deviceType":"Desktop","mName":""}} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:46 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Strict transport security not enforced

+ /m/v3/actions/event-log + +

+ Issue description: +

+
+

The application fails to prevent users from connecting to it over unencrypted connections. An + attacker able to modify a legitimate user's network traffic could bypass the application's use + of SSL/TLS encryption, and use the application as a platform for attacks against its users. This + attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link + to the site from an HTTP page, their browser never attempts to use an encrypted connection. The + sslstrip tool automates this process.

+

+ To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify + the victim's network traffic.This scenario typically occurs when a client communicates with the + server over an insecure connection such as public Wi-Fi, or a corporate or home network that is + shared with a compromised computer. Common defenses such as switched networks are not sufficient + to prevent this. An attacker situated in the user's ISP or the application's hosting + infrastructure could also perform this attack. Note that an advanced adversary could potentially + target any connection made over the Internet's core infrastructure.

+
+ +

+ Issue remediation: +

+
+

The application should instruct web browsers to only access the application using HTTPS. To do + this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name + 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in + seconds that browsers should remember that the site should only be accessed using HTTPS. + Consider adding the 'includeSubDomains' flag if appropriate.

+

Note that because HSTS is a "trust on first use" (TOFU) protocol, a user who has never + accessed the application will never have seen the HSTS header, and will therefore still be + vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload' + flag to the HSTS header, and submit the domain for review by browser vendors.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/event-log HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1245037457.1730843989; _ga_0CGDK6Q0X4=GS1.1.1730843988.1.0.1730843990.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 279 + + {"name":"ForgotPasswordButtonClicked","category":"mConsoleEvents","timestamp":1730843990,"data":{"currentURL":"https://instance.example.com/fe/m3/m-login","previou +
Snip
+
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:50 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Strict transport security not enforced

+ /m/v3/actions/login-m-by-name + +

+ Issue description: +

+
+

The application fails to prevent users from connecting to it over unencrypted connections. An + attacker able to modify a legitimate user's network traffic could bypass the application's use + of SSL/TLS encryption, and use the application as a platform for attacks against its users. This + attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link + to the site from an HTTP page, their browser never attempts to use an encrypted connection. The + sslstrip tool automates this process.

+

+ To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify + the victim's network traffic.This scenario typically occurs when a client communicates with the + server over an insecure connection such as public Wi-Fi, or a corporate or home network that is + shared with a compromised computer. Common defenses such as switched networks are not sufficient + to prevent this. An attacker situated in the user's ISP or the application's hosting + infrastructure could also perform this attack. Note that an advanced adversary could potentially + target any connection made over the Internet's core infrastructure.

+
+ +

+ Issue remediation: +

+
+

The application should instruct web browsers to only access the application using HTTPS. To do + this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name + 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in + seconds that browsers should remember that the site should only be accessed using HTTPS. + Consider adding the 'includeSubDomains' flag if appropriate.

+

Note that because HSTS is a "trust on first use" (TOFU) protocol, a user who has never + accessed the application will never have seen the HSTS header, and will therefore still be + vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload' + flag to the HSTS header, and submit the domain for review by browser vendors.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/login-m-by-name HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Authorization: Bearer undefined + Cookie: _ga=GA1.1.2130470854.1730843985; _ga_0CGDK6Q0X4=GS1.1.1730843984.1.0.1730843986.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 33 + + {"mName":"","password":""}
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:46 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Strict transport security not enforced

+ /m/v3/actions/request-m-password-reset + +

+ Issue description: +

+
+

The application fails to prevent users from connecting to it over unencrypted connections. An + attacker able to modify a legitimate user's network traffic could bypass the application's use + of SSL/TLS encryption, and use the application as a platform for attacks against its users. This + attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link + to the site from an HTTP page, their browser never attempts to use an encrypted connection. The + sslstrip tool automates this process.

+

+ To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify + the victim's network traffic.This scenario typically occurs when a client communicates with the + server over an insecure connection such as public Wi-Fi, or a corporate or home network that is + shared with a compromised computer. Common defenses such as switched networks are not sufficient + to prevent this. An attacker situated in the user's ISP or the application's hosting + infrastructure could also perform this attack. Note that an advanced adversary could potentially + target any connection made over the Internet's core infrastructure.

+
+ +

+ Issue remediation: +

+
+

The application should instruct web browsers to only access the application using HTTPS. To do + this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name + 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in + seconds that browsers should remember that the site should only be accessed using HTTPS. + Consider adding the 'includeSubDomains' flag if appropriate.

+

Note that because HSTS is a "trust on first use" (TOFU) protocol, a user who has never + accessed the application will never have seen the HSTS header, and will therefore still be + vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload' + flag to the HSTS header, and submit the domain for review by browser vendors.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/request-m-password-reset HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1294211964.1730843974; _ga_0CGDK6Q0X4=GS1.1.1730843974.1.1.1730843975.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/request-reset-password + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 94 + + {"mName":"BoSUhm","mEmail":"BoSUhmuz@burpcollaborator.net","mPhone":null} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:36 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Strict transport security not enforced

+ /m/v3/translations + +

+ Issue description: +

+
+

The application fails to prevent users from connecting to it over unencrypted connections. An + attacker able to modify a legitimate user's network traffic could bypass the application's use + of SSL/TLS encryption, and use the application as a platform for attacks against its users. This + attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link + to the site from an HTTP page, their browser never attempts to use an encrypted connection. The + sslstrip tool automates this process.

+

+ To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify + the victim's network traffic.This scenario typically occurs when a client communicates with the + server over an insecure connection such as public Wi-Fi, or a corporate or home network that is + shared with a compromised computer. Common defenses such as switched networks are not sufficient + to prevent this. An attacker situated in the user's ISP or the application's hosting + infrastructure could also perform this attack. Note that an advanced adversary could potentially + target any connection made over the Internet's core infrastructure.

+
+ +

+ Issue remediation: +

+
+

The application should instruct web browsers to only access the application using HTTPS. To do + this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name + 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in + seconds that browsers should remember that the site should only be accessed using HTTPS. + Consider adding the 'includeSubDomains' flag if appropriate.

+

Note that because HSTS is a "trust on first use" (TOFU) protocol, a user who has never + accessed the application will never have seen the HSTS header, and will therefore still be + vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload' + flag to the HSTS header, and submit the domain for review by browser vendors.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /m/v3/translations?locale=en_US&category=m-fe HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1871968749.1730843978; _ga_0CGDK6Q0X4=GS1.1.1730843977.1.1.1730843978.0.0.0 + Referer: https://instance.example.com/fe/m3/m-login + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:39 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Strict transport security not enforced

+ /m/v3/translations/locales + +

+ Issue description: +

+
+

The application fails to prevent users from connecting to it over unencrypted connections. An + attacker able to modify a legitimate user's network traffic could bypass the application's use + of SSL/TLS encryption, and use the application as a platform for attacks against its users. This + attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link + to the site from an HTTP page, their browser never attempts to use an encrypted connection. The + sslstrip tool automates this process.

+

+ To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify + the victim's network traffic.This scenario typically occurs when a client communicates with the + server over an insecure connection such as public Wi-Fi, or a corporate or home network that is + shared with a compromised computer. Common defenses such as switched networks are not sufficient + to prevent this. An attacker situated in the user's ISP or the application's hosting + infrastructure could also perform this attack. Note that an advanced adversary could potentially + target any connection made over the Internet's core infrastructure.

+
+ +

+ Issue remediation: +

+
+

The application should instruct web browsers to only access the application using HTTPS. To do + this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name + 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in + seconds that browsers should remember that the site should only be accessed using HTTPS. + Consider adding the 'includeSubDomains' flag if appropriate.

+

Note that because HSTS is a "trust on first use" (TOFU) protocol, a user who has never + accessed the application will never have seen the HSTS header, and will therefore still be + vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload' + flag to the HSTS header, and submit the domain for review by browser vendors.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /m/v3/translations/locales?category=m-fe HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Referer: https://instance.example.com/fe/m3/m-login + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:24 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +
+
+
+ +

Open redirection (DOM-based)

+ /fe/m3/m-login + +

Issue detail:

+
+ The application may be vulnerable to DOM-based open redirection. Data is read from + location.href and passed to xhr.send. +
+ +

+ Issue background: +

+
+

DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of + the DOM (for example, the URL) and processes this data in an unsafe way.

+ +

DOM-based open redirection arises when a script writes controllable data into the target of a + redirection in an unsafe way. An attacker may be able to use the vulnerability to construct a + URL that, if visited by another application user, will cause a redirection to an arbitrary + external domain. This behavior can be leveraged to facilitate phishing attacks against users of + the application. The ability to use an authentic application URL, targeting the correct domain + and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack + because many users, even if they verify these features, will not notice the subsequent + redirection to a different domain.

+

Note: If an attacker is able to control the start of the string that is passed to the + redirection API, then it may be possible to escalate this vulnerability into a JavaScript + injection attack, by using a URL with the javascript: pseudo-protocol to execute arbitrary + script code when the URL is processed by the browser.

+ +

Burp Suite automatically identifies this issue using dynamic and static code analysis. Static + analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not + provided any evidence resulting from dynamic analysis, you should review the relevant code and + execution paths to determine whether this vulnerability is indeed present, or whether + mitigations are in place that would prevent exploitation.

+
+ +

+ Issue remediation: +

+
+

The most effective way to avoid DOM-based open redirection vulnerabilities is not to dynamically + set redirection targets using data that originated from any untrusted source. If the desired + functionality of the application means that this behavior is unavoidable, then defenses must be + implemented within the client-side code to prevent malicious data from introducing an arbitrary + URL as a redirection target. In general, this is best achieved by using a whitelist of URLs that + are permitted redirection targets, and strictly validating the target against this list before + performing the redirection.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+

Dynamic analysis:

+
+

+ Data is read from location.href and passed to xhr.send. +

+
    +
  • +

    The following value was injected into the source:

    +
    https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'"/iepuap2p8w/><iepuap2p8w/\>fwqsx8nplw&#iepuap2p8w=iepuap2p8w%27%22`'"/iepuap2p8w/><iepuap2p8w/\>fwqsx8nplw&
    +
  • + +
  • +

    The previous value reached the sink:

    +
    {"access_token":"ed227e6e767e4584a5b3c10dc8b68c2a","data":{"environment":"development","level":"error","endpoint":"api.rollbar.com/api/1/item/","platform":"browser","framework":"browser-js","language":"javascript","server":{},"uuid":"a4231093-6d2e-4dbb-9f7f-7f0c97fde382","notifier":{"name":"rollbar-browser-js","version":"2.26.2","configured_options":{"captureUncaught":true,"captureUnhandledRejections":true,"payload":{"environment":"development"}},"diagnostic":{"original_arg_types":["string","error","undefined"],"is_uncaught":true,"raw_error":{"message":"Cannot read properties of null (reading 'once')","name":"TypeError","constructor_name":"TypeError","stack":"TypeError: Cannot read properties of null (reading 'once')\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\n    at https://instance.example.com/fe/js/cv-script.js:202367:10"}}},"request":{"url":"https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/><iepuap2p8w/\\>fwqsx8nplw&#iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/><iepuap2p8w/\\>fwqsx8nplw&","query_string":"?kpiqhi5l29=kpiqhi5l29%27%22`'\"/kpiqhi5l29/><kpiqhi5l29/\\>ba6kcvqqrk&","user_ip":"$remote_ip"},"client":{"runtime_ms":53,"timestamp":1730843997,"javascript":{"browser":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36","language":"en-US","cookie_enabled":true,"screen":{"width":800,"height":600},"plugins":[]}},"body":{"trace":{"exception":{"class":"TypeError","message":"Cannot read properties of null (reading 'once')","description":"Uncaught TypeError: Cannot read properties of null (reading 
'once')"},"frames":[{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":202367,"method":"[anonymous]","colno":10},{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":202406,"method":"InfoReceiver.doXhr","colno":11}]},"telemetry":[{"level":"error","type":"error","timestamp_ms":1730843997119,"body":{"message":"Cannot read properties of null (reading 'once')","stack":"TypeError: Cannot read properties of null (reading 'once')\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\n    at https://instance.example.com/fe/js/cv-script.js:202367:10"},"source":"client","uuid":"a4231093-6d2e-4dbb-9f7f-7f0c97fde382"}]},"context":""}}
    +
  • + +
  • +

    The stack trace at source was:

    +
    at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)
    +at get href (<anonymous>:1:249544)
    +at Array.<anonymous> (https://instance.example.com/fe/js/cv-script.js:201791:42576)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)
    +at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)
    +at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)
    +at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)
    +at m.handleUncaughtException (https://instance.example.com/fe/js/cv-script.js:201791:18878)
    +at n (https://instance.example.com/fe/js/cv-script.js:201791:35409)
    +at i (https://instance.example.com/fe/js/cv-script.js:201791:35806)
    +
  • + +
  • +

    The stack trace at the sink was:

    +
    at Object.XMhUr (<anonymous>:1:544502)
    +at _0x13dcf0 (<anonymous>:1:558761)
    +at _0xdc6a5f.<computed>._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.<computed> (<anonymous>:1:458938)
    +at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)
    +at t.exports (https://instance.example.com/fe/js/cv-script.js:201791:39384)
    +at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)
    +at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)
    +at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)
    +at https://instance.example.com/fe/js/cv-script.js:201791:32574
    +
  • + +
+
+
+
+
+ +

Open redirection (DOM-based)

+ /fe/m3/m-login + +

Issue detail:

+
+ The application may be vulnerable to DOM-based open redirection. Data is read from + location.search and passed to xhr.send. +
+ +

+ Issue background: +

+
+

DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of + the DOM (for example, the URL) and processes this data in an unsafe way.

+ +

DOM-based open redirection arises when a script writes controllable data into the target of a + redirection in an unsafe way. An attacker may be able to use the vulnerability to construct a + URL that, if visited by another application user, will cause a redirection to an arbitrary + external domain. This behavior can be leveraged to facilitate phishing attacks against users of + the application. The ability to use an authentic application URL, targeting the correct domain + and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack + because many users, even if they verify these features, will not notice the subsequent + redirection to a different domain.

+

Note: If an attacker is able to control the start of the string that is passed to the + redirection API, then it may be possible to escalate this vulnerability into a JavaScript + injection attack, by using a URL with the javascript: pseudo-protocol to execute arbitrary + script code when the URL is processed by the browser.

+ +

Burp Suite automatically identifies this issue using dynamic and static code analysis. Static + analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not + provided any evidence resulting from dynamic analysis, you should review the relevant code and + execution paths to determine whether this vulnerability is indeed present, or whether + mitigations are in place that would prevent exploitation.

+
+ +

+ Issue remediation: +

+
+

The most effective way to avoid DOM-based open redirection vulnerabilities is not to dynamically + set redirection targets using data that originated from any untrusted source. If the desired + functionality of the application means that this behavior is unavoidable, then defenses must be + implemented within the client-side code to prevent malicious data from introducing an arbitrary + URL as a redirection target. In general, this is best achieved by using a whitelist of URLs that + are permitted redirection targets, and strictly validating the target against this list before + performing the redirection.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+

Dynamic analysis:

+
+

+ Data is read from location.search and passed to xhr.send. +

+
    +
  • +

    The following value was injected into the source:

    +
    ?kpiqhi5l29=kpiqhi5l29%27%22`'"/kpiqhi5l29/><kpiqhi5l29/\>ba6kcvqqrk&
    +
  • + +
  • +

    The previous value reached the sink:

    +
    {"access_token":"ed227e6e767e4584a5b3c10dc8b68c2a","data":{"environment":"development","level":"error","endpoint":"api.rollbar.com/api/1/item/","platform":"browser","framework":"browser-js","language":"javascript","server":{},"uuid":"a4231093-6d2e-4dbb-9f7f-7f0c97fde382","notifier":{"name":"rollbar-browser-js","version":"2.26.2","configured_options":{"captureUncaught":true,"captureUnhandledRejections":true,"payload":{"environment":"development"}},"diagnostic":{"original_arg_types":["string","error","undefined"],"is_uncaught":true,"raw_error":{"message":"Cannot read properties of null (reading 'once')","name":"TypeError","constructor_name":"TypeError","stack":"TypeError: Cannot read properties of null (reading 'once')\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\n    at https://instance.example.com/fe/js/cv-script.js:202367:10"}}},"request":{"url":"https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/><iepuap2p8w/\\>fwqsx8nplw&#iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/><iepuap2p8w/\\>fwqsx8nplw&","query_string":"?kpiqhi5l29=kpiqhi5l29%27%22`'\"/kpiqhi5l29/><kpiqhi5l29/\\>ba6kcvqqrk&","user_ip":"$remote_ip"},"client":{"runtime_ms":53,"timestamp":1730843997,"javascript":{"browser":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36","language":"en-US","cookie_enabled":true,"screen":{"width":800,"height":600},"plugins":[]}},"body":{"trace":{"exception":{"class":"TypeError","message":"Cannot read properties of null (reading 'once')","description":"Uncaught TypeError: Cannot read properties of null (reading 
'once')"},"frames":[{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":202367,"method":"[anonymous]","colno":10},{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":202406,"method":"InfoReceiver.doXhr","colno":11}]},"telemetry":[{"level":"error","type":"error","timestamp_ms":1730843997119,"body":{"message":"Cannot read properties of null (reading 'once')","stack":"TypeError: Cannot read properties of null (reading 'once')\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\n    at https://instance.example.com/fe/js/cv-script.js:202367:10"},"source":"client","uuid":"a4231093-6d2e-4dbb-9f7f-7f0c97fde382"}]},"context":""}}
    +
  • + +
  • +

    The stack trace at source was:

    +
    at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)
    +at get search (<anonymous>:1:248279)
    +at Array.<anonymous> (https://instance.example.com/fe/js/cv-script.js:201791:42607)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)
    +at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)
    +at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)
    +at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)
    +at m.handleUncaughtException (https://instance.example.com/fe/js/cv-script.js:201791:18878)
    +at n (https://instance.example.com/fe/js/cv-script.js:201791:35409)
    +at i (https://instance.example.com/fe/js/cv-script.js:201791:35806)
    +
  • + +
  • +

    The stack trace at the sink was:

    +
    at Object.XMhUr (<anonymous>:1:544502)
    +at _0x13dcf0 (<anonymous>:1:558761)
    +at _0xdc6a5f.<computed>._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.<computed> (<anonymous>:1:458938)
    +at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)
    +at t.exports (https://instance.example.com/fe/js/cv-script.js:201791:39384)
    +at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)
    +at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)
    +at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)
    +at https://instance.example.com/fe/js/cv-script.js:201791:32574
    +
  • + +
+
+
+
+
+ +

Open redirection (DOM-based)

+ /fe/m3/m-login + +

Issue detail:

+
+ The application may be vulnerable to DOM-based open redirection. Data is read from + location.href and passed to xhr.send. +
+ +

+ Issue background: +

+
+

DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of + the DOM (for example, the URL) and processes this data in an unsafe way.

+ +

DOM-based open redirection arises when a script writes controllable data into the target of a + redirection in an unsafe way. An attacker may be able to use the vulnerability to construct a + URL that, if visited by another application user, will cause a redirection to an arbitrary + external domain. This behavior can be leveraged to facilitate phishing attacks against users of + the application. The ability to use an authentic application URL, targeting the correct domain + and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack + because many users, even if they verify these features, will not notice the subsequent + redirection to a different domain.

+

Note: If an attacker is able to control the start of the string that is passed to the + redirection API, then it may be possible to escalate this vulnerability into a JavaScript + injection attack, by using a URL with the javascript: pseudo-protocol to execute arbitrary + script code when the URL is processed by the browser.

+ +

Burp Suite automatically identifies this issue using dynamic and static code analysis. Static + analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not + provided any evidence resulting from dynamic analysis, you should review the relevant code and + execution paths to determine whether this vulnerability is indeed present, or whether + mitigations are in place that would prevent exploitation.

+
+ +

+ Issue remediation: +

+
+

The most effective way to avoid DOM-based open redirection vulnerabilities is not to dynamically + set redirection targets using data that originated from any untrusted source. If the desired + functionality of the application means that this behavior is unavoidable, then defenses must be + implemented within the client-side code to prevent malicious data from introducing an arbitrary + URL as a redirection target. In general, this is best achieved by using a whitelist of URLs that + are permitted redirection targets, and strictly validating the target against this list before + performing the redirection.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+

Dynamic analysis:

+
+

+ Data is read from location.href and passed to xhr.send. +

+
    +
  • +

    The following value was injected into the source:

    +
    https://instance.example.com/fe/m3/m-login?bih4qyzpvt=bih4qyzpvt%27%22`'"/bih4qyzpvt/><bih4qyzpvt/\>sbxdhx44wf&#bih4qyzpvt=bih4qyzpvt%27%22`'"/bih4qyzpvt/><bih4qyzpvt/\>sbxdhx44wf&
    +
  • + +
  • +

    The previous value reached the sink:

    +
    {"access_token":"ed227e6e767e4584a5b3c10dc8b68c2a","data":{"environment":"development","level":"error","endpoint":"api.rollbar.com/api/1/item/","platform":"browser","framework":"browser-js","language":"javascript","server":{},"uuid":"8ea547f7-4ead-4638-bd75-97e9d3af07a9","notifier":{"name":"rollbar-browser-js","version":"2.26.2","configured_options":{"captureUncaught":true,"captureUnhandledRejections":true,"payload":{"environment":"development"}},"diagnostic":{"original_arg_types":["string","error","undefined"],"is_uncaught":true,"raw_error":{"message":"Request failed with status code 500","name":"Error","constructor_name":"Error","stack":"Error: Request failed with status code 500\n    at createError (https://instance.example.com/fe/js/cv-script.js:51368:15)\n    at settle (https://instance.example.com/fe/js/cv-script.js:51664:12)\n    at XMLHttpRequest.onloadend (https://instance.example.com/fe/js/cv-script.js:50688:7)"}}},"request":{"url":"https://instance.example.com/fe/m3/m-login?bih4qyzpvt=bih4qyzpvt%27%22`'\"/bih4qyzpvt/><bih4qyzpvt/\\>sbxdhx44wf&#bih4qyzpvt=bih4qyzpvt%27%22`'\"/bih4qyzpvt/><bih4qyzpvt/\\>sbxdhx44wf&","query_string":"?esux3absmq=esux3absmq%27%22`'\"/esux3absmq/><esux3absmq/\\>z0k5afa1h6&","user_ip":"$remote_ip"},"client":{"runtime_ms":497,"timestamp":1730843998,"javascript":{"browser":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36","language":"en-US","cookie_enabled":true,"screen":{"width":800,"height":600},"plugins":[]}},"body":{"trace":{"exception":{"class":"Error","message":"Request failed with status code 500","description":"Request failed with status code 
500"},"frames":[{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":50688,"method":"XMLHttpRequest.onloadend","colno":7},{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":51664,"method":"settle","colno":12},{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":51368,"method":"createError","colno":15}]},"telemetry":[{"level":"error","type":"error","timestamp_ms":1730843997119,"body":{"message":"Cannot read properties of null (reading 'once')","stack":"TypeError: Cannot read properties of null (reading 'once')\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\n    at https://instance.example.com/fe/js/cv-script.js:202367:10"},"source":"client","uuid":"a4231093-6d2e-4dbb-9f7f-7f0c97fde382"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:-------------------------"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:DOM XSS found"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Context: NaN.queryString"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Tag name: "},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Original url: https://instance.example.com/fe/m3/m-login"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Generated url: 
https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/><iepuap2p8w/\\>fwqsx8nplw&#iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/><iepuap2p8w/\\>fwqsx8nplw&"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:PoC:Unable to generate PoC"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source identified as: location.href"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source Stack trace:     at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)\n    at get href (<anonymous>:1:249544)\n    at Array.<anonymous> (https://instance.example.com/fe/js/cv-script.js:201791:42576)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)\n    at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)\n    at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)\n    at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)\n    at m.handleUncaughtException 
(https://instance.example.com/fe/js/cv-script.js:201791:18878)\n    at n (https://instance.example.com/fe/js/cv-script.js:201791:35409)\n    at i (https://instance.example.com/fe/js/cv-script.js:201791:35806)"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink identified as: xhr.send"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink Stack trace:     at Object.XMhUr (<anonymous>:1:544502)\n    at _0x13dcf0 (<anonymous>:1:558761)\n    at _0xdc6a5f.<computed>._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.<computed> (<anonymous>:1:458938)\n    at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)\n    at t.exports (https://instance.example.com/fe/js/cv-script.js:201791:39384)\n    at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)\n    at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)\n    at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)\n    at https://instance.example.com/fe/js/cv-script.js:201791:32574"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink value: {\"access_token\":\"ed227e6e767e4584a5b3c10dc8b68c2a\",\"data\":{\"environment\":\"development\",\"level\":\"error\",\"endpoint\":\"api.rollbar.com/api/1/item/\",\"platform\":\"browser\",\"framework\":\"browser-js\",\"language\":\"javascript\",\"server\":{},\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\",\"notifier\":{\"name\":\"rollbar-browser-js\",\"version\":\"2.26.2\",\"configured_options\":{\"captureUncaught\":true,\"captureUnhandledRejections\":true,\"payload\":{\"environment\":\"development\"}},\"diagnostic\":{\"original_arg_types\":[\"string\",\"error\",\"undefined\"],\"is_uncaught\":true,\"raw_error\":{\"message\":\"Cannot read 
properties of null (reading 'once')\",\"name\":\"TypeError\",\"constructor_name\":\"TypeError\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at https://instance.example.com/fe/js/cv-script.js:202367:10\"}}},\"request\":{\"url\":\"https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/><iepuap2p8w/\\\\>fwqsx8nplw&#iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/><iepuap2p8w/\\\\>fwqsx8nplw&\",\"query_string\":\"?kpiqhi5l29=kpiqhi5l29%27%22`'\\\"/kpiqhi5l29/><kpiqhi5l29/\\\\>ba6kcvqqrk&\",\"user_ip\":\"$remote_ip\"},\"client\":{\"runtime_ms\":53,\"timestamp\":1730843997,\"javascript\":{\"browser\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36\",\"language\":\"en-US\",\"cookie_enabled\":true,\"screen\":{\"width\":800,\"height\":600},\"plugins\":[]}},\"body\":{\"trace\":{\"exception\":{\"class\":\"TypeError\",\"message\":\"Cannot read properties of null (reading 'once')\",\"description\":\"Uncaught TypeError: Cannot read properties of null (reading 'once')\"},\"frames\":[{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202367,\"method\":\"[anonymous]\",\"colno\":10},{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202406,\"method\":\"InfoReceiver.doXhr\",\"colno\":11}]},\"telemetry\":[{\"level\":\"error\",\"type\":\"error\",\"timestamp_ms\":1730843997119,\"body\":{\"message\":\"Cannot read properties of null (reading 'once')\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at 
https://instance.example.com/fe/js/cv-script.js:202367:10\"},\"source\":\"client\",\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\"}]},\"context\":\"\"}}"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:-------------------------"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:-------------------------"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:DOM XSS found"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Context: NaN.queryString"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Tag name: "},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Original url: https://instance.example.com/fe/m3/m-login"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Generated url: https://instance.example.com/fe/m3/m-login?kpiqhi5l29=kpiqhi5l29%27%22`'\"/kpiqhi5l29/><kpiqhi5l29/\\>ba6kcvqqrk&"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:PoC:Unable to generate PoC"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source identified as: location.search"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source Stack trace:     at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)\n    at get search (<anonymous>:1:248279)\n    at Array.<anonymous> 
(https://instance.example.com/fe/js/cv-script.js:201791:42607)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)\n    at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)\n    at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)\n    at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)\n    at m.handleUncaughtException (https://instance.example.com/fe/js/cv-script.js:201791:18878)\n    at n (https://instance.example.com/fe/js/cv-script.js:201791:35409)\n    at i (https://instance.example.com/fe/js/cv-script.js:201791:35806)"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink identified as: xhr.send"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink Stack trace:     at Object.XMhUr (<anonymous>:1:544502)\n    at _0x13dcf0 (<anonymous>:1:558761)\n    at _0xdc6a5f.<computed>._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.<computed> (<anonymous>:1:458938)\n    at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)\n    at t.exports 
(https://instance.example.com/fe/js/cv-script.js:201791:39384)\n    at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)\n    at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)\n    at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)\n    at https://instance.example.com/fe/js/cv-script.js:201791:32574"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink value: {\"access_token\":\"ed227e6e767e4584a5b3c10dc8b68c2a\",\"data\":{\"environment\":\"development\",\"level\":\"error\",\"endpoint\":\"api.rollbar.com/api/1/item/\",\"platform\":\"browser\",\"framework\":\"browser-js\",\"language\":\"javascript\",\"server\":{},\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\",\"notifier\":{\"name\":\"rollbar-browser-js\",\"version\":\"2.26.2\",\"configured_options\":{\"captureUncaught\":true,\"captureUnhandledRejections\":true,\"payload\":{\"environment\":\"development\"}},\"diagnostic\":{\"original_arg_types\":[\"string\",\"error\",\"undefined\"],\"is_uncaught\":true,\"raw_error\":{\"message\":\"Cannot read properties of null (reading 'once')\",\"name\":\"TypeError\",\"constructor_name\":\"TypeError\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at https://instance.example.com/fe/js/cv-script.js:202367:10\"}}},\"request\":{\"url\":\"https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/><iepuap2p8w/\\\\>fwqsx8nplw&#iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/><iepuap2p8w/\\\\>fwqsx8nplw&\",\"query_string\":\"?kpiqhi5l29=kpiqhi5l29%27%22`'\\\"/kpiqhi5l29/><kpiqhi5l29/\\\\>ba6kcvqqrk&\",\"user_ip\":\"$remote_ip\"},\"client\":{\"runtime_ms\":53,\"timestamp\":1730843997,\"javascript\":{\"browser\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36\",\"language\":\"en-US\",\"cookie_enabled\":true,\"screen\":{\"width\":800,\"height\":600},\"plugins\":[]}},\"body\":{\"trace\":{\"exception\":{\"class\":\"TypeError\",\"message\":\"Cannot read properties of null (reading 'once')\",\"description\":\"Uncaught TypeError: Cannot read properties of null (reading 'once')\"},\"frames\":[{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202367,\"method\":\"[anonymous]\",\"colno\":10},{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202406,\"method\":\"InfoReceiver.doXhr\",\"colno\":11}]},\"telemetry\":[{\"level\":\"error\",\"type\":\"error\",\"timestamp_ms\":1730843997119,\"body\":{\"message\":\"Cannot read properties of null (reading 'once')\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at https://instance.example.com/fe/js/cv-script.js:202367:10\"},\"source\":\"client\",\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\"}]},\"context\":\"\"}}"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997220,"body":{"message":"--DynamicJavaScriptAnalysis from 
JS:-------------------------"},"source":"client"},{"level":"error","type":"network","timestamp_ms":1730843997410,"body":{"method":"GET","url":"https://localhost:8000/sockjs-node/info?t=1730843997179","status_code":0,"start_time_ms":1730843997180,"end_time_ms":1730843997410,"subtype":"xhr","response_content_type":null},"source":"client"},{"level":"error","type":"network","timestamp_ms":1730843997410,"body":{"method":"GET","url":"https://localhost:8000/sockjs-node/info?t=1730843997221","status_code":0,"start_time_ms":1730843997221,"end_time_ms":1730843997410,"subtype":"xhr","response_content_type":null},"source":"client"},{"level":"info","type":"network","timestamp_ms":1730843997482,"body":{"method":"POST","url":"https://api.rollbar.com:443/api/1/item/","status_code":200,"start_time_ms":1730843997213,"end_time_ms":1730843997482,"request_content_type":"application/json","subtype":"xhr","response_content_type":"application/json; charset=utf-8"},"source":"client"},{"level":"error","type":"error","timestamp_ms":1730843997563,"body":{"message":"Request failed with status code 500","stack":"Error: Request failed with status code 500\n    at createError (https://instance.example.com/fe/js/cv-script.js:51368:15)\n    at settle (https://instance.example.com/fe/js/cv-script.js:51664:12)\n    at XMLHttpRequest.onloadend (https://instance.example.com/fe/js/cv-script.js:50688:7)"},"source":"client","uuid":"8ea547f7-4ead-4638-bd75-97e9d3af07a9"}]},"context":""}}
    +
  • + +
  • +

    The stack trace at source was:

    +
    at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)
    +at get href (<anonymous>:1:249544)
    +at Array.<anonymous> (https://instance.example.com/fe/js/cv-script.js:201791:42576)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)
    +at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)
    +at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)
    +at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)
    +at m.handleUnhandledRejection (https://instance.example.com/fe/js/cv-script.js:201791:19920)
    +at n (https://instance.example.com/fe/js/cv-script.js:201791:36330)
    +
  • + +
  • +

    The stack trace at the sink was:

    +
    at Object.XMhUr (<anonymous>:1:544502)
    +at _0x13dcf0 (<anonymous>:1:558761)
    +at _0xdc6a5f.<computed>._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.<computed> (<anonymous>:1:458938)
    +at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)
    +at t.exports (https://instance.example.com/fe/js/cv-script.js:201791:39384)
    +at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)
    +at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)
    +at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)
    +at https://instance.example.com/fe/js/cv-script.js:201791:32574
    +
  • + +
+
+
+
+
+ +

Open redirection (DOM-based)

+ /fe/m3/m-login + +

Issue detail:

+
+ The application may be vulnerable to DOM-based open redirection. Data is read from + location.search and passed to xhr.send. +
+ +

+ Issue background: +

+
+

DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of + the DOM (for example, the URL) and processes this data in an unsafe way.

+ +

DOM-based open redirection arises when a script writes controllable data into the target of a + redirection in an unsafe way. An attacker may be able to use the vulnerability to construct a + URL that, if visited by another application user, will cause a redirection to an arbitrary + external domain. This behavior can be leveraged to facilitate phishing attacks against users of + the application. The ability to use an authentic application URL, targeting the correct domain + and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack + because many users, even if they verify these features, will not notice the subsequent + redirection to a different domain.

+

Note: If an attacker is able to control the start of the string that is passed to the + redirection API, then it may be possible to escalate this vulnerability into a JavaScript + injection attack, by using a URL with the javascript: pseudo-protocol to execute arbitrary + script code when the URL is processed by the browser.

+ +

Burp Suite automatically identifies this issue using dynamic and static code analysis. Static + analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not + provided any evidence resulting from dynamic analysis, you should review the relevant code and + execution paths to determine whether this vulnerability is indeed present, or whether + mitigations are in place that would prevent exploitation.

+
+ +

+ Issue remediation: +

+
+

The most effective way to avoid DOM-based open redirection vulnerabilities is not to dynamically + set redirection targets using data that originated from any untrusted source. If the desired + functionality of the application means that this behavior is unavoidable, then defenses must be + implemented within the client-side code to prevent malicious data from introducing an arbitrary + URL as a redirection target. In general, this is best achieved by using a whitelist of URLs that + are permitted redirection targets, and strictly validating the target against this list before + performing the redirection.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+

Dynamic analysis:

+
+

+ Data is read from location.search and passed to xhr.send. +

+
    +
  • +

    The following value was injected into the source:

    +
    ?esux3absmq=esux3absmq%27%22`'"/esux3absmq/><esux3absmq/\>z0k5afa1h6&
    +
  • + +
  • +

    The previous value reached the sink:

    +
    {"access_token":"ed227e6e767e4584a5b3c10dc8b68c2a","data":{"environment":"development","level":"error","endpoint":"api.rollbar.com/api/1/item/","platform":"browser","framework":"browser-js","language":"javascript","server":{},"uuid":"8ea547f7-4ead-4638-bd75-97e9d3af07a9","notifier":{"name":"rollbar-browser-js","version":"2.26.2","configured_options":{"captureUncaught":true,"captureUnhandledRejections":true,"payload":{"environment":"development"}},"diagnostic":{"original_arg_types":["string","error","undefined"],"is_uncaught":true,"raw_error":{"message":"Request failed with status code 500","name":"Error","constructor_name":"Error","stack":"Error: Request failed with status code 500\n    at createError (https://instance.example.com/fe/js/cv-script.js:51368:15)\n    at settle (https://instance.example.com/fe/js/cv-script.js:51664:12)\n    at XMLHttpRequest.onloadend (https://instance.example.com/fe/js/cv-script.js:50688:7)"}}},"request":{"url":"https://instance.example.com/fe/m3/m-login?bih4qyzpvt=bih4qyzpvt%27%22`'\"/bih4qyzpvt/><bih4qyzpvt/\\>sbxdhx44wf&#bih4qyzpvt=bih4qyzpvt%27%22`'\"/bih4qyzpvt/><bih4qyzpvt/\\>sbxdhx44wf&","query_string":"?esux3absmq=esux3absmq%27%22`'\"/esux3absmq/><esux3absmq/\\>z0k5afa1h6&","user_ip":"$remote_ip"},"client":{"runtime_ms":497,"timestamp":1730843998,"javascript":{"browser":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36","language":"en-US","cookie_enabled":true,"screen":{"width":800,"height":600},"plugins":[]}},"body":{"trace":{"exception":{"class":"Error","message":"Request failed with status code 500","description":"Request failed with status code 
500"},"frames":[{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":50688,"method":"XMLHttpRequest.onloadend","colno":7},{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":51664,"method":"settle","colno":12},{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":51368,"method":"createError","colno":15}]},"telemetry":[{"level":"error","type":"error","timestamp_ms":1730843997119,"body":{"message":"Cannot read properties of null (reading 'once')","stack":"TypeError: Cannot read properties of null (reading 'once')\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\n    at https://instance.example.com/fe/js/cv-script.js:202367:10"},"source":"client","uuid":"a4231093-6d2e-4dbb-9f7f-7f0c97fde382"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:-------------------------"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:DOM XSS found"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Context: NaN.queryString"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Tag name: "},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Original url: https://instance.example.com/fe/m3/m-login"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Generated url: 
https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/><iepuap2p8w/\\>fwqsx8nplw&#iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/><iepuap2p8w/\\>fwqsx8nplw&"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:PoC:Unable to generate PoC"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source identified as: location.href"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source Stack trace:     at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)\n    at get href (<anonymous>:1:249544)\n    at Array.<anonymous> (https://instance.example.com/fe/js/cv-script.js:201791:42576)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)\n    at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)\n    at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)\n    at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)\n    at m.handleUncaughtException 
(https://instance.example.com/fe/js/cv-script.js:201791:18878)\n    at n (https://instance.example.com/fe/js/cv-script.js:201791:35409)\n    at i (https://instance.example.com/fe/js/cv-script.js:201791:35806)"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink identified as: xhr.send"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink Stack trace:     at Object.XMhUr (<anonymous>:1:544502)\n    at _0x13dcf0 (<anonymous>:1:558761)\n    at _0xdc6a5f.<computed>._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.<computed> (<anonymous>:1:458938)\n    at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)\n    at t.exports (https://instance.example.com/fe/js/cv-script.js:201791:39384)\n    at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)\n    at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)\n    at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)\n    at https://instance.example.com/fe/js/cv-script.js:201791:32574"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink value: {\"access_token\":\"ed227e6e767e4584a5b3c10dc8b68c2a\",\"data\":{\"environment\":\"development\",\"level\":\"error\",\"endpoint\":\"api.rollbar.com/api/1/item/\",\"platform\":\"browser\",\"framework\":\"browser-js\",\"language\":\"javascript\",\"server\":{},\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\",\"notifier\":{\"name\":\"rollbar-browser-js\",\"version\":\"2.26.2\",\"configured_options\":{\"captureUncaught\":true,\"captureUnhandledRejections\":true,\"payload\":{\"environment\":\"development\"}},\"diagnostic\":{\"original_arg_types\":[\"string\",\"error\",\"undefined\"],\"is_uncaught\":true,\"raw_error\":{\"message\":\"Cannot read 
properties of null (reading 'once')\",\"name\":\"TypeError\",\"constructor_name\":\"TypeError\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at https://instance.example.com/fe/js/cv-script.js:202367:10\"}}},\"request\":{\"url\":\"https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/><iepuap2p8w/\\\\>fwqsx8nplw&#iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/><iepuap2p8w/\\\\>fwqsx8nplw&\",\"query_string\":\"?kpiqhi5l29=kpiqhi5l29%27%22`'\\\"/kpiqhi5l29/><kpiqhi5l29/\\\\>ba6kcvqqrk&\",\"user_ip\":\"$remote_ip\"},\"client\":{\"runtime_ms\":53,\"timestamp\":1730843997,\"javascript\":{\"browser\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36\",\"language\":\"en-US\",\"cookie_enabled\":true,\"screen\":{\"width\":800,\"height\":600},\"plugins\":[]}},\"body\":{\"trace\":{\"exception\":{\"class\":\"TypeError\",\"message\":\"Cannot read properties of null (reading 'once')\",\"description\":\"Uncaught TypeError: Cannot read properties of null (reading 'once')\"},\"frames\":[{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202367,\"method\":\"[anonymous]\",\"colno\":10},{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202406,\"method\":\"InfoReceiver.doXhr\",\"colno\":11}]},\"telemetry\":[{\"level\":\"error\",\"type\":\"error\",\"timestamp_ms\":1730843997119,\"body\":{\"message\":\"Cannot read properties of null (reading 'once')\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at 
https://instance.example.com/fe/js/cv-script.js:202367:10\"},\"source\":\"client\",\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\"}]},\"context\":\"\"}}"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:-------------------------"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:-------------------------"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:DOM XSS found"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Context: NaN.queryString"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Tag name: "},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Original url: https://instance.example.com/fe/m3/m-login"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Generated url: https://instance.example.com/fe/m3/m-login?kpiqhi5l29=kpiqhi5l29%27%22`'\"/kpiqhi5l29/><kpiqhi5l29/\\>ba6kcvqqrk&"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:PoC:Unable to generate PoC"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source identified as: location.search"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source Stack trace:     at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)\n    at get search (<anonymous>:1:248279)\n    at Array.<anonymous> 
(https://instance.example.com/fe/js/cv-script.js:201791:42607)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)\n    at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)\n    at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)\n    at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)\n    at m.handleUncaughtException (https://instance.example.com/fe/js/cv-script.js:201791:18878)\n    at n (https://instance.example.com/fe/js/cv-script.js:201791:35409)\n    at i (https://instance.example.com/fe/js/cv-script.js:201791:35806)"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink identified as: xhr.send"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink Stack trace:     at Object.XMhUr (<anonymous>:1:544502)\n    at _0x13dcf0 (<anonymous>:1:558761)\n    at _0xdc6a5f.<computed>._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.<computed> (<anonymous>:1:458938)\n    at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)\n    at t.exports 
(https://instance.example.com/fe/js/cv-script.js:201791:39384)\n    at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)\n    at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)\n    at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)\n    at https://instance.example.com/fe/js/cv-script.js:201791:32574"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink value: {\"access_token\":\"ed227e6e767e4584a5b3c10dc8b68c2a\",\"data\":{\"environment\":\"development\",\"level\":\"error\",\"endpoint\":\"api.rollbar.com/api/1/item/\",\"platform\":\"browser\",\"framework\":\"browser-js\",\"language\":\"javascript\",\"server\":{},\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\",\"notifier\":{\"name\":\"rollbar-browser-js\",\"version\":\"2.26.2\",\"configured_options\":{\"captureUncaught\":true,\"captureUnhandledRejections\":true,\"payload\":{\"environment\":\"development\"}},\"diagnostic\":{\"original_arg_types\":[\"string\",\"error\",\"undefined\"],\"is_uncaught\":true,\"raw_error\":{\"message\":\"Cannot read properties of null (reading 'once')\",\"name\":\"TypeError\",\"constructor_name\":\"TypeError\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at https://instance.example.com/fe/js/cv-script.js:202367:10\"}}},\"request\":{\"url\":\"https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/><iepuap2p8w/\\\\>fwqsx8nplw&#iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/><iepuap2p8w/\\\\>fwqsx8nplw&\",\"query_string\":\"?kpiqhi5l29=kpiqhi5l29%27%22`'\\\"/kpiqhi5l29/><kpiqhi5l29/\\\\>ba6kcvqqrk&\",\"user_ip\":\"$remote_ip\"},\"client\":{\"runtime_ms\":53,\"timestamp\":1730843997,\"javascript\":{\"browser\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36\",\"language\":\"en-US\",\"cookie_enabled\":true,\"screen\":{\"width\":800,\"height\":600},\"plugins\":[]}},\"body\":{\"trace\":{\"exception\":{\"class\":\"TypeError\",\"message\":\"Cannot read properties of null (reading 'once')\",\"description\":\"Uncaught TypeError: Cannot read properties of null (reading 'once')\"},\"frames\":[{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202367,\"method\":\"[anonymous]\",\"colno\":10},{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202406,\"method\":\"InfoReceiver.doXhr\",\"colno\":11}]},\"telemetry\":[{\"level\":\"error\",\"type\":\"error\",\"timestamp_ms\":1730843997119,\"body\":{\"message\":\"Cannot read properties of null (reading 'once')\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at https://instance.example.com/fe/js/cv-script.js:202367:10\"},\"source\":\"client\",\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\"}]},\"context\":\"\"}}"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997220,"body":{"message":"--DynamicJavaScriptAnalysis from 
JS:-------------------------"},"source":"client"},{"level":"error","type":"network","timestamp_ms":1730843997410,"body":{"method":"GET","url":"https://localhost:8000/sockjs-node/info?t=1730843997179","status_code":0,"start_time_ms":1730843997180,"end_time_ms":1730843997410,"subtype":"xhr","response_content_type":null},"source":"client"},{"level":"error","type":"network","timestamp_ms":1730843997410,"body":{"method":"GET","url":"https://localhost:8000/sockjs-node/info?t=1730843997221","status_code":0,"start_time_ms":1730843997221,"end_time_ms":1730843997410,"subtype":"xhr","response_content_type":null},"source":"client"},{"level":"info","type":"network","timestamp_ms":1730843997482,"body":{"method":"POST","url":"https://api.rollbar.com:443/api/1/item/","status_code":200,"start_time_ms":1730843997213,"end_time_ms":1730843997482,"request_content_type":"application/json","subtype":"xhr","response_content_type":"application/json; charset=utf-8"},"source":"client"},{"level":"error","type":"error","timestamp_ms":1730843997563,"body":{"message":"Request failed with status code 500","stack":"Error: Request failed with status code 500\n    at createError (https://instance.example.com/fe/js/cv-script.js:51368:15)\n    at settle (https://instance.example.com/fe/js/cv-script.js:51664:12)\n    at XMLHttpRequest.onloadend (https://instance.example.com/fe/js/cv-script.js:50688:7)"},"source":"client","uuid":"8ea547f7-4ead-4638-bd75-97e9d3af07a9"}]},"context":""}}
    +
  • + +
  • +

    The stack trace at source was:

    +
    at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)
    +at get search (<anonymous>:1:248279)
    +at Array.<anonymous> (https://instance.example.com/fe/js/cv-script.js:201791:42607)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)
    +at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
    +at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)
    +at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)
    +at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)
    +at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)
    +at m.handleUnhandledRejection (https://instance.example.com/fe/js/cv-script.js:201791:19920)
    +at n (https://instance.example.com/fe/js/cv-script.js:201791:36330)
    +
  • + +
  • +

    The stack trace at the sink was:

    +
    at Object.XMhUr (<anonymous>:1:544502)
    +at _0x13dcf0 (<anonymous>:1:558761)
    +at _0xdc6a5f.<computed>._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.<computed> (<anonymous>:1:458938)
    +at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)
    +at t.exports (https://instance.example.com/fe/js/cv-script.js:201791:39384)
    +at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)
    +at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)
    +at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)
    +at https://instance.example.com/fe/js/cv-script.js:201791:32574
    +
  • + +
+
+
+
+
+ +
+
+
+ +

TLS certificate

+ / + +

Issue detail:

+
+ The server presented a valid, trusted TLS certificate. This issue is purely + informational.

The server presented the following certificates:

+

Server certificate

+ + + + + + + + + + + + + + + + + +
Issued to:  *.sandbox.example.com
Issued by:  Amazon RSA 2048 M02
Valid from:  Wed Feb 28 00:00:00 UTC 2024
Valid to:  Sat Mar 29 23:59:59 UTC 2025
+

Certificate chain #1

+ + + + + + + + + + + + + + + + + +
Issued to:  Amazon RSA 2048 M02
Issued by:  Amazon Root CA 1
Valid from:  Tue Aug 23 22:25:30 UTC 2022
Valid to:  Fri Aug 23 22:25:30 UTC 2030
+

Certificate chain #2

+ + + + + + + + + + + + + + + + + +
Issued to:  Amazon Root CA 1
Issued by:  Starfield Services Root Certificate Authority - G2
Valid from:  Mon May 25 12:00:00 UTC 2015
Valid to:  Thu Dec 31 01:00:00 UTC 2037
+

Certificate chain #3

+ + + + + + + + + + + + + + + + + +
Issued to:  Starfield Services Root Certificate Authority - G2
Issued by:  Starfield Class 2 Certification Authority
Valid from:  Wed Sep 02 00:00:00 UTC 2009
Valid to:  Wed Jun 28 17:39:16 UTC 2034
+

Certificate chain #4

+ + + + + + + + + + + + + + + + + +
Issued to:  Starfield Class 2 Certification Authority
Issued by:  Starfield Class 2 Certification Authority
Valid from:  Tue Jun 29 17:39:16 UTC 2004
Valid to:  Thu Jun 29 17:39:16 UTC 2034
+
+ +

+ Issue background: +

+
+

TLS (or SSL) helps to protect the confidentiality and integrity of information in transit between + the browser and server, and to provide authentication of the server's identity. To serve this + purpose, the server must present an TLS certificate that is valid for the server's hostname, is + issued by a trusted authority and is valid for the current date. If any one of these + requirements is not met, TLS connections to the server will not provide the full protection for + which TLS is designed.

+

It should be noted that various attacks exist against TLS in general, and in the context of HTTPS + web connections in particular. It may be possible for a determined and suitably-positioned + attacker to compromise TLS connections without user detection even when a valid TLS certificate + is used.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+
+ +
+
+
+ +

Content security policy: allows untrusted script execution

+ /fe/m3/m-login + +

Issue detail:

+
+

The content security policy fails to prevent untrusted JavaScript from being executed. As a + result, it may fail to mitigate cross-site scripting attacks.

+

The policy has the following issues:

+

The policy allows global wildcard URLs which allows arbitrary scripts to be executed.

+

The policy allows data: URLs which allows arbitrary scripts to be executed.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ + +
+

+ Mitigate cross-site scripting by avoiding 'unsafe-inline', 'unsafe-eval', data: URLs, and global + wildcards in script directives. Use a secure, random + nonce of at least 8 characters 'nonce-RANDOM' to prevent untrusted JavaScript execution. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+
+ +

Content security policy: allows untrusted script execution

+ /m/v3/actions/action-log + +

Issue detail:

+
+

The content security policy fails to prevent untrusted JavaScript from being executed. As a + result, it may fail to mitigate cross-site scripting attacks.

+

The policy has the following issues:

+

The policy allows global wildcard URLs which allows arbitrary scripts to be executed.

+

The policy allows data: URLs which allows arbitrary scripts to be executed.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

+ Mitigate cross-site scripting by avoiding 'unsafe-inline', 'unsafe-eval', data: URLs, and global + wildcards in script directives. Use a secure, random + nonce of at least 8 characters 'nonce-RANDOM' to prevent untrusted JavaScript execution. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/action-log HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1789135595.1730843965; _ga_0CGDK6Q0X4=GS1.1.1730843965.1.0.1730843965.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 107 + + {"name":"ForgotPasswordButtonClicked","category":"mConsolefe","data":{"deviceType":"Desktop"}} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:26 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows untrusted script execution

+ /m/v3/actions/event-log + +

Issue detail:

+
+

The content security policy fails to prevent untrusted JavaScript from being executed. As a + result, it may fail to mitigate cross-site scripting attacks.

+

The policy has the following issues:

+

The policy allows global wildcard URLs which allows arbitrary scripts to be executed.

+

The policy allows data: URLs which allows arbitrary scripts to be executed.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

+ Mitigate cross-site scripting by avoiding 'unsafe-inline', 'unsafe-eval', data: URLs, and global + wildcards in script directives. Use a secure, random + nonce of at least 8 characters 'nonce-RANDOM' to prevent untrusted JavaScript execution. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/event-log HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1245037457.1730843989; _ga_0CGDK6Q0X4=GS1.1.1730843988.1.0.1730843990.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 279 + + {"name":"ForgotPasswordButtonClicked","category":"mConsoleEvents","timestamp":1730843990,"data":{"currentURL":"https://instance.example.com/fe/m3/m-login","previou +
Snip
+
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:50 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows untrusted script execution

+ /m/v3/actions/login-m-by-name + +

Issue detail:

+
+

The content security policy fails to prevent untrusted JavaScript from being executed. As a + result, it may fail to mitigate cross-site scripting attacks.

+

The policy has the following issues:

+

The policy allows global wildcard URLs which allows arbitrary scripts to be executed.

+

The policy allows data: URLs which allows arbitrary scripts to be executed.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

+ Mitigate cross-site scripting by avoiding 'unsafe-inline', 'unsafe-eval', data: URLs, and global + wildcards in script directives. Use a secure, random + nonce of at least 8 characters 'nonce-RANDOM' to prevent untrusted JavaScript execution. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/login-m-by-name HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Authorization: Bearer undefined + Cookie: _ga=GA1.1.2130470854.1730843985; _ga_0CGDK6Q0X4=GS1.1.1730843984.1.0.1730843986.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 33 + + {"mName":"","password":""}
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:46 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows untrusted script execution

+ /m/v3/actions/request-m-password-reset + +

Issue detail:

+
+

The content security policy fails to prevent untrusted JavaScript from being executed. As a + result, it may fail to mitigate cross-site scripting attacks.

+

The policy has the following issues:

+

The policy allows global wildcard URLs which allows arbitrary scripts to be executed.

+

The policy allows data: URLs which allows arbitrary scripts to be executed.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

+ Mitigate cross-site scripting by avoiding 'unsafe-inline', 'unsafe-eval', data: URLs, and global + wildcards in script directives. Use a secure, random + nonce of at least 8 characters 'nonce-RANDOM' to prevent untrusted JavaScript execution. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/request-m-password-reset HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1294211964.1730843974; _ga_0CGDK6Q0X4=GS1.1.1730843974.1.1.1730843975.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/request-reset-password + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 94 + + {"mName":"BoSUhm","mEmail":"BoSUhmuz@burpcollaborator.net","mPhone":null} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:36 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows untrusted script execution

+ /m/v3/translations + +

Issue detail:

+
+

The content security policy fails to prevent untrusted JavaScript from being executed. As a + result, it may fail to mitigate cross-site scripting attacks.

+

The policy has the following issues:

+

The policy allows global wildcard URLs which allows arbitrary scripts to be executed.

+

The policy allows data: URLs which allows arbitrary scripts to be executed.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

+ Mitigate cross-site scripting by avoiding 'unsafe-inline', 'unsafe-eval', data: URLs, and global + wildcards in script directives. Use a secure, random + nonce of at least 8 characters 'nonce-RANDOM' to prevent untrusted JavaScript execution. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /m/v3/translations?locale=en_US&category=m-fe HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1871968749.1730843978; _ga_0CGDK6Q0X4=GS1.1.1730843977.1.1.1730843978.0.0.0 + Referer: https://instance.example.com/fe/m3/m-login + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:39 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows untrusted script execution

+ /m/v3/translations/locales + +

Issue detail:

+
+

The content security policy fails to prevent untrusted JavaScript from being executed. As a + result, it may fail to mitigate cross-site scripting attacks.

+

The policy has the following issues:

+

The policy allows global wildcard URLs which allows arbitrary scripts to be executed.

+

The policy allows data: URLs which allows arbitrary scripts to be executed.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

+ Mitigate cross-site scripting by avoiding 'unsafe-inline', 'unsafe-eval', data: URLs, and global + wildcards in script directives. Use a secure, random + nonce of at least 8 characters 'nonce-RANDOM' to prevent untrusted JavaScript execution. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /m/v3/translations/locales?category=m-fe HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Referer: https://instance.example.com/fe/m3/m-login + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:24 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +
+
+
+ +

Content security policy: allows untrusted style execution

+ /fe/m3/m-login + +

Issue detail:

+
+

The content security policy fails to prevent untrusted style execution. As a result, it may fail + to mitigate style based data exfiltration.

+

The policy allows global wildcard URLs which allows arbitrary styles to be executed.

+

The policy allows data: URLs which allows arbitrary styles to be executed.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

+ Mitigate style-based data exfiltration by avoiding 'unsafe-inline', data: URLs, and global + wildcards in style directives. + Use a secure, random nonce of at least 8 characters 'nonce-RANDOM' in the relevant directive. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+
+ +

Content security policy: allows untrusted style execution

+ /m/v3/actions/action-log + +

Issue detail:

+
+

The content security policy fails to prevent untrusted style execution. As a result, it may fail + to mitigate style based data exfiltration.

+

The policy allows global wildcard URLs which allows arbitrary styles to be executed.

+

The policy allows data: URLs which allows arbitrary styles to be executed.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

+ Mitigate style-based data exfiltration by avoiding 'unsafe-inline', data: URLs, and global + wildcards in style directives. + Use a secure, random nonce of at least 8 characters 'nonce-RANDOM' in the relevant directive. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/action-log HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1789135595.1730843965; _ga_0CGDK6Q0X4=GS1.1.1730843965.1.0.1730843965.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 107 + + {"name":"ForgotPasswordButtonClicked","category":"mConsolefe","data":{"deviceType":"Desktop"}} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:26 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows untrusted style execution

+ /m/v3/actions/event-log + +

Issue detail:

+
+

The content security policy fails to prevent untrusted style execution. As a result, it may fail + to mitigate style based data exfiltration.

+

The policy allows global wildcard URLs which allows arbitrary styles to be executed.

+

The policy allows data: URLs which allows arbitrary styles to be executed.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

+ Mitigate style-based data exfiltration by avoiding 'unsafe-inline', data: URLs, and global + wildcards in style directives. + Use a secure, random nonce of at least 8 characters 'nonce-RANDOM' in the relevant directive. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/event-log HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1245037457.1730843989; _ga_0CGDK6Q0X4=GS1.1.1730843988.1.0.1730843990.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 279 + + {"name":"ForgotPasswordButtonClicked","category":"mConsoleEvents","timestamp":1730843990,"data":{"currentURL":"https://instance.example.com/fe/m3/m-login","previou +
Snip
+
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:50 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows untrusted style execution

+ /m/v3/actions/login-m-by-name + +

Issue detail:

+
+

The content security policy fails to prevent untrusted style execution. As a result, it may fail + to mitigate style based data exfiltration.

+

The policy allows global wildcard URLs which allows arbitrary styles to be executed.

+

The policy allows data: URLs which allows arbitrary styles to be executed.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

+ Mitigate style-based data exfiltration by avoiding 'unsafe-inline', data: URLs, and global + wildcards in style directives. + Use a secure, random nonce of at least 8 characters 'nonce-RANDOM' in the relevant directive. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/login-m-by-name HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Authorization: Bearer undefined + Cookie: _ga=GA1.1.2130470854.1730843985; _ga_0CGDK6Q0X4=GS1.1.1730843984.1.0.1730843986.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 33 + + {"mName":"","password":""}
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:46 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows untrusted style execution

+ /m/v3/actions/request-m-password-reset + +

Issue detail:

+
+

The content security policy fails to prevent untrusted style execution. As a result, it may fail + to mitigate style based data exfiltration.

+

The policy allows global wildcard URLs which allows arbitrary styles to be executed.

+

The policy allows data: URLs which allows arbitrary styles to be executed.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

+ Mitigate style-based data exfiltration by avoiding 'unsafe-inline', data: URLs, and global + wildcards in style directives. + Use a secure, random nonce of at least 8 characters 'nonce-RANDOM' in the relevant directive. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/request-m-password-reset HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1294211964.1730843974; _ga_0CGDK6Q0X4=GS1.1.1730843974.1.1.1730843975.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/request-reset-password + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 94 + + {"mName":"BoSUhm","mEmail":"BoSUhmuz@burpcollaborator.net","mPhone":null} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:36 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows untrusted style execution

+ /m/v3/translations + +

Issue detail:

+
+

The content security policy fails to prevent untrusted style execution. As a result, it may fail + to mitigate style based data exfiltration.

+

The policy allows global wildcard URLs which allows arbitrary styles to be executed.

+

The policy allows data: URLs which allows arbitrary styles to be executed.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

+ Mitigate style-based data exfiltration by avoiding 'unsafe-inline', data: URLs, and global + wildcards in style directives. + Use a secure, random nonce of at least 8 characters 'nonce-RANDOM' in the relevant directive. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /m/v3/translations?locale=en_US&category=m-fe HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1871968749.1730843978; _ga_0CGDK6Q0X4=GS1.1.1730843977.1.1.1730843978.0.0.0 + Referer: https://instance.example.com/fe/m3/m-login + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:39 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows untrusted style execution

+ /m/v3/translations/locales + +

Issue detail:

+
+

The content security policy fails to prevent untrusted style execution. As a result, it may fail + to mitigate style based data exfiltration.

+

The policy allows global wildcard URLs which allows arbitrary styles to be executed.

+

The policy allows data: URLs which allows arbitrary styles to be executed.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

+ Mitigate style-based data exfiltration by avoiding 'unsafe-inline', data: URLs, and global + wildcards in style directives. + Use a secure, random nonce of at least 8 characters 'nonce-RANDOM' in the relevant directive. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /m/v3/translations/locales?category=m-fe HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Referer: https://instance.example.com/fe/m3/m-login + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:24 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +
+
+
+ +

Content security policy: allows form hijacking

+ /fe/m3/m-login + +

Issue detail:

+
+

The content security policy doesn't prevent form hijacking, where attackers with HTML injection + hijack forms using action attributes. This can lead to credential theft by autofilling passwords + from a manager and sending them to an attacker's server upon form submission.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

We recommend using the form-action directive in the CSP response header to control form post + destinations. If no form actions are used, set form-action to 'none' to block + untrusted forms. For applications without external form URLs, use 'self' to allow only + same-origin URLs. If needed, allow list hosts for external URL form submissions, but + be aware this lets attackers submit to these external resources. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+
+ +

Content security policy: allows form hijacking

+ /m/v3/actions/action-log + +

Issue detail:

+
+

The content security policy doesn't prevent form hijacking, where attackers with HTML injection + hijack forms using action attributes. This can lead to credential theft by autofilling passwords + from a manager and sending them to an attacker's server upon form submission.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

We recommend using the form-action directive in the CSP response header to control form post + destinations. If no form actions are used, set form-action to 'none' to block + untrusted forms. For applications without external form URLs, use 'self' to allow only + same-origin URLs. If needed, allow list hosts for external URL form submissions, but + be aware this lets attackers submit to these external resources. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/action-log HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1789135595.1730843965; _ga_0CGDK6Q0X4=GS1.1.1730843965.1.0.1730843965.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 107 + + {"name":"ForgotPasswordButtonClicked","category":"mConsolefe","data":{"deviceType":"Desktop"}} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:26 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows form hijacking

+ /m/v3/actions/event-log + +

Issue detail:

+
+

The content security policy doesn't prevent form hijacking, where attackers with HTML injection + hijack forms using action attributes. This can lead to credential theft by autofilling passwords + from a manager and sending them to an attacker's server upon form submission.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

We recommend using the form-action directive in the CSP response header to control form post + destinations. If no form actions are used, set form-action to 'none' to block + untrusted forms. For applications without external form URLs, use 'self' to allow only + same-origin URLs. If needed, allow list hosts for external URL form submissions, but + be aware this lets attackers submit to these external resources. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/event-log HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.2130470854.1730843985; _ga_0CGDK6Q0X4=GS1.1.1730843984.1.0.1730843986.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 301 + + {"name":"mLoginAttempted","category":"mConsoleEvents","timestamp":1730843986,"data":{"currentURL":"https://instance.example.com/fe/m3/m-login","previousURL" +
Snip
+
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:46 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows form hijacking

+ /m/v3/actions/login-m-by-name + +

Issue detail:

+
+

The content security policy doesn't prevent form hijacking, where attackers with HTML injection + hijack forms using action attributes. This can lead to credential theft by autofilling passwords + from a manager and sending them to an attacker's server upon form submission.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

We recommend using the form-action directive in the CSP response header to control form post + destinations. If no form actions are used, set form-action to 'none' to block + untrusted forms. For applications without external form URLs, use 'self' to allow only + same-origin URLs. If needed, allow list hosts for external URL form submissions, but + be aware this lets attackers submit to these external resources. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/login-m-by-name HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Authorization: Bearer undefined + Cookie: _ga=GA1.1.2130470854.1730843985; _ga_0CGDK6Q0X4=GS1.1.1730843984.1.0.1730843986.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 33 + + {"mName":"","password":""}
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:46 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows form hijacking

+ /m/v3/actions/request-m-password-reset + +

Issue detail:

+
+

The content security policy doesn't prevent form hijacking, where attackers with HTML injection + hijack forms using action attributes. This can lead to credential theft by autofilling passwords + from a manager and sending them to an attacker's server upon form submission.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

We recommend using the form-action directive in the CSP response header to control form post + destinations. If no form actions are used, set form-action to 'none' to block + untrusted forms. For applications without external form URLs, use 'self' to allow only + same-origin URLs. If needed, allow list hosts for external URL form submissions, but + be aware this lets attackers submit to these external resources. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/request-m-password-reset HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1294211964.1730843974; _ga_0CGDK6Q0X4=GS1.1.1730843974.1.1.1730843975.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/request-reset-password + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 94 + + {"mName":"BoSUhm","mEmail":"BoSUhmuz@burpcollaborator.net","mPhone":null} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:36 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows form hijacking

+ /m/v3/translations + +

Issue detail:

+
+

The content security policy doesn't prevent form hijacking, where attackers with HTML injection + hijack forms using action attributes. This can lead to credential theft by autofilling passwords + from a manager and sending them to an attacker's server upon form submission.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

We recommend using the form-action directive in the CSP response header to control form post + destinations. If no form actions are used, set form-action to 'none' to block + untrusted forms. For applications without external form URLs, use 'self' to allow only + same-origin URLs. If needed, allow list hosts for external URL form submissions, but + be aware this lets attackers submit to these external resources. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /m/v3/translations?locale=en_US&category=m-fe HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.1871968749.1730843978; _ga_0CGDK6Q0X4=GS1.1.1730843977.1.1.1730843978.0.0.0 + Referer: https://instance.example.com/fe/m3/m-login + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:39 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Content security policy: allows form hijacking

+ /m/v3/translations/locales + +

Issue detail:

+
+

The content security policy doesn't prevent form hijacking, where attackers with HTML injection + hijack forms using action attributes. This can lead to credential theft by autofilling passwords + from a manager and sending them to an attacker's server upon form submission.

+
+ +

+ Issue background: +

+
+

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting + attacks by disabling dangerous behaviours such as untrusted JavaScript execution. + Websites can specify their security policy in a response header or meta tag, enabling + fine-grained control over dangerous features like scripts and stylesheets. +

+
+ +

+ Issue remediation: +

+
+

We recommend using the form-action directive in the CSP response header to control form post + destinations. If no form actions are used, set form-action to 'none' to block + untrusted forms. For applications without external form URLs, use 'self' to allow only + same-origin URLs. If needed, allow list hosts for external URL form submissions, but + be aware this lets attackers submit to these external resources. +

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /m/v3/translations/locales?category=m-fe HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Referer: https://instance.example.com/fe/m3/m-login + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 21:59:24 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' + https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +
+
+
+ +

Cross-origin resource sharing

+ /m/v3/actions/action-log + +

Issue detail:

+
+ The application implements an HTML5 cross-origin resource sharing (CORS) policy for this + request.

The response uses a wildcard in the Access-Control-Allow-Origin header and also + specifies that credentials are allowed. Note that browsers do not allow this combination, and the + Access-Control-Allow-Credentials header will be ignored.

Since the Vary: Origin header was + not present in the response, reverse proxies and intermediate servers may cache it. This may enable + an attacker to carry out cache poisoning attacks. +
+ +

+ Issue background: +

+
+

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on + other domains can perform two-way interaction with the domain that publishes the policy. The + policy is fine-grained and can apply access controls per-request based on the URL and other + features of the request.

+

If another domain is allowed by the policy, then that domain can potentially attack users of the + application. If a user is logged in to the application, and visits a domain allowed by the + policy, then any malicious content running on that domain can potentially retrieve content from + the application, and sometimes carry out actions within the security context of the logged in + user.

+

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within + that domain could potentially be leveraged by an attacker to exploit the trust relationship and + attack the application that allows access. CORS policies on pages containing sensitive + information should be reviewed to determine whether it is appropriate for the application to + trust both the intentions and security posture of any domains granted access.

+
+ +

+ Issue remediation: +

+
+

Any inappropriate domains should be removed from the CORS policy.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/action-log HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.705270236.1730844023; _ga_0CGDK6Q0X4=GS1.1.1730844022.1.0.1730844028.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 118 + + {"name":"mLoginAttempt","category":"mConsolefe","data":{"deviceType":"Desktop","mName":""}} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 22:00:29 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Cross-origin resource sharing

+ /m/v3/actions/event-log + +

Issue detail:

+
+ The application implements an HTML5 cross-origin resource sharing (CORS) policy for this + request.

The response uses a wildcard in the Access-Control-Allow-Origin header and also + specifies that credentials are allowed. Note that browsers do not allow this combination, and the + Access-Control-Allow-Credentials header will be ignored.

Since the Vary: Origin header was + not present in the response, reverse proxies and intermediate servers may cache it. This may enable + an attacker to carry out cache poisoning attacks. +
+ +

+ Issue background: +

+
+

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on + other domains can perform two-way interaction with the domain that publishes the policy. The + policy is fine-grained and can apply access controls per-request based on the URL and other + features of the request.

+

If another domain is allowed by the policy, then that domain can potentially attack users of the + application. If a user is logged in to the application, and visits a domain allowed by the + policy, then any malicious content running on that domain can potentially retrieve content from + the application, and sometimes carry out actions within the security context of the logged in + user.

+

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within + that domain could potentially be leveraged by an attacker to exploit the trust relationship and + attack the application that allows access. CORS policies on pages containing sensitive + information should be reviewed to determine whether it is appropriate for the application to + trust both the intentions and security posture of any domains granted access.

+
+ +

+ Issue remediation: +

+
+

Any inappropriate domains should be removed from the CORS policy.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/event-log HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.567957676.1730844025; _ga_0CGDK6Q0X4=GS1.1.1730844024.1.0.1730844029.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 279 + + {"name":"ForgotPasswordButtonClicked","category":"mConsoleEvents","timestamp":1730844029,"data":{"currentURL":"https://instance.example.com/fe/m3/m-login","previou +
Snip
+
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 22:00:30 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Cross-origin resource sharing

+ /m/v3/actions/login-m-by-name + +

Issue detail:

+
+ The application implements an HTML5 cross-origin resource sharing (CORS) policy for this + request.

The response uses a wildcard in the Access-Control-Allow-Origin header and also + specifies that credentials are allowed. Note that browsers do not allow this combination, and the + Access-Control-Allow-Credentials header will be ignored.

Since the Vary: Origin header was + not present in the response, reverse proxies and intermediate servers may cache it. This may enable + an attacker to carry out cache poisoning attacks. +
+ +

+ Issue background: +

+
+

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on + other domains can perform two-way interaction with the domain that publishes the policy. The + policy is fine-grained and can apply access controls per-request based on the URL and other + features of the request.

+

If another domain is allowed by the policy, then that domain can potentially attack users of the + application. If a user is logged in to the application, and visits a domain allowed by the + policy, then any malicious content running on that domain can potentially retrieve content from + the application, and sometimes carry out actions within the security context of the logged in + user.

+

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within + that domain could potentially be leveraged by an attacker to exploit the trust relationship and + attack the application that allows access. CORS policies on pages containing sensitive + information should be reviewed to determine whether it is appropriate for the application to + trust both the intentions and security posture of any domains granted access.

+
+ +

+ Issue remediation: +

+
+

Any inappropriate domains should be removed from the CORS policy.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/login-m-by-name HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Authorization: Bearer undefined + Cookie: _ga=GA1.1.766182157.1730844017; _ga_0CGDK6Q0X4=GS1.1.1730844017.1.0.1730844022.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 33 + + {"mName":"","password":""} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 22:00:23 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Cross-origin resource sharing

+ /m/v3/actions/request-m-password-reset + +

Issue detail:

+
+ The application implements an HTML5 cross-origin resource sharing (CORS) policy for this + request.

The response uses a wildcard in the Access-Control-Allow-Origin header and also + specifies that credentials are allowed. Note that browsers do not allow this combination, and the + Access-Control-Allow-Credentials header will be ignored.

Since the Vary: Origin header was + not present in the response, reverse proxies and intermediate servers may cache it. This may enable + an attacker to carry out cache poisoning attacks. +
+ +

+ Issue background: +

+
+

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on + other domains can perform two-way interaction with the domain that publishes the policy. The + policy is fine-grained and can apply access controls per-request based on the URL and other + features of the request.

+

If another domain is allowed by the policy, then that domain can potentially attack users of the + application. If a user is logged in to the application, and visits a domain allowed by the + policy, then any malicious content running on that domain can potentially retrieve content from + the application, and sometimes carry out actions within the security context of the logged in + user.

+

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within + that domain could potentially be leveraged by an attacker to exploit the trust relationship and + attack the application that allows access. CORS policies on pages containing sensitive + information should be reviewed to determine whether it is appropriate for the application to + trust both the intentions and security posture of any domains granted access.

+
+ +

+ Issue remediation: +

+
+

Any inappropriate domains should be removed from the CORS policy.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/request-m-password-reset HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.496830287.1730844017; _ga_0CGDK6Q0X4=GS1.1.1730844017.1.1.1730844022.0.0.0 + Origin: https://instance.example.com + Referer: https://instance.example.com/fe/m3/request-reset-password + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 94 + + {"mName":"BoSUhm","mEmail":"BoSUhmuz@burpcollaborator.net","mPhone":null} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 22:00:23 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Cross-origin resource sharing

+ /m/v3/translations + +

Issue detail:

+
+ The application implements an HTML5 cross-origin resource sharing (CORS) policy for this + request.

The response uses a wildcard in the Access-Control-Allow-Origin header and also + specifies that credentials are allowed. Note that browsers do not allow this combination, and the + Access-Control-Allow-Credentials header will be ignored.

Since the Vary: Origin header was + not present in the response, reverse proxies and intermediate servers may cache it. This may enable + an attacker to carry out cache poisoning attacks. +
+ +

+ Issue background: +

+
+

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on + other domains can perform two-way interaction with the domain that publishes the policy. The + policy is fine-grained and can apply access controls per-request based on the URL and other + features of the request.

+

If another domain is allowed by the policy, then that domain can potentially attack users of the + application. If a user is logged in to the application, and visits a domain allowed by the + policy, then any malicious content running on that domain can potentially retrieve content from + the application, and sometimes carry out actions within the security context of the logged in + user.

+

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within + that domain could potentially be leveraged by an attacker to exploit the trust relationship and + attack the application that allows access. CORS policies on pages containing sensitive + information should be reviewed to determine whether it is appropriate for the application to + trust both the intentions and security posture of any domains granted access.

+
+ +

+ Issue remediation: +

+
+

Any inappropriate domains should be removed from the CORS policy.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /m/v3/translations?locale=en_US&category=m-fe HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.2145941182.1730844052; _ga_0CGDK6Q0X4=GS1.1.1730844051.1.1.1730844054.0.0.0 + Referer: https://instance.example.com/fe/m3/m-login + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Origin: https://instance.example.com + +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 22:04:36 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Cross-origin resource sharing

+ /m/v3/translations/locales + +

Issue detail:

+
+ The application implements an HTML5 cross-origin resource sharing (CORS) policy for this + request.

The response uses a wildcard in the Access-Control-Allow-Origin header and also + specifies that credentials are allowed. Note that browsers do not allow this combination, and the + Access-Control-Allow-Credentials header will be ignored.

Since the Vary: Origin header was + not present in the response, reverse proxies and intermediate servers may cache it. This may enable + an attacker to carry out cache poisoning attacks. +
+ +

+ Issue background: +

+
+

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on + other domains can perform two-way interaction with the domain that publishes the policy. The + policy is fine-grained and can apply access controls per-request based on the URL and other + features of the request.

+

If another domain is allowed by the policy, then that domain can potentially attack users of the + application. If a user is logged in to the application, and visits a domain allowed by the + policy, then any malicious content running on that domain can potentially retrieve content from + the application, and sometimes carry out actions within the security context of the logged in + user.

+

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within + that domain could potentially be leveraged by an attacker to exploit the trust relationship and + attack the application that allows access. CORS policies on pages containing sensitive + information should be reviewed to determine whether it is appropriate for the application to + trust both the intentions and security posture of any domains granted access.

+
+ +

+ Issue remediation: +

+
+

Any inappropriate domains should be removed from the CORS policy.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /m/v3/translations/locales?category=m-fe HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Referer: https://instance.example.com/fe/m3/m-login + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Origin: https://instance.example.com + +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 22:09:09 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +
+
+
+ +

Cross-origin resource sharing: arbitrary origin trusted

+ /m/v3/actions/action-log + +

Issue detail:

+
+ The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request + that allows access from any domain.

The application allowed access from the requested origin + https://aazpkgamubbk.com

The response uses a wildcard in the + Access-Control-Allow-Origin header and also specifies that credentials are allowed. Note that + browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be + ignored.

Since the Vary: Origin header was not present in the response, reverse proxies and + intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks. +
+ +

+ Issue background: +

+
+

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on + other domains can perform two-way interaction with the domain that publishes the policy. The + policy is fine-grained and can apply access controls per-request based on the URL and other + features of the request.

+

+ Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way + interaction by third-party web sites. Unless the response consists only of unprotected public + content, this policy is likely to present a security risk.

+

If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be + able to carry out privileged actions and retrieve sensitive information. Even if it does not, + attackers may be able to bypass any IP-based access controls by proxying through users' + browsers.

+
+ +

+ Issue remediation: +

+
+

Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of + trusted domains.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/action-log HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.705270236.1730844023; _ga_0CGDK6Q0X4=GS1.1.1730844022.1.0.1730844028.0.0.0 + Origin: https://aazpkgamubbk.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 118 + + {"name":"mLoginAttempt","category":"mConsolefe","data":{"deviceType":"Desktop","mName":""}} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 22:08:15 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Cross-origin resource sharing: arbitrary origin trusted

+ /m/v3/actions/event-log + +

Issue detail:

+
+ The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request + that allows access from any domain.

The application allowed access from the requested origin + https://nyc.com

The response uses a wildcard in the + Access-Control-Allow-Origin header and also specifies that credentials are allowed. Note that + browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be + ignored.

Since the Vary: Origin header was not present in the response, reverse proxies and + intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks. +
+ +

+ Issue background: +

+
+

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on + other domains can perform two-way interaction with the domain that publishes the policy. The + policy is fine-grained and can apply access controls per-request based on the URL and other + features of the request.

+

+ Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way + interaction by third-party web sites. Unless the response consists only of unprotected public + content, this policy is likely to present a security risk.

+

If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be + able to carry out privileged actions and retrieve sensitive information. Even if it does not, + attackers may be able to bypass any IP-based access controls by proxying through users' + browsers.

+
+ +

+ Issue remediation: +

+
+

Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of + trusted domains.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/event-log HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.567957676.1730844025; _ga_0CGDK6Q0X4=GS1.1.1730844024.1.0.1730844029.0.0.0 + Origin: https://nyc.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 279 + + {"name":"ForgotPasswordButtonClicked","category":"mConsoleEvents","timestamp":1730844029,"data":{"currentURL":"https://instance.example.com/fe/m3/m-login","previou +
Snip
+
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 22:08:55 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Cross-origin resource sharing: arbitrary origin trusted

+ /m/v3/actions/login-m-by-name + +

Issue detail:

+
+ The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request + that allows access from any domain.

The application allowed access from the requested origin + https://zwa.com

The response uses a wildcard in the + Access-Control-Allow-Origin header and also specifies that credentials are allowed. Note that + browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be + ignored.

Since the Vary: Origin header was not present in the response, reverse proxies and + intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks. +
+ +

+ Issue background: +

+
+

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on + other domains can perform two-way interaction with the domain that publishes the policy. The + policy is fine-grained and can apply access controls per-request based on the URL and other + features of the request.

+

+ Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way + interaction by third-party web sites. Unless the response consists only of unprotected public + content, this policy is likely to present a security risk.

+

If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be + able to carry out privileged actions and retrieve sensitive information. Even if it does not, + attackers may be able to bypass any IP-based access controls by proxying through users' + browsers.

+
+ +

+ Issue remediation: +

+
+

Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of + trusted domains.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/login-m-by-name HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Authorization: Bearer undefined + Cookie: _ga=GA1.1.766182157.1730844017; _ga_0CGDK6Q0X4=GS1.1.1730844017.1.0.1730844022.0.0.0 + Origin: https://zwa.com + Referer: https://instance.example.com/fe/m3/m-login + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 33 + + {"mName":"","password":""} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 22:08:00 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Cross-origin resource sharing: arbitrary origin trusted

+ /m/v3/actions/request-m-password-reset + +

Issue detail:

+
+ The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request + that allows access from any domain.

The application allowed access from the requested origin + https://wsparhyjqvka.com

The response uses a wildcard in the + Access-Control-Allow-Origin header and also specifies that credentials are allowed. Note that + browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be + ignored.

Since the Vary: Origin header was not present in the response, reverse proxies and + intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks. +
+ +

+ Issue background: +

+
+

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on + other domains can perform two-way interaction with the domain that publishes the policy. The + policy is fine-grained and can apply access controls per-request based on the URL and other + features of the request.

+

+ Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way + interaction by third-party web sites. Unless the response consists only of unprotected public + content, this policy is likely to present a security risk.

+

If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be + able to carry out privileged actions and retrieve sensitive information. Even if it does not, + attackers may be able to bypass any IP-based access controls by proxying through users' + browsers.

+
+ +

+ Issue remediation: +

+
+

Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of + trusted domains.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
POST /m/v3/actions/request-m-password-reset HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.496830287.1730844017; _ga_0CGDK6Q0X4=GS1.1.1730844017.1.1.1730844022.0.0.0 + Origin: https://wsparhyjqvka.com + Referer: https://instance.example.com/fe/m3/request-reset-password + Content-Type: application/json + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Content-Length: 94 + + {"mName":"BoSUhm","mEmail":"BoSUhmuz@burpcollaborator.net","mPhone":null} +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 22:08:21 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Cross-origin resource sharing: arbitrary origin trusted

+ /m/v3/translations + +

Issue detail:

+
+ The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request + that allows access from any domain.

The application allowed access from the requested origin + https://tjelewarvblp.com

The response uses a wildcard in the + Access-Control-Allow-Origin header and also specifies that credentials are allowed. Note that + browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be + ignored.

Since the Vary: Origin header was not present in the response, reverse proxies and + intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks. +
+ +

+ Issue background: +

+
+

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on + other domains can perform two-way interaction with the domain that publishes the policy. The + policy is fine-grained and can apply access controls per-request based on the URL and other + features of the request.

+

+ Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way + interaction by third-party web sites. Unless the response consists only of unprotected public + content, this policy is likely to present a security risk.

+

If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be + able to carry out privileged actions and retrieve sensitive information. Even if it does not, + attackers may be able to bypass any IP-based access controls by proxying through users' + browsers.

+
+ +

+ Issue remediation: +

+
+

Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of + trusted domains.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /m/v3/translations?locale=en_US&category=m-fe HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Cookie: _ga=GA1.1.2145941182.1730844052; _ga_0CGDK6Q0X4=GS1.1.1730844051.1.1.1730844054.0.0.0 + Referer: https://instance.example.com/fe/m3/m-login + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Origin: https://tjelewarvblp.com + +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 22:04:37 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +

Cross-origin resource sharing: arbitrary origin trusted

+ /m/v3/translations/locales + +

Issue detail:

+
+ The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request + that allows access from any domain.

The application allowed access from the requested origin + https://pduoenagjukk.com

The response uses a wildcard in the + Access-Control-Allow-Origin header and also specifies that credentials are allowed. Note that + browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be + ignored.

Since the Vary: Origin header was not present in the response, reverse proxies and + intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks. +
+ +

+ Issue background: +

+
+

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on + other domains can perform two-way interaction with the domain that publishes the policy. The + policy is fine-grained and can apply access controls per-request based on the URL and other + features of the request.

+

+ Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way + interaction by third-party web sites. Unless the response consists only of unprotected public + content, this policy is likely to present a security risk.

+

If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be + able to carry out privileged actions and retrieve sensitive information. Even if it does not, + attackers may be able to bypass any IP-based access controls by proxying through users' + browsers.

+
+ +

+ Issue remediation: +

+
+

Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of + trusted domains.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /m/v3/translations/locales?category=m-fe HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: application/json, text/plain, */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Referer: https://instance.example.com/fe/m3/m-login + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + Origin: https://pduoenagjukk.com + +
+
+
+

Response:

+
HTTP/2 500 Internal Server Error + Date: Tue, 05 Nov 2024 22:09:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 0 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + Access-Control-Max-Age: 86400 + +
+
+
+
+ +
+
+
+ +

Robots.txt file

+ /robots.txt + +

Issue detail:

+
+ The web server contains a robots.txt file. +
+ +

+ Issue background: +

+
+

The file robots.txt is used to give instructions to web robots, such as search engine crawlers, + about locations within the web site that robots are allowed, or not allowed, to crawl and index. +

+

The presence of the robots.txt does not in itself present any kind of security vulnerability. + However, it is often used to identify restricted or private areas of a site's contents. The + information in the file may therefore help an attacker to map out the site's contents, + especially if some of the locations identified are not linked from elsewhere in the site. If the + application relies on robots.txt to protect access to these areas, and does not enforce proper + access control over them, then this presents a serious vulnerability.

+
+ +

+ Issue remediation: +

+
+

The robots.txt file is not itself a security threat, and its correct use can represent good + practice for non-security reasons. You should not assume that all web robots will honor the + file's instructions. Rather, assume that attackers will pay close attention to any locations + identified in the file. Do not rely on robots.txt to provide any kind of protection over + unauthorized access.

+
+ +

Vulnerability classifications

+ + +
+

Request:

+
GET /robots.txt HTTP/1.1 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + +
+
+
+

Response:

+
HTTP/1.1 200 OK + Date: Tue, 05 Nov 2024 21:59:51 GMT + Content-Type: text/plain + Content-Length: 195 + Connection: close + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + Last-Modified: Tue, 15 Oct 2024 15:56:17 GMT + ETag: "c3-62485fe5f1553-gzip" + Accept-Ranges: bytes + Vary: Accept-Encoding + + User-agent: * + Disallow: /app + Disallow: /apidocs/example-app-install.pdf + Disallow: /dashboard/ + Disallow: /m2/ + Disallow: /m/ + Disallow: /js/ + Disallow: /modules/api/fetch-dictionary.php +
+
+
+
+ +
+
+
+ +

Cacheable HTTPS response

+ /fe/m3/m-login + +

+ Issue description: +

+
+

Unless directed otherwise, browsers may store a local cached copy of content received from web + servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS. If + sensitive information in application responses is stored in the local cache, then this may be + retrieved by other users who have access to the same computer at a future time.

+
+ +

+ Issue remediation: +

+
+

Applications should return caching directives instructing browsers not to store local copies of + any sensitive data. Often, this can be achieved by configuring the web server to prevent caching + for relevant paths within the web root. Alternatively, most web development platforms allow you + to control the server's caching directives from within individual scripts. Ideally, the web + server should return the following HTTP headers in all responses containing sensitive content: +

+
    +
  • Cache-control: no-store
  • +
  • Pragma: no-cache
  • +
+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+
+ +
+
+
+ +

DOM data manipulation (DOM-based)

+ /fe/m3/m-login + +

Issue detail:

+
+ The application may be vulnerable to DOM-based DOM data manipulation. Data is read from + location.pathname and passed to history.replaceState. +
+ +

+ Issue background: +

+
+

DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of + the DOM (for example, the URL) and processes this data in an unsafe way.

+

DOM data manipulation arises when a script writes controllable data to a field within the DOM + that is used within the visible UI or client-side application logic. An attacker may be able to + use the vulnerability to construct a URL that, if visited by another application user, will + modify the appearance or behavior of the client-side UI. An attacker may be able to leverage + this to perform virtual defacement of the application, or possibly to induce the user to perform + unintended actions.

+ +

Burp Suite automatically identifies this issue using dynamic and static code analysis. Static + analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not + provided any evidence resulting from dynamic analysis, you should review the relevant code and + execution paths to determine whether this vulnerability is indeed present, or whether + mitigations are in place that would prevent exploitation.

+
+ +

+ Issue remediation: +

+
+

The most effective way to avoid DOM-based DOM data manipulation vulnerabilities is not to + dynamically write to DOM data fields any data that originated from any untrusted source. If the + desired functionality of the application means that this behavior is unavoidable, then defenses + must be implemented within the client-side code to prevent malicious data from being stored. In + general, this is best achieved by using a whitelist of permitted values.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+

Dynamic analysis:

+
+

+ Data is read from location.pathname and passed to history.replaceState. +

+
    +
  • +

    The following value was injected into the source:

    +
    ///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&
    +
  • + +
  • +

    The previous value reached the sink:

    +
    https://instance.example.com/fe///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/><g49p4yw5cy/\>zgrotg0z2s&#hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/><hj8js9yzmu/\>ea3izlhk1m&
    +
  • + +
  • +

    The stack trace at source was:

    +
    at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)
    +at get pathname (<anonymous>:1:249642)
    +at createCurrentLocation (https://instance.example.com/fe/js/cv-script.js:218038:13)
    +at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218149:16)
    +at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
    +at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at 1 (https://instance.example.com/fe/js/app.js:172609:18)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
    +at https://instance.example.com/fe/js/app.js:994:18
    +
  • + +
  • +

    The stack trace at the sink was:

    +
    at Object.dXSzc (<anonymous>:1:107608)
    +at Object.skeuk (<anonymous>:1:548616)
    +at History.replaceState (<anonymous>:1:548864)
    +at changeLocation (https://instance.example.com/fe/js/cv-script.js:218185:60)
    +at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218154:9)
    +at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
    +at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at 1 (https://instance.example.com/fe/js/app.js:172609:18)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
    +
  • + +
+
+
+
+
+ +

DOM data manipulation (DOM-based)

+ /fe/m3/m-login + +

Issue detail:

+
+ The application may be vulnerable to DOM-based DOM data manipulation. Data is read from + location.search and passed to history.replaceState. +
+ +

+ Issue background: +

+
+

DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of + the DOM (for example, the URL) and processes this data in an unsafe way.

+

DOM data manipulation arises when a script writes controllable data to a field within the DOM + that is used within the visible UI or client-side application logic. An attacker may be able to + use the vulnerability to construct a URL that, if visited by another application user, will + modify the appearance or behavior of the client-side UI. An attacker may be able to leverage + this to perform virtual defacement of the application, or possibly to induce the user to perform + unintended actions.

+ +

Burp Suite automatically identifies this issue using dynamic and static code analysis. Static + analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not + provided any evidence resulting from dynamic analysis, you should review the relevant code and + execution paths to determine whether this vulnerability is indeed present, or whether + mitigations are in place that would prevent exploitation.

+
+ +

+ Issue remediation: +

+
+

The most effective way to avoid DOM-based DOM data manipulation vulnerabilities is not to + dynamically write to DOM data fields any data that originated from any untrusted source. If the + desired functionality of the application means that this behavior is unavoidable, then defenses + must be implemented within the client-side code to prevent malicious data from being stored. In + general, this is best achieved by using a whitelist of permitted values.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+

Dynamic analysis:

+
+

+ Data is read from location.search and passed to history.replaceState. +

+
    +
  • +

    The following value was injected into the source:

    +
    ?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/><g49p4yw5cy/\>zgrotg0z2s&
    +
  • + +
  • +

    The previous value reached the sink:

    +
    https://instance.example.com/fe///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/><g49p4yw5cy/\>zgrotg0z2s&#hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/><hj8js9yzmu/\>ea3izlhk1m&
    +
  • + +
  • +

    The stack trace at source was:

    +
    at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)
    +at get search (<anonymous>:1:248279)
    +at createCurrentLocation (https://instance.example.com/fe/js/cv-script.js:218038:23)
    +at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218149:16)
    +at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
    +at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at 1 (https://instance.example.com/fe/js/app.js:172609:18)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
    +at https://instance.example.com/fe/js/app.js:994:18
    +
  • + +
  • +

    The stack trace at the sink was:

    +
    at Object.dXSzc (<anonymous>:1:107608)
    +at Object.skeuk (<anonymous>:1:548616)
    +at History.replaceState (<anonymous>:1:548864)
    +at changeLocation (https://instance.example.com/fe/js/cv-script.js:218185:60)
    +at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218154:9)
    +at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
    +at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at 1 (https://instance.example.com/fe/js/app.js:172609:18)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
    +
  • + +
+
+
+
+
+ +

DOM data manipulation (DOM-based)

+ /fe/m3/m-login + +

Issue detail:

+
+ The application may be vulnerable to DOM-based DOM data manipulation. Data is read from + location.hash and passed to history.replaceState. +
+ +

+ Issue background: +

+
+

DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of + the DOM (for example, the URL) and processes this data in an unsafe way.

+

DOM data manipulation arises when a script writes controllable data to a field within the DOM + that is used within the visible UI or client-side application logic. An attacker may be able to + use the vulnerability to construct a URL that, if visited by another application user, will + modify the appearance or behavior of the client-side UI. An attacker may be able to leverage + this to perform virtual defacement of the application, or possibly to induce the user to perform + unintended actions.

+ +

Burp Suite automatically identifies this issue using dynamic and static code analysis. Static + analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not + provided any evidence resulting from dynamic analysis, you should review the relevant code and + execution paths to determine whether this vulnerability is indeed present, or whether + mitigations are in place that would prevent exploitation.

+
+ +

+ Issue remediation: +

+
+

The most effective way to avoid DOM-based DOM data manipulation vulnerabilities is not to + dynamically write to DOM data fields any data that originated from any untrusted source. If the + desired functionality of the application means that this behavior is unavoidable, then defenses + must be implemented within the client-side code to prevent malicious data from being stored. In + general, this is best achieved by using a whitelist of permitted values.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+

Dynamic analysis:

+
+

+ Data is read from location.hash and passed to history.replaceState. +

+
    +
  • +

    The following value was injected into the source:

    +
    #hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/><hj8js9yzmu/\>ea3izlhk1m&
    +
  • + +
  • +

    The previous value reached the sink:

    +
    https://instance.example.com/fe///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/><g49p4yw5cy/\>zgrotg0z2s&#hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/><hj8js9yzmu/\>ea3izlhk1m&
    +
  • + +
  • +

    The stack trace at source was:

    +
    at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)
    +at get hash (<anonymous>:1:249429)
    +at createCurrentLocation (https://instance.example.com/fe/js/cv-script.js:218038:31)
    +at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218149:16)
    +at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
    +at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at 1 (https://instance.example.com/fe/js/app.js:172609:18)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
    +at https://instance.example.com/fe/js/app.js:994:18
    +
  • + +
  • +

    The stack trace at the sink was:

    +
    at Object.dXSzc (<anonymous>:1:107608)
    +at Object.skeuk (<anonymous>:1:548616)
    +at History.replaceState (<anonymous>:1:548864)
    +at changeLocation (https://instance.example.com/fe/js/cv-script.js:218185:60)
    +at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218154:9)
    +at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
    +at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at 1 (https://instance.example.com/fe/js/app.js:172609:18)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
    +
  • + +
+
+
+
+
+ +

DOM data manipulation (DOM-based)

+ /fe/m3/m-login + +

Issue detail:

+
+ The application may be vulnerable to DOM-based DOM data manipulation. Data is read from + location.pathname and passed to history.replaceState. +
+ +

+ Issue background: +

+
+

DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of + the DOM (for example, the URL) and processes this data in an unsafe way.

+

DOM data manipulation arises when a script writes controllable data to a field within the DOM + that is used within the visible UI or client-side application logic. An attacker may be able to + use the vulnerability to construct a URL that, if visited by another application user, will + modify the appearance or behavior of the client-side UI. An attacker may be able to leverage + this to perform virtual defacement of the application, or possibly to induce the user to perform + unintended actions.

+ +

Burp Suite automatically identifies this issue using dynamic and static code analysis. Static + analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not + provided any evidence resulting from dynamic analysis, you should review the relevant code and + execution paths to determine whether this vulnerability is indeed present, or whether + mitigations are in place that would prevent exploitation.

+
+ +

+ Issue remediation: +

+
+

The most effective way to avoid DOM-based DOM data manipulation vulnerabilities is not to + dynamically write to DOM data fields any data that originated from any untrusted source. If the + desired functionality of the application means that this behavior is unavoidable, then defenses + must be implemented within the client-side code to prevent malicious data from being stored. In + general, this is best achieved by using a whitelist of permitted values.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+

Dynamic analysis:

+
+

+ Data is read from location.pathname and passed to history.replaceState. +

+
    +
  • +

    The following value was injected into the source:

    +
    ///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&
    +
  • + +
  • +

    The previous value reached the sink:

    +
    https://instance.example.com/fe///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/><g49p4yw5cy/\>zgrotg0z2s&#hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/><hj8js9yzmu/\>ea3izlhk1m&
    +
  • + +
  • +

    The stack trace at source was:

    +
    at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)
    +at get pathname (<anonymous>:1:249642)
    +at createCurrentLocation (https://instance.example.com/fe/js/cv-script.js:218038:13)
    +at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218149:16)
    +at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
    +at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at 1 (https://instance.example.com/fe/js/app.js:172609:18)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
    +at https://instance.example.com/fe/js/app.js:994:18
    +
  • + +
  • +

    The stack trace at the sink was:

    +
    at Object.dXSzc (<anonymous>:1:107608)
    +at Object.skeuk (<anonymous>:1:548616)
    +at History.replaceState (<anonymous>:1:548864)
    +at changeLocation (https://instance.example.com/fe/js/cv-script.js:218185:60)
    +at Object.replace (https://instance.example.com/fe/js/cv-script.js:218201:9)
    +at finalizeNavigation (https://instance.example.com/fe/js/cv-script.js:220844:31)
    +at https://instance.example.com/fe/js/cv-script.js:220724:27
    +
  • + +
  • +

    This was triggered by a loadend event.

    +
  • + +
+
+
+
+
+ +

DOM data manipulation (DOM-based)

+ /fe/m3/m-login + +

Issue detail:

+
+ The application may be vulnerable to DOM-based DOM data manipulation. Data is read from + location.search and passed to history.replaceState. +
+ +

+ Issue background: +

+
+

DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of + the DOM (for example, the URL) and processes this data in an unsafe way.

+

DOM data manipulation arises when a script writes controllable data to a field within the DOM + that is used within the visible UI or client-side application logic. An attacker may be able to + use the vulnerability to construct a URL that, if visited by another application user, will + modify the appearance or behavior of the client-side UI. An attacker may be able to leverage + this to perform virtual defacement of the application, or possibly to induce the user to perform + unintended actions.

+ +

Burp Suite automatically identifies this issue using dynamic and static code analysis. Static + analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not + provided any evidence resulting from dynamic analysis, you should review the relevant code and + execution paths to determine whether this vulnerability is indeed present, or whether + mitigations are in place that would prevent exploitation.

+
+ +

+ Issue remediation: +

+
+

The most effective way to avoid DOM-based DOM data manipulation vulnerabilities is not to + dynamically write to DOM data fields any data that originated from any untrusted source. If the + desired functionality of the application means that this behavior is unavoidable, then defenses + must be implemented within the client-side code to prevent malicious data from being stored. In + general, this is best achieved by using a whitelist of permitted values.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+

Dynamic analysis:

+
+

+ Data is read from location.search and passed to history.replaceState. +

+
    +
  • +

    The following value was injected into the source:

    +
    ?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/><g49p4yw5cy/\>zgrotg0z2s&
    +
  • + +
  • +

    The previous value reached the sink:

    +
    https://instance.example.com/fe///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/><g49p4yw5cy/\>zgrotg0z2s&#hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/><hj8js9yzmu/\>ea3izlhk1m&
    +
  • + +
  • +

    The stack trace at source was:

    +
    at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)
    +at get search (<anonymous>:1:248279)
    +at createCurrentLocation (https://instance.example.com/fe/js/cv-script.js:218038:23)
    +at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218149:16)
    +at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
    +at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at 1 (https://instance.example.com/fe/js/app.js:172609:18)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
    +at https://instance.example.com/fe/js/app.js:994:18
    +
  • + +
  • +

    The stack trace at the sink was:

    +
    at Object.dXSzc (<anonymous>:1:107608)
    +at Object.skeuk (<anonymous>:1:548616)
    +at History.replaceState (<anonymous>:1:548864)
    +at changeLocation (https://instance.example.com/fe/js/cv-script.js:218185:60)
    +at Object.replace (https://instance.example.com/fe/js/cv-script.js:218201:9)
    +at finalizeNavigation (https://instance.example.com/fe/js/cv-script.js:220844:31)
    +at https://instance.example.com/fe/js/cv-script.js:220724:27
    +
  • + +
  • +

    This was triggered by a loadend event.

    +
  • + +
+
+
+
+
+ +

DOM data manipulation (DOM-based)

+ /fe/m3/m-login + +

Issue detail:

+
+ The application may be vulnerable to DOM-based DOM data manipulation. Data is read from + location.hash and passed to history.replaceState. +
+ +

+ Issue background: +

+
+

DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of + the DOM (for example, the URL) and processes this data in an unsafe way.

+

DOM data manipulation arises when a script writes controllable data to a field within the DOM + that is used within the visible UI or client-side application logic. An attacker may be able to + use the vulnerability to construct a URL that, if visited by another application user, will + modify the appearance or behavior of the client-side UI. An attacker may be able to leverage + this to perform virtual defacement of the application, or possibly to induce the user to perform + unintended actions.

+ +

Burp Suite automatically identifies this issue using dynamic and static code analysis. Static + analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not + provided any evidence resulting from dynamic analysis, you should review the relevant code and + execution paths to determine whether this vulnerability is indeed present, or whether + mitigations are in place that would prevent exploitation.

+
+ +

+ Issue remediation: +

+
+

The most effective way to avoid DOM-based DOM data manipulation vulnerabilities is not to + dynamically write to DOM data fields any data that originated from any untrusted source. If the + desired functionality of the application means that this behavior is unavoidable, then defenses + must be implemented within the client-side code to prevent malicious data from being stored. In + general, this is best achieved by using a whitelist of permitted values.

+
+ +

References

+ + +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3/m-login HTTP/2 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/2 200 OK + Date: Tue, 05 Nov 2024 21:59:12 GMT + Content-Type: text/html; charset=UTF-8 + Content-Length: 1906 + Server: Apache/2.4.62 (Ubuntu) + X-Frame-Options: SAMEORIGIN + Content-Security-Policy: frame-ancestors 'self' https://staging.example.com + X-Powered-By: Express + Accept-Ranges: bytes + Etag: W/"772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip" + Vary: Accept-Encoding + + <!DOCTYPE html> + <html lang=""> + <head> + <meta charset="utf-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> + <meta name="viewport" content="width=device-width,initial-scale=1.0
Snip
+
+
+
+

Dynamic analysis:

+
+

+ Data is read from location.hash and passed to history.replaceState. +

+
    +
  • +

    The following value was injected into the source:

    +
    #hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/><hj8js9yzmu/\>ea3izlhk1m&
    +
  • + +
  • +

    The previous value reached the sink:

    +
    https://instance.example.com/fe///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/><g49p4yw5cy/\>zgrotg0z2s&#hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/><hj8js9yzmu/\>ea3izlhk1m&
    +
  • + +
  • +

    The stack trace at source was:

    +
    at Object._0x165f99 [as proxiedGetterCallback] (<anonymous>:1:557377)
    +at get hash (<anonymous>:1:249429)
    +at createCurrentLocation (https://instance.example.com/fe/js/cv-script.js:218038:31)
    +at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218149:16)
    +at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
    +at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue?vue&type=script&lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at fn (https://instance.example.com/fe/js/app.js:151:20)
    +at 1 (https://instance.example.com/fe/js/app.js:172609:18)
    +at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
    +at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
    +at https://instance.example.com/fe/js/app.js:994:18
    +
  • + +
  • +

    The stack trace at the sink was:

    +
    at Object.dXSzc (<anonymous>:1:107608)
    +at Object.skeuk (<anonymous>:1:548616)
    +at History.replaceState (<anonymous>:1:548864)
    +at changeLocation (https://instance.example.com/fe/js/cv-script.js:218185:60)
    +at Object.replace (https://instance.example.com/fe/js/cv-script.js:218201:9)
    +at finalizeNavigation (https://instance.example.com/fe/js/cv-script.js:220844:31)
    +at https://instance.example.com/fe/js/cv-script.js:220724:27
    +
  • + +
  • +

    This was triggered by a loadend event.

    +
  • + +
+
+
+
+
+ +
+
+ +
+

More details for http://instance.example.com

+
+ +
+
+ +

Input returned in response (reflected)

+ /fe/m3/m-login + +

Issue detail:

+
+ The value of the URL path folder 1 is copied into the application's response. +
+ +

+ Issue background: +

+
+

Reflection of input arises when data is copied from a request and echoed into the application's + immediate response.

+

Input being returned in application responses is not a vulnerability in its own right. However, + it is a prerequisite for many client-side vulnerabilities, including cross-site scripting, open + redirection, content spoofing, and response header injection. Additionally, some server-side + vulnerabilities such as SQL injection are often easier to identify and exploit when input is + returned in responses. In applications where input retrieval is rare and the environment is + resistant to automated testing (for example, due to a web application firewall), it might be + worth subjecting instances of it to focused manual testing.

+
+ +

Vulnerability classifications

+ + +
+

Request:

+
GET /fes56j3607g3/m3/m-login HTTP/1.1 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/1.1 301 Moved Permanently + Server: awselb/2.0 + Date: Tue, 05 Nov 2024 22:04:46 GMT + Content-Type: text/html + Content-Length: 134 + Connection: close + Location: https://instance.example.com:443/fes56j3607g3/m3/m-login + + <html> + <head><title>301 Moved Permanently</title></head> + <body> + <center><h1>301 Moved Permanently</h1></center> + </body> + </html> +
+
+
+
+ +

Input returned in response (reflected)

+ /fe/m3/m-login + +

Issue detail:

+
+ The value of the URL path folder 2 is copied into the application's response. +
+ +

+ Issue background: +

+
+

Reflection of input arises when data is copied from a request and echoed into the application's + immediate response.

+

Input being returned in application responses is not a vulnerability in its own right. However, + it is a prerequisite for many client-side vulnerabilities, including cross-site scripting, open + redirection, content spoofing, and response header injection. Additionally, some server-side + vulnerabilities such as SQL injection are often easier to identify and exploit when input is + returned in responses. In applications where input retrieval is rare and the environment is + resistant to automated testing (for example, due to a web application firewall), it might be + worth subjecting instances of it to focused manual testing.

+
+ +

Vulnerability classifications

+ + +
+

Request:

+
GET /fe/m3mx6wpfgqge/m-login HTTP/1.1 + Host: instance.example.com + Accept-Encoding: gzip, deflate, br + Accept: + text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) + Chrome/130.0.6723.70 Safari/537.36 + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + Sec-CH-UA: ".Not/A)Brand";v="99", "Google + Chrome";v="130", "Chromium";v="130" + Sec-CH-UA-Platform: Windows + Sec-CH-UA-Mobile: ?0 + +
+
+
+

Response:

+
HTTP/1.1 301 Moved Permanently + Server: awselb/2.0 + Date: Tue, 05 Nov 2024 22:05:07 GMT + Content-Type: text/html + Content-Length: 134 + Connection: close + Location: https://instance.example.com:443/fe/m3mx6wpfgqge/m-login + + <html> + <head><title>301 Moved Permanently</title></head> + <body> + <center><h1>301 Moved Permanently</h1></center> + </body> + </html> +
+
+
+
+ +
+ +
+ + + 
\ No newline at end of file
diff --git a/unittests/tools/test_burp_enterprise_parser.py b/unittests/tools/test_burp_enterprise_parser.py
index b6714fc209f..03213f78ffd 100644
--- a/unittests/tools/test_burp_enterprise_parser.py
+++ b/unittests/tools/test_burp_enterprise_parser.py
@@ -36,31 +36,31 @@ def test_burp_enterprise_with_multiple_vulns(self):
 self.assertEqual("WAF Detected: redacted", finding.title)
 self.assertIn("Fingerprint Details:\n \n WAF Type : redacted\n WAF tech. details : Cloud-based CDN, WAF & DDoS prevention", finding.description)
- # def test_burp_enterprise_with_multiple_vulns_newer_format(self):
- # with open(path.join(path.dirname(__file__), "../scans/burp_enterprise/many_vulns_updated_format.html"), encoding="utf-8") as test_file:
- # parser = BurpEnterpriseParser()
- # findings = parser.get_findings(test_file, Test())
- # for finding in findings:
- # for endpoint in finding.unsaved_endpoints:
- # endpoint.clean()
- # self.assertEqual(12, len(findings))
+ def test_burp_enterprise_with_multiple_vulns_newer_format(self):
+ with open(path.join(path.dirname(__file__), "../scans/burp_enterprise/many_vulns_updated_format.html"), encoding="utf-8") as test_file:
+ parser = BurpEnterpriseParser()
+ findings = parser.get_findings(test_file, Test())
+ for finding in findings:
+ for endpoint in finding.unsaved_endpoints:
+ endpoint.clean()
+ self.assertEqual(12, len(findings))
- # with self.subTest(i=0):
- # finding = findings[0]
- # self.assertEqual("Low", finding.severity)
- # self.assertTrue(finding.dynamic_finding)
- # self.assertEqual(523, finding.cwe)
- # self.assertEqual("Strict transport security not enforced", finding.title)
- # self.assertIn("**Issue description**:\nThe application fails to prevent users from connecting to it over unencrypted connections.", finding.description)
- # self.assertIn("**Issue remediation**:\nThe application should instruct web browsers to only access the application using HTTPS.", finding.impact)
- # self.assertIn("- [HTTP Strict Transport Security](https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security)", finding.references)
- # self.assertEqual(7, len(finding.unsaved_endpoints))
- # self.assertEqual("instance.example.com", finding.unsaved_endpoints[0].host)
+ with self.subTest(i=0):
+ finding = findings[0]
+ self.assertEqual("Low", finding.severity)
+ self.assertTrue(finding.dynamic_finding)
+ self.assertEqual(523, finding.cwe)
+ self.assertEqual("Strict transport security not enforced", finding.title)
+ self.assertIn("**Issue description**:\nThe application fails to prevent users from connecting to it over unencrypted connections.", finding.description)
+ self.assertIn("**Issue remediation**:\nThe application should instruct web browsers to only access the application using HTTPS.", finding.impact)
+ self.assertIn("- [HTTP Strict Transport Security](https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security)", finding.references)
+ self.assertEqual(7, len(finding.unsaved_endpoints))
+ self.assertEqual("instance.example.com", finding.unsaved_endpoints[0].host)
- # with self.subTest(i=5):
- # finding = findings[5]
- # self.assertEqual("Info", finding.severity)
- # self.assertTrue(finding.dynamic_finding)
- # self.assertEqual(116, finding.cwe)
- # self.assertEqual("Content security policy: allows form hijacking", finding.title)
- # self.assertIn("**Issue detail**:\nThe content security policy doesn't prevent form hijacking", finding.description)
+ with self.subTest(i=5):
+ finding = findings[5]
+ self.assertEqual("Info", finding.severity)
+ self.assertTrue(finding.dynamic_finding)
+ self.assertEqual(116, finding.cwe)
+ self.assertEqual("Content security policy: allows form hijacking", finding.title)
+ self.assertIn("**Issue detail**:\nThe content security policy doesn't prevent form hijacking", finding.description)
From 20b88ff0bbe88be85a2a4410e8f28be9f8d611ea Mon Sep 17 00:00:00 2001
From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Date: Thu, 7 Nov 2024 19:36:07 -0600
Subject: [PATCH 4/4] Correct tests
---
 unittests/tools/test_burp_enterprise_parser.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
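Review bot: The re-enabled subtests pin the findings they check by list position (`findings[0]`, `findings[5]`), which couples the test to the parser's iteration order over the report rather than to the finding under test; a later change to ordering or de-duplication would fail these assertions on the wrong finding, or pass on a different one that happens to share a severity. Selecting by title makes the intent explicit, e.g. `finding = next(f for f in findings if f.title == "Strict transport security not enforced")`, with the same pattern for the "Content security policy: allows form hijacking" subtest. The first subtest also checks only the host of `unsaved_endpoints[0]`; asserting its path as well would exercise endpoint extraction for the newer report format, which this commit presumably changes in the parser.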
diff --git a/unittests/tools/test_burp_enterprise_parser.py b/unittests/tools/test_burp_enterprise_parser.py
index 03213f78ffd..ec45b95c2f6 100644
--- a/unittests/tools/test_burp_enterprise_parser.py
+++ b/unittests/tools/test_burp_enterprise_parser.py
@@ -34,7 +34,7 @@ def test_burp_enterprise_with_multiple_vulns(self):
 self.assertTrue(finding.dynamic_finding)
 self.assertIsNone(finding.cwe)
 self.assertEqual("WAF Detected: redacted", finding.title)
- self.assertIn("Fingerprint Details:\n \n WAF Type : redacted\n WAF tech. details : Cloud-based CDN, WAF & DDoS prevention", finding.description)
+ self.assertIn("**Issue detail**:\nFingerprint Details:\n\nWAF Type : redacted\nWAF tech. details : Cloud-based CDN, WAF & DDoS prevention", finding.description)
 def test_burp_enterprise_with_multiple_vulns_newer_format(self):
 with open(path.join(path.dirname(__file__), "../scans/burp_enterprise/many_vulns_updated_format.html"), encoding="utf-8") as test_file: