Security issue - "Open redirection (DOM-based)" in "kendo.aspnetmvc.min.js"

6 posts, 1 answer
  1. Alpesh
    3 posts
    Member since:
    Jun 2015

    Posted 02 Dec 2016

    Hi,

    I am using Kendo UI controls for my MVC application. I am using "kendo.aspnetmvc.min.js" on my ASP.NET view. When my application is tested for security issues by Burp (https://portswigger.net/burp/), the issue "Open redirection (DOM-based)" is reported in "kendo.aspnetmvc.min.js". The issue is reported because this JS manipulates the URL as shown below. Please help me understand how we can resolve this security issue.


    // de-minified for readability; in the original, e is the jQuery alias, a is a regex and t the read options
    i = location.search.replace(a, "").replace("?", "");
    if (i.length && !/&$/.test(i)) {
        i += "&";
    }
    t = this.setup(t, "read");
    n = t.url;
    if (n.indexOf("?") >= 0) {
        // drop query parameters whose name already appears in the configured url
        i = i.replace(/(.*?=.*?)&/g, function (e) {
            return n.indexOf(e.substr(0, e.indexOf("="))) >= 0 ? "" : e;
        });
        n += "&" + i;
    } else {
        n += "?" + i;
    }
    n += e.map(t.data, function (e, t) { return t + "=" + e; }).join("&");
    location.href = n;


    Thanks,

    Alpesh.

    (alpesh.chavda@allscripts.com)

  2. Dimo
    Admin
    8407 posts

    Posted 05 Dec 2016

    Hello Alpesh,

    The relevant part of our source code is used when a Kendo UI Grid widget is server-bound, and data operations (paging, sorting, etc.) reload the whole web page. The code takes the query string portion of the current URL, manipulates some of the parameter values (e.g. the page number) and sets it as a new location.href. So, in standard scenarios, the same page will be loaded, but with different query string parameters (which should be subject to server-side validation as a best practice anyway). In theory, it is possible to configure a different URL rather than the current page in the Grid DataSource settings; however, this is under developer control. If the configured URL is changed by a third party, this means that the application is already compromised.

    In conclusion, we do not see any justifiable reason for concern and you can mark this as a false positive. Let me know if you can think of an exception to this statement.

    Regards,
    Dimo
    Telerik by Progress
    Telerik UI for ASP.NET MVC is ready for Visual Studio 2017 RC! Learn more.
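    The rewriting step described above, as an added example written for this thread (not Kendo's own code): a readable re-implementation of the quoted snippet, plus a same-origin check a reviewer can use to confirm that the configured read URL keeps navigation on the application's own origin. The `a` regex and the `this.setup()` call from the minified source are omitted (the configured URL is passed in directly), and the hostnames and query strings are constructed sample values.

```javascript
// Added example, not Kendo's code: re-implements the server-binding read step
// so the resulting URL can be inspected instead of assigned to location.href.
function buildReadUrl(search, configuredUrl, data) {
  // 1. Current query string without the leading "?" (only the first "?" is
  //    removed, as in the original), normalised to end with "&".
  let qs = search.replace("?", "");
  if (qs.length && !/&$/.test(qs)) {
    qs += "&";
  }
  let url = configuredUrl;
  if (url.indexOf("?") >= 0) {
    // 2. Drop "name=value&" pairs whose name already occurs anywhere in the
    //    configured URL. Note this is a plain substring test, not a parameter
    //    comparison, exactly as in the quoted snippet.
    qs = qs.replace(/(.*?=.*?)&/g, function (pair) {
      const name = pair.substr(0, pair.indexOf("="));
      return url.indexOf(name) >= 0 ? "" : pair;
    });
    url += "&" + qs;
  } else {
    url += "?" + qs;
  }
  // 3. Append the data-operation parameters (page, pageSize, sort, ...),
  //    mirroring jQuery.map(obj, fn(value, key)).
  url += Object.keys(data).map(function (k) { return k + "=" + data[k]; }).join("&");
  return url; // the original assigns this to location.href
}

// Defender's check (added here, not part of Kendo): does the URL the page
// would navigate to resolve to the current origin? Resolving with the URL API
// also catches protocol-relative forms such as "//host/path", which a naive
// "starts with /" test would accept.
function staysOnOrigin(url, currentOrigin) {
  return new URL(url, currentOrigin).origin === currentOrigin;
}

// Constructed sample: query string of the current page plus a relative read URL.
console.log(buildReadUrl("?tab=orders&q=smith", "/Home/Index", { page: 2, pageSize: 10 }));
console.log(staysOnOrigin("/Home/Index?page=2", "https://app.example.test"));
```

    With a relative, developer-configured URL, the only part of the result that comes from the page is the query string, which is the point Dimo makes above.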
  3. Alpesh
    3 posts
    Member since:
    Jun 2015

    Posted 16 Dec 2016 in reply to Dimo

    Hi Dimo,
    Is "kendo.aspnetmvc.min.js" used by the Kendo Grid control only, or do other Kendo controls also use this JavaScript? Does the Kendo Grid control use "kendo.aspnetmvc.min.js" only for paging and sorting?

    I checked the behavior of the Kendo Grid control in my application. As per my observation, when I used the paging and sorting functionality, an AJAX "POST" request is sent with the page number, page size and sort field parameters (it is not sending a "GET" request with the page number and other parameters). On the server side, in the Controller, the "DataSourceRequest request" object contains these values and they are used in the code to return the appropriate data to the view. The URL is not changed at all here, because a "POST" request is sent to the URL. Please confirm that my observation is correct.

    If the above understanding is correct, I just need to validate the values (page number, page size and sort field) which are sent in the "POST" request, i.e. whether they contain valid values. Please confirm that my understanding is correct. Do you think I need to perform any other validation?

    Thanks,
    Alpesh.

  4. Dimo
    Admin
    8407 posts

    Posted 16 Dec 2016

    Hi Alpesh,

    kendo.aspnetmvc.min.js is used by practically all databound widgets which bind to data from an action method that uses ToDataSourceResult().

    kendo.aspnetmvc.min.js defines internal Kendo UI DataSource types, namely "aspnetmvc-ajax" and "webapi". If the file is missing when needed, you will get an error like this:

    http://docs.telerik.com/kendo-ui/troubleshoot/troubleshooting-common-issues#unknown-datasource-transport-type-json-warning-is-displayed

    All data operations are involved - sorting, paging, filtering, grouping, aggregates. However, if server-side data operations are disabled, the DataSource will not send parameters to the server and will perform the operations on the client.

    http://docs.telerik.com/aspnet-mvc/helpers/grid/binding/ajax-binding#enable-client-data-processing

    Regards,
    Dimo
    Telerik by Progress
    Try our brand new, jQuery-free Angular 2 components built from ground-up which deliver the business app essential building blocks - a grid component, data visualization (charts) and form elements.
  5. Alpesh
    3 posts
    Member since:
    Jun 2015

    Posted 19 Dec 2016 in reply to Dimo

    Hi Dimo,
    Burp is reporting the "Open redirection (DOM-based)" issue in "kendo.aspnetmvc.min.js" in my application. I have provided the sample code of the Kendo Grid below, from the page where this JavaScript is used.

    Please let me know how I can alleviate this Burp issue.

    Are you doing any validation of the URL on the client side in your JavaScript? If I need to validate something on the server side, please let me know what I need to validate on the server.

    We are using Kendo controls in our application. Our client has scanned our application using Burp and they are asking for a resolution or remediation of this security issue asap. We have tight deadlines and we need to conclude on this asap. If this is not the official way to discuss this issue, please let me know. I am from Allscripts and we have a license for Kendo. If I can open a support case and get a quicker response that way, then please let me know. If you require a WebEx call and/or a screen-sharing session, I can schedule one for you. I think we have been communicating on this for a few days, but we are getting nowhere. I need to wrap this up asap. Please help me on this.

    @(Html.Kendo().Grid<BusinessObject>()
        .Name("Grid")
        .Columns(columns =>
        {
            columns.Bound(o => o.Source).Title("Title").Visible(false);
            columns.Bound(o => o.Name).ClientTemplate(
                "<div class='table-responsive' id='table_patient'><table class='table'><tbody><tr><td><div class='MainItemClass'>#= Name #</div></td></tr><tr><td>#=kendo.toString(CreatedDate)# </td></tr></tbody> </table> </div> ");
        })
        .Pageable(pageable => pageable
            .Refresh(true)
            .PageSizes(true)
            .ButtonCount(5))
        .Sortable()
        .ColumnMenu()
        .Filterable()
        .ClientDetailTemplateId("childGridTemplate")
        .Editable(editable => editable.Mode(GridEditMode.PopUp))
        .DataSource(dataSource => dataSource
            .Ajax()
            .PageSize((int)ViewBag.PageSizeNo)
            .Events(events => events.Error("error_handler"))
            .Read(read => read.Action("ActionName", "ControllerName").Data("ReadRequestFromDate"))
            .Model(model => model.Id(p => p.Name))
        )
        .Events(events => events.DataBound("dataBound"))
        .Resizable(resize => resize.Columns(true))
    )


    Thanks,
    Alpesh.
  6. Dimo (Answer)
    Admin
    8407 posts

    Posted 19 Dec 2016

    Hello Alpesh,

    Thanks for the follow-up and additional details.

    The provided Grid declaration reveals that the widget is Ajax-bound, which means that the script that triggers the security tool warning is actually never executed.

    We have received several reports about open DOM-based redirection recently. Our official position is that this should be treated as a false positive and we have documented the case here:

    http://docs.telerik.com/aspnet-mvc/troubleshoot/troubleshooting#dom-based-open-redirection-issue-in-kendoaspnetmvcminjs-is-reported

    My recommendation is to configure the security tool to ignore this in future tests.

    We review all reports generated by automated security tools, but in this particular case, we have not found a reason for concern, and moreover, nobody has managed to produce a working exploit based on the assumed weakness in question. This is an important detail, which security analysts always provide with their reports. It ensures they're not false positives and enables us to quickly debug and address the issue.

    With regard to validation, it is always a best practice to validate all submitted parameters from the client, because a malicious user can always fabricate a request that might be harmful.

    Regards,
    Dimo
    Telerik by Progress