This is a migrated thread and some comments may be shown as answers.

Security issue - "Open redirection (DOM-based)" in "kendo.aspnetmvc.min.js"

Alpesh
Top achievements
Rank 1
Alpesh asked on 02 Dec 2016, 06:06 AM

Hi,

I am using Kendo UI controls for my MVC application. I am using "kendo.aspnetmvc.min.js" on my ASP.NET view. When my application is tested for security issues by Burp (https://portswigger.net/burp/), the issue "Open redirection (DOM-based)" is reported in "kendo.aspnetmvc.min.js". The issue is reported because this JS manipulates the URL as shown below. Please help me with how we can resolve this security issue.

 

;i=location.search.replace(a,"").replace("?",""),i.length&&!/&$/.test(i)&&(i+="&"),t=this.setup(t,"read"),n=t.url,n.indexOf("?")>=0?(i=i.replace(/(.*?=.*?)&/g,function(e){return n.indexOf(e.substr(0,e.indexOf("=")))>=0?"":e}),n+="&"+i):n+="?"+i,n+=e.map(t.data,function(e,t){return t+"="+e}).join("&"),location.href=n

 

Thanks,

Alpesh.

(alpesh.chavda@allscripts.com)

12 Answers, 1 is accepted

0
Dimo
Telerik team
answered on 05 Dec 2016, 05:08 PM
Hello Alpesh,

The relevant part of our source code is used when a Kendo UI Grid widget is server-bound, and data operations (paging, sorting, etc) reload the whole web page. The code takes the query string portion of the current URL, manipulates some of the parameter values (e.g. the page number) and sets it as a new location.href. So, in standard scenarios, the same page will be loaded, but with different query string parameters (which should be subject to server-side validation as a best practice anyway). In theory, it is possible to configure a different URL rather than the current page in the Grid DataSource settings, however, this is under developer control. If the configured URL is changed by a third party, this means that the application is already compromised.

In conclusion, we do not see any justifiable reason for concern and you can mark this as a false positive. Let me know if you can think of an exception to this statement.

Regards,
Dimo
Telerik by Progress
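The URL assembly described in this answer, as an added example that is not part of the original post and not Telerik's code: the `read()` fragment quoted in this thread is rewritten as a pure function so it runs under Node. The function names, the sample URLs and passing `location.search`, `t.url`, `t.data` and `options.prefix` in as parameters are assumptions made for the illustration.

```javascript
// Added example: the thread's read() fragment rewritten as a pure function.
// search = location.search, configuredUrl = t.url, data = t.data,
// prefix = this.options.prefix (all passed in so it runs without a browser).
function buildReadUrl(search, configuredUrl, data, prefix = "") {
  const names = ["sort", "page", "pageSize", "group", "aggregate", "filter"]
    .map((n) => prefix + n);
  const gridParams = new RegExp("(" + names.join("|") + ")=[^&]*&?", "g");

  // Drop the grid's own parameters from the current query string.
  let rest = search.replace(gridParams, "").replace("?", "");
  if (rest.length && !/&$/.test(rest)) rest += "&";

  let url = configuredUrl;
  if (url.indexOf("?") >= 0) {
    // Skip parameters whose name already occurs in the configured URL.
    rest = rest.replace(/(.*?=.*?)&/g, (m) =>
      url.indexOf(m.substr(0, m.indexOf("="))) >= 0 ? "" : m);
    url += "&" + rest;
  } else {
    url += "?" + rest;
  }
  // The original uses jQuery's map over t.data; Object.keys is equivalent here.
  return url + Object.keys(data).map((k) => k + "=" + data[k]).join("&");
}

// Triage helper (hypothetical name): which URL components of the navigation
// target differ from the developer-configured URL once both are resolved
// against the current page?
function changedComponents(search, configuredUrl, data, pageHref) {
  const base = new URL(configuredUrl, pageHref);
  const target = new URL(buildReadUrl(search, configuredUrl, data), pageHref);
  return ["protocol", "host", "pathname", "search", "hash"]
    .filter((part) => base[part] !== target[part]);
}

// Constructed sample inputs, not taken from the thread.
const PAGE = "https://app.example.test/Orders/Index";
const SAMPLES = [
  "?page=2&tab=open",
  "?sort=Name-asc&returnUrl=https://other.example.test/",
  "?x=//other.example.test/&pageSize=50",
];
for (const search of SAMPLES) {
  console.log(buildReadUrl(search, "/Orders/Index", { page: 3 }),
    "-> changed:", changedComponents(search, "/Orders/Index", { page: 3 }, PAGE));
}
```

For each constructed sample only the `search` component differs from the configured URL; scheme, host and path stay those of the value the developer configured.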
0
Alpesh
Top achievements
Rank 1
answered on 16 Dec 2016, 09:19 AM

Hi Dimo,

Is "kendo.aspnetmvc.min.js" used by the Kendo Grid control only, or are other Kendo controls also using this JavaScript? Is the Kendo Grid control using "kendo.aspnetmvc.min.js" only for paging and sorting?

I checked the behavior of the Kendo Grid control in my application. As per my observation, when I used the paging and sorting functionality, an AJAX "POST" request is sent with the page number, page size and sort field parameters (it is not sending a "GET" request with the page number and other parameters). On the server side, in the Controller, the object "DataSourceRequest request" contains these values, and they are used in the code to return the appropriate data to the view. The URL is not changed at all here because the "POST" request is sent to the URL. Please confirm that my observation is correct.

If the above understanding is correct, I just need to validate the values (page number, page size and sort field) which are sent in the "POST" request (whether they contain valid values). Please confirm that my understanding is correct. Do you think I need to perform any other validation?

Thanks,
Alpesh.

0
Dimo
Telerik team
answered on 16 Dec 2016, 04:26 PM
Hi Alpesh,

kendo.aspnetmvc.min.js is used by practically all databound widgets which bind to data from an action method that uses ToDataSourceResult().

kendo.aspnetmvc.min.js defines internal Kendo UI DataSource types, namely "aspnetmvc-ajax" and "webapi". If the file is missing when needed, you will get an error like this:

http://docs.telerik.com/kendo-ui/troubleshoot/troubleshooting-common-issues#unknown-datasource-transport-type-json-warning-is-displayed

All data operations are involved - sorting, paging, filtering, grouping, aggregates. However, if server-side data operations are disabled, the DataSource will not send parameters to the server and will perform the operations on the client.

http://docs.telerik.com/aspnet-mvc/helpers/grid/binding/ajax-binding#enable-client-data-processing

Regards,
Dimo
Telerik by Progress
0
Alpesh
Top achievements
Rank 1
answered on 19 Dec 2016, 06:37 AM
Hi Dimo,

Burp is reporting the Open redirection (DOM-based) issue in "kendo.aspnetmvc.min.js" in my application. I have provided the sample code of the Kendo Grid below, from the page where this JavaScript is used.

Please let me know how I can alleviate this Burp issue.

Are you doing any validation on the URL on the client side in your JavaScript? If I need to validate something on the server side, please let me know what I need to validate on the server.

We are using Kendo controls in our application. Our client has scanned our application using Burp and they are asking for resolution or remediation of this security issue asap. We have tight deadlines and we need to conclude on this asap. If this is not the official way to discuss this issue, please let me know. I am from Allscripts and we have a license for Kendo. If I can open a support case and get a quicker response that way, then please let me know. If you require a WebEx call and/or screen-sharing session, I can schedule one for you. I think we have been communicating on this for a few days, but we are getting nowhere. I need to wrap this up asap. Please help me with this.

@(Html.Kendo().Grid<BusinessObject>()
 .Name("Grid")
 .Columns(columns =>
 {
 columns.Bound(o => o.Source).Title("Title").Visible(false);
 columns.Bound(o => o.Name).ClientTemplate(
 "<div class='table-responsive' id='table_patient'><table class='table'><tbody><tr><td><div class='MainItemClass'>#= Name #</div></td></tr><tr><td>#=kendo.toString(CreatedDate)# </td></tr></tbody> </table> </div> ");
 })
 .Pageable(pageable => pageable
 .Refresh(true)
 .PageSizes(true)
 .ButtonCount(5))
 .Sortable()
 .ColumnMenu()
 .Filterable()
 .ClientDetailTemplateId("childGridTemplate")
 .Editable(editable => editable.Mode(GridEditMode.PopUp))
 .DataSource(dataSource => dataSource
 .Ajax()
 .PageSize((int)ViewBag.PageSizeNo)
 .Events(events => events.Error("error_handler"))
 .Read(read => read.Action("ActionName", "ControllerName").Data("ReadRequestFromDate"))
 .Model(model => model.Id(p => p.Name))
 )
 .Events(events => events.DataBound("dataBound"))
 .Resizable(resize => resize.Columns(true))
)


Thanks,
Alpesh.
0
Accepted
Dimo
Telerik team
answered on 19 Dec 2016, 02:40 PM
Hello Alpesh,

Thanks for the follow-up and additional details.

The provided Grid declaration reveals that the widget is Ajax-bound, which means that the script that triggers the security tool warning is actually never executed.

We have received several reports about open DOM-based redirection recently. Our official position is that this should be treated as a false positive and we have documented the case here:

http://docs.telerik.com/aspnet-mvc/troubleshoot/troubleshooting#dom-based-open-redirection-issue-in-kendoaspnetmvcminjs-is-reported

My recommendation is to configure the security tool to ignore this in future tests.

We review all reports generated by automated security tools, but in this particular case, we have not found a reason for concern, and moreover, nobody has managed to produce a working exploit based on the assumed weakness in question. This is an important detail, which security analysts always provide with their reports. It ensures they're not false positives and enables us to quickly debug and address the issue.

With regard to validation, it is always a best practice to validate all submitted parameters from the client, because a malicious user can always fabricate a request that might be harmful.

Regards,
Dimo
Telerik by Progress
0
Nonito
Top achievements
Rank 1
answered on 30 Dec 2020, 04:53 PM

Hi,

In our recent vulnerability scan, both were tagged for A3-Cross-Site Scripting (XSS):

kendo.dataviz.map.min.js   - location
kendo.aspnetmvc.min.js     - href, replace

 

Can you verify if this is true or is just a false positive? Thank you!

 

 

0
Nonito
Top achievements
Rank 1
answered on 30 Dec 2020, 04:59 PM

Other findings:

kendo.dataviz.gauge.min.js - A7- Cross-Site Scripting - "text, append"
kendo.dataviz.map.min.js  - AI injection - "jsonp"

0
Plamen
Telerik team
answered on 01 Jan 2021, 07:49 AM

Hi,

We have been receiving and reviewing similar vulnerability scan reports, and so far all of them have appeared to be false positives. If you need to check yours more deeply, please run the scan over the non-minified versions of the Kendo JavaScript files, which can be found in your Telerik account, and submit a separate support ticket with them so we can review them separately.

Regards,
Plamen
Progress Telerik


0
Nonito
Top achievements
Rank 1
answered on 08 Jan 2021, 10:59 AM
We are not using the non-minified version in our application.
0
Nonito
Top achievements
Rank 1
answered on 08 Jan 2021, 12:20 PM

Hi Admin, 

Please find details on the vulnerability finding. Hopefully, I can get explanation about this. Thank you.

 

1.) kendo.dataviz.map.min.js

   Message:
The application's n.location embeds untrusted data in the generated output with location, at line 1263 of \Scripts\kendo\kendo.dataviz.map.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.


       renderTooltip: function() {
                    var e, t, n = this,
                        i = n.options.title,
                        r = n.options.tooltip || {};
                    r && c && (e = r.template, e && (t = a.template(e), r.content = function(e) {
                        return e.location = n.location(), e.marker = n, t(e)
                    }), (i || r.content || r.contentUrl) && (this.tooltip = new c(this.element, r), this.tooltip.marker = this))



2.) kendo.dataviz.map.min.js

  Message:
An explicit filename is not defined for the Content-Disposition header in line 1077 at file Source\Scripts\kendo\kendo.dataviz.map.min.js.
Filename attribute is required in order to prevent the browser from assuming the resource is an executable and download a possibly malicious file.

                _fetchMetadata: function() {
                    var t = this.options;
                    if (!t.key) throw Error("Bing tile layer: API key is required");
                    e.ajax({
                        url: t.baseUrl + t.imagerySet,
                        data: {
                            output: "json",
                            include: "ImageryProviders",
                            key: t.key,
                            uriScheme: this._scheme(window.location.protocol)
                        },
                        type: "get",
                        dataType: "jsonp",


3.) kendo.dataviz.gauge.min.js

Message:

The application's s.append embeds untrusted data in the generated output with append, at line 40 of \Scripts\kendo\kendo.dataviz.gauge.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.


! function(e, define) {
    define(["./kendo.dataviz.core.min", "./kendo.drawing.min", "./kendo.dataviz.themes.min"], e)
}(function() {
    return function(e, t) {
        function n(e, t) {
            var n = e.box,
                i = e.children[0].box,
                o = t.border || {}, a = t.background || "",
                s = new A,
                l = M.fromRect(new I([n.x1, n.y1], [n.width(), n.height()]), {
                    stroke: {}
                }),
                c = new E(e.text, new D(i.x1, i.y1), {
                    font: t.font,
                    fill: {
                        color: t.color
                    }
                }),
                d = r(c.bbox().clone(), t.padding),
                u = M.fromRect(d, {
                    stroke: {
                        color: o.width ? o.color : "",
                        width: o.width,
                        dashType: o.dashType,
                        lineJoin: "round",
                        lineCap: "round"
                    },
                    fill: {
                        color: a
                    }
                });
            return s.append(l), s.append(u), s.append(c), s
        }

0
Nonito
Top achievements
Rank 1
answered on 08 Jan 2021, 12:46 PM

 

Some more here ...

kendo.dataviz.map.min.js

Message:
The potentially tainted value provided by location in I\Scripts\kendo\kendo.dataviz.map.min.js at line 1239 is used as a destination URL by location in I\Scripts\kendo\kendo.dataviz.map.min.js at line 1263, potentially allowing attackers to perform an open redirection.


  location: function(e) {
                    return e ? (this.options.location = f.create(e).toArray(), this.layer && this.layer.update(this), this) : f.create(this.options.location)
                },

kendo.router.min.js

Message:
The potentially tainted value provided by location in \Scripts\kendo\kendo.router.min.js at line 12 is used as a destination URL by replace in Scripts\kendo\kendo.router.min.js at line 60, potentially allowing attackers to perform an open redirection.

      },
                replaceLocation: function(e) {
                    f.replace(e)
        }

kendo.aspnetmvc.min.js

The potentially tainted value provided by replace in \Scripts\kendo\kendo.aspnetmvc.min.js at line 199 is used as a destination URL by href in \Scripts\kendo\kendo.aspnetmvc.min.js at line 199, potentially allowing attackers to perform an open redirection.

 read: function(t) {
                        var n, i, r = this.options.prefix,
                            o = [r + "sort", r + "page", r + "pageSize", r + "group", r + "aggregate", r + "filter"],
                            a = RegExp("(" + o.join("|") + ")=[^&]*&?", "g");
                        i = location.search.replace(a, "").replace("?", ""), i.length && !/&$/.test(i) && (i += "&"), t = this.setup(t, "read"), n = t.url, n.indexOf("?") >= 0 ? (i = i.replace(/(.*?=.*?)&/g, function(e) {
                            return n.indexOf(e.substr(0, e.indexOf("="))) >= 0 ? "" : e
                        }), n += "&" + i) : n += "?" + i, n += e.map(t.data, function(e, t) {
                            return t + "=" + e
                        }).join("&"), location.href = n

0
Plamen
Telerik team
answered on 11 Jan 2021, 02:19 PM

Hi,

Thank you for sharing the code. Based on it, we can tell that similar issues have been reported to us, yet all of them were false positives. If you want us to inspect each issue more deeply, please submit a support ticket with the exact files that you have scanned, so that we are able to review the warnings once again against all of the code and be more descriptive in our answer.

Regards,
Plamen
Progress Telerik


chuan
Top achievements
Rank 1
commented on 05 May 2023, 07:48 AM

Hi,

Can you explain the reason for the false positive? I need to inform users, thanks.
