ZAP: high security risk

2 posts, 0 answers
  1. Daniele Bruno
    22 posts
    Member since: Apr 2009

    Posted 03 Oct

    Hi,

    We test our Kendo-based application with the ZAP security scanner tool. It reports one high security risk caused by the kendo.all.min.js file.

    Description
    Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs.
    URL
    https://service.cboxcloud.com/api/kendo/kendo.all.min.js;sleep%20%7B0%7Ds;
    Parameter
    kendo.all.min.js
    Attack
    kendo.all.min.js;sleep {0}s;
    Solution
    If at all possible, use library calls rather than external processes to recreate the desired functionality.
    Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by your software....

    Does anyone know how to reduce or eliminate this risk?

  2. Dimo
    Admin
    8330 posts

    Posted 05 Oct

    Hi Daniele,

    Thank you for the feedback.

    In order to investigate your report properly, we will need more information. Please do the following:

    - download the Kendo UI source code from Your Account
    http://screencast.com/t/y38boBXsF

    - test with the non-minified kendo.all.js script file

    - specify on which line in the JS file the issue is reported to exist and paste the line content here

    - describe a valid use case that can be exploited

    Based on our experience, almost all security risk reports that we receive are false positives; for example, we cannot think of any "operating system commands" that we are building in our JavaScript code. Nevertheless, we will readily review your updated report. Thank you in advance.

    Regards,
    Dimo
    Telerik by Progress
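One way to triage a report like this, as an added example that is not from either poster or from Telerik: it decodes the probe in the alert URL, shows the command that a handler concatenating the request path into a shell would have run (built as a string only, never executed), and beside it a handler that serves the bundle with library calls and a containment check, which is what the scanner's Solution text recommends. The /api/kendo/ route prefix, the temporary asset directory with a stand-in kendo.all.min.js, and both handlers are assumptions; if the real server is a plain static-file handler, the second case is the one in play and the alert is a false positive.

```python
import os
import tempfile
from urllib.parse import unquote, urlsplit

# Constructed from the alert in the post: a shell probe appended to a static asset path.
ALERT_URL = "https://service.cboxcloud.com/api/kendo/kendo.all.min.js;sleep%20%7B0%7Ds;"
ROUTE_PREFIX = "/api/kendo/"          # assumed route that serves the Kendo bundle
SHELL_METACHARS = set(";|&`$(){}<>\n\r")

def asset_name(url: str):
    """Percent-decode the request path and strip the route prefix: what the handler actually sees.
    The report shows ZAP's payload template; the time-based probe substitutes a delay for {0}."""
    path = unquote(urlsplit(url).path)
    return path[len(ROUTE_PREFIX):] if path.startswith(ROUTE_PREFIX) else None

def is_injection_probe(name: str) -> bool:
    """A real asset name never carries shell metacharacters; ';sleep {0}s;' does."""
    return any(ch in SHELL_METACHARS for ch in name)

def vulnerable_command(base_dir: str, url: str) -> str:
    """The command a handler that pastes the name into a shell would run (built here, never executed):
    ';' ends 'cat' and 'sleep' runs, producing the delay ZAP measures. That is the true-positive case."""
    return "cat " + os.path.join(base_dir, asset_name(url) or "")

def resolve_asset(base_dir: str, url: str):
    """Safe handler: library calls only, no shell. Returns the file path, or None when the name is
    a probe, escapes base_dir after symlink resolution, or does not exist."""
    name = asset_name(url)
    if not name or is_injection_probe(name):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None

def triage_alert(url: str = ALERT_URL) -> dict:
    """Run both handlers against a constructed asset directory holding a stand-in kendo.all.min.js."""
    origin = "https://service.cboxcloud.com"
    with tempfile.TemporaryDirectory() as base_dir:
        with open(os.path.join(base_dir, "kendo.all.min.js"), "w") as f:
            f.write("/* constructed stand-in for the real bundle */\n")
        return {
            "decoded_probe": asset_name(url),
            "vulnerable_command": vulnerable_command(base_dir, url),
            "probe_served": resolve_asset(base_dir, url) is not None,
            "clean_served": resolve_asset(base_dir, origin + ROUTE_PREFIX + "kendo.all.min.js") is not None,
            "traversal_served": resolve_asset(base_dir, origin + ROUTE_PREFIX + "../../etc/passwd") is not None,
        }
```

Call `triage_alert()` to get the five results; the safe handler refuses both the probe and the traversal path while still serving the clean bundle name.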