Are WebForms JavaScript scripts secure?

MrD 1 Reputation point
2022-05-12T16:01:17.957+00:00

I did a security scan on an app that uses WebForms. I found 10 security-related issues in several JavaScript files. I have not modified these scripts in any way. Can these issues be considered false positives? Most of the issues raised by the security report are "function embeds untrusted data in the generated output" and "an unsafe object assignment occurred". Here is a list of the JavaScript files from the CDN:

https://ajax.aspnetcdn.com/ajax/4.5.1/1/SmartNav.js

https://ajax.aspnetcdn.com/ajax/4.5.1/1/WebParts.js

https://ajax.aspnetcdn.com/ajax/4.5.1/1/MicrosoftAjaxHistory.js

https://ajax.aspnetcdn.com/ajax/4.5.1/1/MicrosoftAjax.js

And I do see these files being referenced in BundleConfig.cs. Here are the ten issues from the security report. These are marked as "High" risk:

[1] The application's function embeds untrusted data in the generated output with href, at line 34 of \Scripts\WebForms\SmartNav.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.

[2] The application's WebPartManager_InitiateWebPartDragDrop embeds untrusted data in the generated output with appendChild, at line 453 of \Scripts\WebForms\WebParts.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.

[3] The application's function embeds untrusted data in the generated output with write, at line 230 of \Scripts\WebForms\MSAjax\MicrosoftAjaxHistory.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.

[4] The application's function embeds untrusted data in the generated output with write, at line 3411 of \Scripts\WebForms\MSAjax\MicrosoftAjax.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.

[5] The application's function embeds untrusted data in the generated output with write, at line 230 of \Scripts\WebForms\MSAjax\MicrosoftAjaxHistory.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.

[6] The application's function embeds untrusted data in the generated output with write, at line 3411 of \Scripts\WebForms\MSAjax\MicrosoftAjax.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.

[7] An unsafe object assignment occurred in \Scripts\WebForms\MSAjax\MicrosoftAjaxHistory.js at line 100. Assigning external properties without validation may allow object properties pollution and affect application's normal behavior.

[8] An unsafe object assignment occurred in \Scripts\WebForms\MSAjax\MicrosoftAjax.js at line 3281. Assigning external properties without validation may allow object properties pollution and affect application's normal behavior.

[9] An unsafe object assignment occurred in \Scripts\WebForms\MSAjax\MicrosoftAjaxHistory.js at line 100. Assigning external properties without validation may allow object properties pollution and affect application's normal behavior.

[10] An unsafe object assignment occurred in \Scripts\WebForms\MSAjax\MicrosoftAjax.js at line 3281. Assigning external properties without validation may allow object properties pollution and affect application's normal behavior.

I am hoping these JavaScript files are safe to use. Let me know what your thoughts are on these JavaScript security issues.

Thanks.


2 answers

  1. Lan Huang-MSFT 24,461 Reputation points Microsoft Vendor
    2022-05-13T03:09:16.687+00:00

    Hi @MrD ,
    JavaScript security is related to investigating, preventing, protecting, and resolving security issues in applications where JavaScript is used.
    Common JavaScript security vulnerabilities:

    • Cross-site scripting (XSS)
    • Cross-site request forgery (CSRF)
    • Components with known vulnerabilities
    • SQL Injection
    • Sensitive cookie exposure
    • Reliance on client-side validation alone

    JavaScript security best practices

    • Avoid eval(): Don't utilize this command in code, since it simply executes the passed argument if it is a JavaScript expression. This means if the hacker succeeds in manipulating an input value, he or she will be able to run any script they want. Instead, opt for alternative options that are more secure.
    • Encrypt: Use HTTPS/SSL to encrypt data exchanged between the client and the server.
    • Set secure cookies: To ensure SSL/HTTPS is in use, set your cookies as “secure,” which limits the use of your application’s cookies to only secure web pages.
    • Set API access keys: Assign individual tokens for each end user. If these tokens don't match up, access can be denied or revoked.
    • Use safe methods of DOM manipulation: Methods such as innerHTML are powerful and potentially dangerous, as they don't limit or escape/encode the values that are passed to them. Using a method like innerText instead provides inherent escaping of potentially hazardous content. This is particularly useful in preventing DOM-based XSS attacks.
    • Avoid using inline JavaScript and establish a Content Security Policy.
    • Minify, bundle, and obfuscate your JavaScript code.

    Best regards,
    Lan Huang


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
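The two finding types in the report ("unsafe object assignment" and "embeds untrusted data in the generated output with href/write") and the answer's advice on safe output are illustrated below in an added example that is not from the question, the answers, or the Microsoft Ajax files; the function names are hypothetical, and the unsafe pattern mirrors the scanner's description rather than the vendor code itself:

```javascript
// Added example, not from the question, the answers or the Microsoft Ajax files.
// Hypothetical names: unsafeAssign, safeAssign, pollutionCheck, escapeHtml, renderLink.
// "Unsafe object assignment": copies every enumerable key of an external object,
// including "__proto__", so a nested value can land on Object.prototype.
function unsafeAssign(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === 'object') {
      target[key] = target[key] || {};
      unsafeAssign(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Guarded form: own keys only, prototype-affecting names skipped.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeAssign(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : null;
      target[key] = safeAssign(own && typeof own === 'object' ? own : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one assign function on a constructed input, reports whether
// Object.prototype was polluted, and undoes the change before returning.
function pollutionCheck(assign) {
  const external = JSON.parse('{"__proto__": {"polluted": true}}'); // constructed
  assign({}, external);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}

// "Embeds untrusted data in the generated output": encode before building
// markup, and accept only http(s) URLs for href (what finding [1] concerns).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderLink(href, label) {
  const safeHref = /^https?:\/\//i.test(href) ? href : '#';
  return `<a href="${escapeHtml(safeHref)}">${escapeHtml(label)}</a>`;
}
```

Whether the vendor scripts actually reach these sinks with attacker-controlled data is what decides a true versus false positive; the scanner only reports that the sink and an unvalidated source are present on the same path.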


  2. Emelia Clark 0 Reputation points
    2023-03-06T11:05:30.8933333+00:00

    The security of JavaScript scripts used in WebForms depends on how the scripts are implemented and the measures taken to prevent security vulnerabilities.

    JavaScript can potentially introduce security vulnerabilities such as cross-site scripting (XSS) attacks or injection attacks. However, web developers can take steps to mitigate these risks by properly validating user input, sanitizing data, and using security frameworks and libraries.

    It is important to ensure that any third-party scripts used in WebForms are obtained from trusted sources and regularly updated to address any security issues. Additionally, using HTTPS encryption can help protect against man-in-the-middle attacks and other types of attacks.

    I had previously utilized JavaScript for a game website, but due to potential security concerns, I decided to remove it from the project. In place of JavaScript, we have now created a custom Python script that is performing even better than our previous Java implementation.

    In summary, JavaScript scripts used in WebForms can be made secure through proper implementation and adherence to security best practices.
