Hi,
I am using Kendo UI controls for my MVC application. I am using "kendo.aspnetmvc.min.js" on my ASP.NET view. When my application is tested for security issues by Burp (https://portswigger.net/burp/), the issue "Open redirection (DOM-based)" is reported in "kendo.aspnetmvc.min.js". The issue is reported because this JS manipulates the URL as shown below. Please help me understand how we can resolve this security issue.
;i=location.search.replace(a,"").replace("?",""),i.length&&!/&$/.test(i)&&(i+="&"),t=this.setup(t,"read"),n=t.url,n.indexOf("?")>=0?(i=i.replace(/(.*?=.*?)&/g,function(e){return n.indexOf(e.substr(0,e.indexOf("=")))>=0?"":e}),n+="&"+i):n+="?"+i,n+=e.map(t.data,function(e,t){return t+"="+e}).join("&"),location.href=n
Thanks,
Alpesh.
(alpesh.chavda@allscripts.com)
12 Answers, 1 is accepted
The relevant part of our source code is used when a Kendo UI Grid widget is server-bound, and data operations (paging, sorting, etc) reload the whole web page. The code takes the query string portion of the current URL, manipulates some of the parameter values (e.g. the page number) and sets it as a new location.href. So, in standard scenarios, the same page will be loaded, but with different query string parameters (which should be subject to server-side validation as a best practice anyway). In theory, it is possible to configure a different URL rather than the current page in the Grid DataSource settings, however, this is under developer control. If the configured URL is changed by a third party, this means that the application is already compromised.
In conclusion, we do not see any justifiable reason for concern and you can mark this as a false positive. Let me know if you can think of an exception to this statement.
Regards,
Dimo
Telerik by Progress
Hi Dimo,
Is "kendo.aspnetmvc.min.js" used by the Kendo Grid control only, or do other Kendo controls also use this JavaScript? Is the Kendo Grid control using "kendo.aspnetmvc.min.js" only for paging and sorting?
I checked the behavior of the Kendo Grid control in my application. As per my observation, when I used the paging and sorting functionality, an AJAX "POST" request is sent with the page number, page size and sort field parameters (it is not sending a "GET" request with the page number and other parameters). On the server side, in the Controller, the "DataSourceRequest request" object contains these values and they are used in the code to return appropriate data to the view. The URL is not getting changed at all here because a "POST" request is being sent to the URL. Please confirm that my observation is correct.
If the above understanding is correct, I just need to validate the values - page number, page size and sort field - which are sent in the "POST" request (whether they contain valid values). Please confirm that my understanding is correct. Do you think I need to perform any other validation?
Thanks,
Alpesh.
kendo.aspnetmvc.min.js is used by practically all databound widgets which bind to data from an action method that uses ToDataSourceResult().
kendo.aspnetmvc.min.js defines internal Kendo UI DataSource types, namely "aspnetmvc-ajax" and "webapi". If the file is missing when needed, you will get an error like this:
http://docs.telerik.com/kendo-ui/troubleshoot/troubleshooting-common-issues#unknown-datasource-transport-type-json-warning-is-displayed
All data operations are involved - sorting, paging, filtering, grouping, aggregates. However, if server-side data operations are disabled, the DataSource will not send parameters to the server and will perform the operations on the client.
http://docs.telerik.com/aspnet-mvc/helpers/grid/binding/ajax-binding#enable-client-data-processing
Regards,
Dimo
Telerik by Progress
Burp is reporting the Open redirection (DOM-based) issue in "kendo.aspnetmvc.min.js" in my application. I have provided the sample code of the Kendo Grid below from the page where this JavaScript is used.
Please let me know how I can alleviate this Burp issue.
Are you doing any validation of the URL on the client side in your JavaScript? If I need to validate something on the server side, please let me know what I need to validate on the server.
We are using Kendo controls in our application. Our client has scanned our application using Burp and they are asking for a resolution or remediation of this security issue ASAP. We have tight deadlines and we need to conclude on this ASAP. If this is not the official way to discuss this issue, please let me know. I am from Allscripts and we have a license for Kendo. If I can open a support case and get a quicker response that way, please let me know. If you require a WebEx call and/or screen-sharing session, I can schedule one for you. I think we have been communicating on this for a few days, but we are getting nowhere. I need to wrap this up ASAP. Please help me with this.
@(Html.Kendo().Grid<BusinessObject>()
.Name("Grid")
.Columns(columns =>
{
columns.Bound(o => o.Source).Title("Title").Visible(false);
columns.Bound(o => o.Name).ClientTemplate(
"<div class='table-responsive' id='table_patient'><table class='table'><tbody><tr><td><div class='MainItemClass'>#= Name #</div></td></tr><tr><td>#=kendo.toString(CreatedDate)# </td></tr></tbody> </table> </div> ");
})
.Pageable(pageable => pageable
.Refresh(true)
.PageSizes(true)
.ButtonCount(5))
.Sortable()
.ColumnMenu()
.Filterable()
.ClientDetailTemplateId("childGridTemplate")
.Editable(editable => editable.Mode(GridEditMode.PopUp))
.DataSource(dataSource => dataSource
.Ajax()
.PageSize((int)ViewBag.PageSizeNo)
.Events(events => events.Error("error_handler"))
.Read(read => read.Action("ActionName", "ControllerName").Data("ReadRequestFromDate"))
.Model(model => model.Id(p => p.Name))
)
.Events(events => events.DataBound("dataBound"))
.Resizable(resize => resize.Columns(true))
)
Thanks,
Alpesh.
Thanks for the follow-up and additional details.
The provided Grid declaration reveals that the widget is Ajax-bound, which means that the script that triggers the security tool warning is actually never executed.
We have received several reports about open DOM-based redirection recently. Our official position is that this should be treated as a false positive and we have documented the case here:
http://docs.telerik.com/aspnet-mvc/troubleshoot/troubleshooting#dom-based-open-redirection-issue-in-kendoaspnetmvcminjs-is-reported
My recommendation is to configure the security tool to ignore this in future tests.
We review all reports generated by automated security tools, but in this particular case, we have not found a reason for concern, and moreover, nobody has managed to produce a working exploit based on the assumed weakness in question. This is an important detail, which security analysts always provide with their reports. It ensures they're not false positives and enables us to quickly debug and address the issue.
With regard to validation, it is always a best practice to validate all submitted parameters from the client, because a malicious user can always fabricate a request that might be harmful.
Regards,
Dimo
Telerik by Progress
Hi,
In our recent vulnerability scan, both were tagged for A3-Cross-Site Scripting (XSS):
kendo.dataviz.map.min.js - location
kendo.aspnetmvc.min.js - href, replace
Can you verify if this is true or just a false positive? Thank you!
Other findings:
kendo.dataviz.gauge.min.js - A7-Cross-Site Scripting - "text, append"
kendo.dataviz.map.min.js - A1-Injection - "jsonp"
Hi,
We have been receiving and reviewing similar vulnerability scan reports, and so far all of them appeared to be false positives. If you need to check yours more deeply, please run the scan over the non-minified versions of the Kendo JavaScript files, which can be found in your Telerik account, and submit a separate support ticket with them so we can review them separately.
Regards,
Plamen
Progress Telerik
Virtual Classroom, the free self-paced technical training that gets you up to speed with Telerik and Kendo UI products quickly just got a fresh new look + new and improved content including a brand new Blazor course! Check it out at https://learn.telerik.com/.
Hi Admin,
Please find details on the vulnerability finding. Hopefully, I can get explanation about this. Thank you.
1.) kendo.dataviz.map.min.js
Message:
The application's n.location embeds untrusted data in the generated output with location, at line 1263 of \Scripts\kendo\kendo.dataviz.map.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
renderTooltip: function() {
    var e, t, n = this,
        i = n.options.title,
        r = n.options.tooltip || {};
    r && c && (e = r.template, e && (t = a.template(e), r.content = function(e) {
        return e.location = n.location(), e.marker = n, t(e)
    }), (i || r.content || r.contentUrl) && (this.tooltip = new c(this.element, r), this.tooltip.marker = this))
2.) kendo.dataviz.map.min.js
Message:
An explicit filename is not defined for the Content-Disposition header in line 1077 at file Source\Scripts\kendo\kendo.dataviz.map.min.js. Filename attribute is required in order to prevent the browser from assuming the resource is an executable and download a possibly malicious file.
_fetchMetadata: function() {
    var t = this.options;
    if (!t.key) throw Error("Bing tile layer: API key is required");
    e.ajax({
        url: t.baseUrl + t.imagerySet,
        data: {
            output: "json",
            include: "ImageryProviders",
            key: t.key,
            uriScheme: this._scheme(window.location.protocol)
        },
        type: "get",
        dataType: "jsonp",
3.) kendo.dataviz.gauge.min.js
Message:
The application's s.append embeds untrusted data in the generated output with append, at line 40 of \Scripts\kendo\kendo.dataviz.gauge.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
!function(e, define) {
    define(["./kendo.dataviz.core.min", "./kendo.drawing.min", "./kendo.dataviz.themes.min"], e)
}(function() {
    return function(e, t) {
        function n(e, t) {
            var n = e.box,
                i = e.children[0].box,
                o = t.border || {},
                a = t.background || "",
                s = new A,
                l = M.fromRect(new I([n.x1, n.y1], [n.width(), n.height()]), {
                    stroke: {}
                }),
                c = new E(e.text, new D(i.x1, i.y1), {
                    font: t.font,
                    fill: {
                        color: t.color
                    }
                }),
                d = r(c.bbox().clone(), t.padding),
                u = M.fromRect(d, {
                    stroke: {
                        color: o.width ? o.color : "",
                        width: o.width,
                        dashType: o.dashType,
                        lineJoin: "round",
                        lineCap: "round"
                    },
                    fill: {
                        color: a
                    }
                });
            return s.append(l), s.append(u), s.append(c), s
        }
Some more here ...
kendo.dataviz.map.min.js
Message:
The potentially tainted value provided by location in I\Scripts\kendo\kendo.dataviz.map.min.js at line 1239 is used as a destination URL by location in I\Scripts\kendo\kendo.dataviz.map.min.js at line 1263, potentially allowing attackers to perform an open redirection.
location: function(e) {
    return e ? (this.options.location = f.create(e).toArray(), this.layer && this.layer.update(this), this) : f.create(this.options.location)
},
kendo.router.min.js
Message:
The potentially tainted value provided by location in \Scripts\kendo\kendo.router.min.js at line 12 is used as a destination URL by replace in Scripts\kendo\kendo.router.min.js at line 60, potentially allowing attackers to perform an open redirection.
},
replaceLocation: function(e) {
    f.replace(e)
}
kendo.aspnetmvc.min.js
The potentially tainted value provided by replace in \Scripts\kendo\kendo.aspnetmvc.min.js at line 199 is used as a destination URL by href in \Scripts\kendo\kendo.aspnetmvc.min.js at line 199, potentially allowing attackers to perform an open redirection.
read: function(t) {
    var n, i, r = this.options.prefix,
        o = [r + "sort", r + "page", r + "pageSize", r + "group", r + "aggregate", r + "filter"],
        a = RegExp("(" + o.join("|") + ")=[^&]*&?", "g");
    i = location.search.replace(a, "").replace("?", ""),
    i.length && !/&$/.test(i) && (i += "&"),
    t = this.setup(t, "read"),
    n = t.url,
    n.indexOf("?") >= 0 ? (i = i.replace(/(.*?=.*?)&/g, function(e) {
        return n.indexOf(e.substr(0, e.indexOf("="))) >= 0 ? "" : e
    }), n += "&" + i) : n += "?" + i,
    n += e.map(t.data, function(e, t) {
        return t + "=" + e
    }).join("&"),
    location.href = n
Hi,
Thank you for sharing the code. Based on it we can tell that similar issues have been reported to us and all of them were false positives. If you want us to inspect each issue more deeply, please submit a support ticket with the exact files that you have scanned, so we are able to once again review the warnings against all of the code and be more descriptive in our answer.
Regards,
Plamen
Progress Telerik
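The query-string manipulation that Dimo describes in his first answer and that the scan report quotes above (the "read" transport that ends in location.href = n), as an added example that is not part of this thread and not Kendo's own code: a readable reconstruction of the URL building, written as a pure function so it can run outside a browser, followed by the same-origin check a reviewer can use to confirm where the one attacker-reachable input (location.search) can and cannot send the browser. The page URL https://app.example.test/Orders/Index, the query strings and the read URLs are constructed for the example; the prefix is passed explicitly and defaults to "" here for brevity, which is a simplification of the example and not a statement about Kendo's default.

```javascript
// Added example, not Kendo's source: a readable reconstruction of the URL
// building in the flagged "read" transport of kendo.aspnetmvc.min.js, plus a
// same-origin check. All inputs (page URL, query strings, read URLs) are
// constructed for this example.

const DATA_OPERATION_KEYS = ["sort", "page", "pageSize", "group", "aggregate", "filter"];

// Mirrors the flagged logic: strip the previous data-operation parameters from
// the current query string, merge the remainder with the configured read URL,
// then append the new operation parameters (page, pageSize, ...).
// `search` stands in for location.search; the caller decides what to do with
// the returned string instead of assigning location.href directly.
function buildReadUrl(search, baseUrl, data, prefix = "") {
  const keys = DATA_OPERATION_KEYS.map((k) => prefix + k);
  const stripper = new RegExp("(" + keys.join("|") + ")=[^&]*&?", "g");

  let carried = search.replace(stripper, "").replace("?", "");
  if (carried.length && !/&$/.test(carried)) carried += "&";

  let url = baseUrl;
  if (url.indexOf("?") >= 0) {
    // Drop carried-over parameters whose name already appears in the read URL.
    carried = carried.replace(/(.*?=.*?)&/g, (param) =>
      url.indexOf(param.substr(0, param.indexOf("="))) >= 0 ? "" : param
    );
    url += "&" + carried;
  } else {
    url += "?" + carried;
  }
  // Values are concatenated without encoding, as in the original.
  url += Object.entries(data).map(([k, v]) => k + "=" + v).join("&");
  return url;
}

// Resolve the candidate the way the browser would and report whether the
// navigation stays on the current origin. Anything taken from location.search
// can only ever land in the query component of the result, so a cross-origin
// destination can only come from the configured read URL itself.
function classifyNavigation(candidate, currentHref) {
  const current = new URL(currentHref);
  const target = new URL(candidate, currentHref);
  return { href: target.href, sameOrigin: target.origin === current.origin };
}

// The guard a page can apply before assigning location.href: returns the
// resolved URL, or null when the navigation would leave the current origin.
function safeNavigationTarget(candidate, currentHref) {
  const { href, sameOrigin } = classifyNavigation(candidate, currentHref);
  return sameOrigin ? href : null;
}

const CURRENT_PAGE = "https://app.example.test/Orders/Index"; // constructed

// Constructed scenarios:
// 1. Normal paging: old page/pageSize replaced, the customer filter kept.
// 2. Attacker-crafted query string: the payload stays inside the query.
// 3. Read URL already carries a parameter: the stale copy from the query is dropped.
// 4. Misconfigured cross-origin read URL: the only way off the origin, blocked by the guard.
function runScenarios() {
  const normal = buildReadUrl("?page=2&pageSize=10&customer=7", "/Orders/Index", { page: 3, pageSize: 10 });
  const crafted = buildReadUrl("?customer=//evil.example/&page=1", "/Orders/Index", { page: 2 });
  const dedup = buildReadUrl("?customer=9&page=1", "/Orders/Index?customer=7", { page: 2 });
  const misconfigured = buildReadUrl("?page=1", "https://evil.example/collect", { page: 2 });
  return {
    normal,
    crafted: classifyNavigation(crafted, CURRENT_PAGE),
    dedup,
    misconfigured: safeNavigationTarget(misconfigured, CURRENT_PAGE),
  };
}
```

Running runScenarios() shows scenario 2 resolving to https://app.example.test/Orders/Index?customer=//evil.example/&page=2, i.e. the crafted value is carried along as a query parameter of the same page, while scenario 4 is the only one safeNavigationTarget refuses, because its destination was set by the developer-configured read URL rather than by the query string. Two caveats the reconstruction makes visible: values are concatenated without encoding, so a carried parameter containing "&" splits into extra parameters on the server (hence the advice to validate page, pageSize and sort server-side), and a fragment cannot be smuggled through this path because the browser never includes "#..." in location.search.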
Hi,
Can you explain the reason for the false positive? I need to inform users, thanks.