You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@cordova.apache.org by "Ajay Gupta (JIRA)" <ji...@apache.org> on 2016/09/25 14:31:20 UTC

[jira] [Created] (CB-11900) Cordova security vulnerability: Insufficint input validations

Ajay Gupta created CB-11900:
-------------------------------

             Summary: Cordova security vulnerability: Insufficint input validations
                 Key: CB-11900
                 URL: https://issues.apache.org/jira/browse/CB-11900
             Project: Apache Cordova
          Issue Type: Bug
          Components: CordovaJS
            Reporter: Ajay Gupta


In a recent veracode scan of the mobile application, we found a medium vulnerability:

Insufficient Input validation 

Description:
Weaknesses in this category are related to an absent or incorrect protection mechanism that fails to properly validate input that can affect the control flow or data flow to a program.

Recommendations
Validate input from untrusted sources before it is used. 

Associated flaws by CWE ID: 
URL redirection to untrusted sitte ('open redirect') (CWE ID 601)

Description
A web application accepts a user-controlled input that specifies a link to an external site and uses that link to generate a redirect.  This enables phishing attack.

Recommendation is to always validate user-supplied input to ensure it confirms to the expected format, using centralized data validation routines when possible.   Check the supplied URL against a whitelist of approved URLs or domains before redirecting.

InAppBrowser.java: 447 and 449





--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org