kendo.aspnetmvc.min.js file showing Prototype Pollution and Client DOM XSS error on security scan.

0 Answers 17 Views
Application General Discussions
AJ
Top achievements
Rank 1
AJ asked on 11 Mar 2022, 04:20 PM

I have the following script tags in my .NET framework file 

<script src="~/Scripts/kendo2020/2020.3.1021/jquery.min.js"></script>
<script src="~/Scripts/kendo2020/2020.3.1021/kendo.all.min.js"></script>
<script src="~/Scripts/kendo2020/2020.3.1021/kendo.aspnetmvc.min.js"></script>
<script src="~/Scripts/kendo2020/2020.3.1021/jszip.min.js"></script>
<script src="~/Scripts/jquery.blockUI.js"></script>
<script src="~/Scripts/jquery.cookie-1.4.1.min.js"></script>

The JQuery version I am using is 3.5.1.

I have also added the following snippet under the WebConfig file.

<appSettings>
    <add key="Telerik.ScriptManager.EnableEmbeddedjQuery" value="false" />
</appSettings>

 

When I run a security scan, it flags the aspnetmvc.min.js file with Client DOM XSS and Prototype Pollution vulnerabilities.

Is there a way to fix it?

Ianko
Telerik team
commented on 16 Mar 2022, 09:09 AM

Hi AJ, 

Can run a scan over a non-minified version of the file so that you can share which is the piece of code the report is addressing? Also, share the security report tool you are using? 

Currently, there are reports from the Checmarxx security tool related to this file that comes from the serve-side binding of the Grid and it is a false-positive report. 

AJ
Top achievements
Rank 1
commented on 16 Mar 2022, 09:25 AM

I am using the Checkmarx Security tool but I don't have the non-minified version of the aspnetmvc file.But if it's a false positive then I think we could work with that.
Ianko
Telerik team
commented on 17 Mar 2022, 07:46 AM

If it is Checkmarxx, the report about this file is false-positive and it is related to this feature here: https://demos.telerik.com/aspnet-mvc/grid/serverbinding. The feature is about dynamically changing the location URL so that it can accomplish server-side operation. 

Here you are the official response about this report: 

"This part of the code is used only in one scenario, a grid with server binding, and in this case, we do need to alter the parameters in order to reflect the changes to the UI. The URL is generated depending on the grid's state, thus the data is again safe. Nevertheless, if you are not using server binding, this piece of code will never run."

Note, that Checkmarxx scans the code only and reports potential vulnerabilities based on code. It does not report vulnerabilities that are effective.

No answers yet. Maybe you can help?

Tags
Application General Discussions
Asked by
AJ
Top achievements
Rank 1
Share this question
or