Posted to dev@ambari.apache.org by Keta Patel <ke...@gmail.com> on 2016/04/05 22:31:56 UTC

cross-site vulnerability of APIs

Hello all,
I recently encountered a couple of APIs which were vulnerable to cross-site
scripting attacks through parameters like "description" or "name". These
parameters are passed in directly to server-side code and stored in the
database. The UI validation at present only checks for the length of the
input text. There needs to be a more robust server-side validation to
handle XSS attacks.

Could somebody please help me by pointing out if there is an existing way
to handle this vulnerability, or whether it must be handled from scratch?

Thanks in advance!
Keta
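
The situation described in the post, as an added illustration that is not from the thread or from the Ambari code base (Ambari itself is Java; this is a stand-alone Python sketch): a length-only check accepts a markup payload in "description" or "name", while a server-side allow-list for identifier fields and HTML escaping of free text at render time neutralise it. The field names, limits and pattern are assumptions.

```python
import html
import re

# Constructed sample of the kind of value the post describes: it fits
# comfortably within a length limit, so a length-only check passes it.
SAMPLE_DESCRIPTION = 'Cluster for QA <script>alert("xss")</script>'

MAX_LEN = 255  # assumed description limit
# Assumed allow-list for identifier-style fields such as "name".
NAME_PATTERN = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def length_only_check(value: str) -> bool:
    """Reproduces the UI-side check the post describes: length only."""
    return 1 <= len(value) <= MAX_LEN


def validate_name(value: str) -> bool:
    """Server-side allow-list: identifiers never need markup characters."""
    return NAME_PATTERN.fullmatch(value) is not None


def validate_description(value: str) -> bool:
    """Free text is allowed, but the limit is enforced on the server too."""
    return length_only_check(value)


def render_html(value: str) -> str:
    """Escape stored free text at output time so it is displayed, not run."""
    return html.escape(value, quote=True)


def handle_create_request(params: dict) -> dict:
    """Simulated server-side handler: validate on input, escape on output."""
    name = params.get("name", "")
    description = params.get("description", "")
    errors = []
    if not validate_name(name):
        errors.append("name: only letters, digits, '.', '_' and '-' (max 64)")
    if not validate_description(description):
        errors.append(f"description: 1..{MAX_LEN} characters")
    if errors:
        return {"status": 400, "errors": errors}
    # Store the raw value so the database keeps what the user sent, and
    # escape whenever it is embedded in an HTML page.
    return {
        "status": 201,
        "stored": {"name": name, "description": description},
        "description_html": render_html(description),
    }
```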

Re: cross-site vulnerability of APIs

Posted by Hitesh Shah <hi...@apache.org>.
Vulnerabilities should not be exposed on public mailing lists without giving a project the chance to patch vulnerable released versions. Please report such vulnerabilities to security@apache.org or private@ambari.apache.org. 

http://www.apache.org/security/#reporting-a-vulnerability

thanks
— Hitesh