DavidGalvan-1105 asked Aaron346-8268 commented

Are WebForms JavaScript scripts secure?

I did a security scan on an app that uses WebForms. I found 10 security-related issues in several JavaScript files. I have not modified these scripts in any way. Can these issues be considered false positives? Most of the issues raised by the security report are "function embeds untrusted data in the generated output" and "an unsafe object assignment occurred". Here is a list of the JavaScript files from the CDN:

https://ajax.aspnetcdn.com/ajax/4.5.1/1/SmartNav.js

https://ajax.aspnetcdn.com/ajax/4.5.1/1/WebParts.js

https://ajax.aspnetcdn.com/ajax/4.5.1/1/MicrosoftAjaxHistory.js

https://ajax.aspnetcdn.com/ajax/4.5.1/1/MicrosoftAjax.js

And I do see these files being referenced in Bundle.Config.cs. Here are the ten issues from the security report. These are marked as "High" risk:

[1] The application's function embeds untrusted data in the generated output with href, at line 34 of \Scripts\WebForms\SmartNav.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.

[2] The application's WebPartManager_InitiateWebPartDragDrop embeds untrusted data in the generated output with appendChild, at line 453 of \Scripts\WebForms\WebParts.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.

[3] The application's function embeds untrusted data in the generated output with write, at line 230 of \Scripts\WebForms\MSAjax\MicrosoftAjaxHistory.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.

[4] The application's function embeds untrusted data in the generated output with write, at line 3411 of \Scripts\WebForms\MSAjax\MicrosoftAjax.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.

[5] The application's function embeds untrusted data in the generated output with write, at line 230 of \Scripts\WebForms\MSAjax\MicrosoftAjaxHistory.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.

[6] The application's function embeds untrusted data in the generated output with write, at line 3411 of \Scripts\WebForms\MSAjax\MicrosoftAjax.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.

[7] An unsafe object assignment occurred in \Scripts\WebForms\MSAjax\MicrosoftAjaxHistory.js at line 100. Assigning external properties without validation may allow object properties pollution and affect application's normal behavior.

[8] An unsafe object assignment occurred in \Scripts\WebForms\MSAjax\MicrosoftAjax.js at line 3281. Assigning external properties without validation may allow object properties pollution and affect application's normal behavior.

[9] An unsafe object assignment occurred in \Scripts\WebForms\MSAjax\MicrosoftAjaxHistory.js at line 100. Assigning external properties without validation may allow object properties pollution and affect application's normal behavior.

[10] An unsafe object assignment occurred in \Scripts\WebForms\MSAjax\MicrosoftAjax.js at line 3281. Assigning external properties without validation may allow object properties pollution and affect application's normal behavior.

I am hoping these JavaScript files are safe to use. Let me know what your thoughts are on these JavaScript security issues.

Thanks.


Thanks for sharing. You have done great research. I was using JavaScript for a secret apk site, but it was showing some risk, so that's why I removed it from my project. Instead of Java, we have now developed a custom Python script which performs better than the Java one.


1 Answer

LanHuang-MSFT answered DavidGalvan-1105 commented

Hi @DavidGalvan-1105,
JavaScript security is related to investigating, preventing, protecting, and resolving security issues in applications where JavaScript is used.
Common JavaScript security vulnerabilities:

  • Cross-site scripting (XSS)

  • Cross-site request forgery (CSRF)

  • Components with known vulnerabilities

  • SQL Injection

  • Sensitive cookie exposure

  • Reliance on client-side validation alone

JavaScript security best practices

  • Avoid eval(): Don't use this function in code, since it simply executes the passed argument if it is a JavaScript expression. This means that if an attacker succeeds in manipulating the input value, he or she will be able to run any script he or she wants. Instead, opt for alternatives that are more secure.

  • Encrypt: Use HTTPS/SSL to encrypt data exchanged between the client and the server.

  • Set secure cookies: To ensure SSL/HTTPS is in use, set your cookies as “secure,” which limits the use of your application’s cookies to only secure web pages.

  • Set API access keys: Assign individual tokens to each end user. If these tokens don't match up, access can be denied or revoked.

  • Use safe methods of DOM manipulation: Methods such as innerHTML are powerful and potentially dangerous, as they don't limit or escape/encode the values that are passed to them. Using a method like innerText instead provides inherent escaping of potentially hazardous content. This is particularly useful in preventing DOM-based XSS attacks.

  • Avoid using inline JavaScript and establish a Content Security Policy.

  • Minify, bundle, and obfuscate your JavaScript code.

Best regards,
Lan Huang


If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
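The scan in the question flags two finding classes, untrusted data reaching a DOM sink such as href and unvalidated object assignment, and the answer recommends safe DOM methods. The following is an added example, not code from the thread or from the ASP.NET scripts, showing what a hardened version of each operation looks like; the names safeAssign and safeHref and the base URL https://app.example/ are constructed for illustration.

```javascript
// Keys that, if copied from external input, let a plain assignment reach
// the prototype chain instead of the target object itself.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Finding class "unsafe object assignment": copy externally supplied
// properties onto a target without touching Object.prototype. Only own,
// enumerable keys are copied, prototype-walking keys are dropped, and nested
// objects are merged into an own property of the target, never an inherited one.
function safeAssign(target, source) {
  if (source === null || typeof source !== "object") return target;
  const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      const nested = hasOwn(target, key) && typeof target[key] === "object"
        ? target[key]
        : {};
      target[key] = safeAssign(nested, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Finding class "embeds untrusted data in the generated output with href":
// the property that matters for script injection is the URL scheme, so an
// untrusted link target is accepted only when it resolves to http(s); anything
// else (javascript:, data:, unparsable input) collapses to a harmless anchor.
function safeHref(untrusted, base = "https://app.example/") {
  let url;
  try {
    url = new URL(String(untrusted), base); // base resolves relative paths
  } catch {
    return "#";
  }
  return url.protocol === "http:" || url.protocol === "https:" ? url.href : "#";
}
```

If external links are not expected, tighten safeHref further by also requiring `url.origin` to equal the origin of `base`.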


The question I really have is this: are the security issues raised by a security scan of the scripts above considered "false positives"?
