ZAP: high security risk

General Discussions

Daniele Bruno asked on 03 Oct 2016, 04:11 PM

Hi,

We test our Kendo-based application with the ZAP security scanner tool. It reports one high security risk caused by the kendo.all.min.js file.

Description
Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs.
URL
https://service.cboxcloud.com/api/kendo/kendo.all.min.js;sleep%20%7B0%7Ds;
Parameter
kendo.all.min.js
Attack
kendo.all.min.js;sleep {0}s;
Solution
If at all possible, use library calls rather than external processes to recreate the desired functionality.
Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by your software....

Does anyone know how to reduce or eliminate this risk?


1 Answer, 1 is accepted

Dimo
Telerik team
answered on 05 Oct 2016, 08:34 AM
Hi Daniele,

Thank you for the feedback.

In order to investigate your report properly, we will need more information. Please do the following:

- download the Kendo UI source code from Your Account (http://screencast.com/t/y38boBXsF)

- test with the non-minified kendo.all.js script file

- specify on which line in the JS file the issue is reported to exist and paste the line content here

- describe a valid use case that can be exploited

Based on our experience, almost all security risk reports that we receive are false positives, for example, we cannot think of any "operating system commands" that we are building in our JavaScript code. Nevertheless, we will readily review your updated report. Thank you in advance.

Regards,
Dimo
Telerik by Progress