XSS vulnerability fix (powered by Mobb) by eitanMobb · Pull Request #28 · eitanMobb/WebGoat

eitanMobb · 2024-11-07T17:45:07Z

This change fixes a high severity (🚩) XSS issue reported by Checkmarx.

Issue description

Cross-Site Scripting (XSS) allows attackers to inject malicious scripts into web pages viewed by other users. This can lead to theft of session cookies, redirection to malicious websites, or defacement of the webpage.

Fix instructions

Implement input validation and output encoding. This includes sanitizing user input and escaping special characters to prevent execution of injected scripts.

Additional actions required

We use dompurify package to sanitize user input. Please make sure you add the latest dompurify to your package.json file. For TypeScript users, consider adding @types/dompurify to your package.json as well

More info and fix customization are available in the Mobb platform

eitanMobb · 2024-11-07T17:47:34Z

Checkmarx One – Scan Summary & Details – 632b26bb-d082-442c-9f2b-d2376605f92d

New Issues

Issue	Source File / Package	Checkmarx Insight
CVE-2013-7285	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-21342	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-21344	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-21345	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-21346	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-21347	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-21350	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-21351	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2022-1471	Maven-org.yaml:snakeyaml-1.33	Vulnerable Package
CVE-2024-31573	Maven-org.xmlunit:xmlunit-core-2.9.1	Vulnerable Package
CVE-2024-38821	Maven-org.springframework.security:spring-security-web-6.1.5	Vulnerable Package
CVE-2016-10707	Npm-jquery-1.10.2	Vulnerable Package
CVE-2016-10707	Npm-jquery-2.1.4	Vulnerable Package
CVE-2016-3674	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2017-7957	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2020-26217	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2020-26258	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-21341	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-21343	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-21348	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-21349	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-29505	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-39139	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-39141	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-39144	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-39145	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-39146	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-39147	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-39148	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-39149	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-39150	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-39151	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-39152	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-39153	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-39154	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-43859	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2022-40151	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2022-40152	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2022-41966	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2023-1973	Maven-io.undertow:undertow-core-2.3.10.Final	Vulnerable Package
CVE-2023-1973	Maven-io.undertow:undertow-servlet-2.3.10.Final	Vulnerable Package
CVE-2023-24998	Maven-commons-fileupload:commons-fileupload-1.4	Vulnerable Package
CVE-2023-34053	Maven-org.springframework:spring-web-6.0.13	Vulnerable Package
CVE-2023-38286	Maven-org.thymeleaf:thymeleaf-3.1.1.RELEASE	Vulnerable Package
CVE-2023-51775	Maven-org.bitbucket.b_c:jose4j-0.9.3	Vulnerable Package
CVE-2023-52428	Maven-com.nimbusds:nimbus-jose-jwt-9.24.4	Vulnerable Package
CVE-2023-5379	Maven-io.undertow:undertow-core-2.3.10.Final	Vulnerable Package
CVE-2023-5685	Maven-org.jboss.xnio:xnio-api-3.8.8.Final	Vulnerable Package
CVE-2023-6378	Maven-ch.qos.logback:logback-classic-1.4.11	Vulnerable Package
CVE-2023-6378	Maven-ch.qos.logback:logback-core-1.4.11	Vulnerable Package
CVE-2023-6481	Maven-ch.qos.logback:logback-core-1.4.11	Vulnerable Package
CVE-2024-1635	Maven-io.undertow:undertow-core-2.3.10.Final	Vulnerable Package
CVE-2024-22201	Maven-org.eclipse.jetty.http2:http2-common-11.0.17	Vulnerable Package
CVE-2024-22234	Maven-org.springframework.security:spring-security-core-6.1.5	Vulnerable Package
CVE-2024-22234	Maven-org.springframework.security:spring-security-web-6.1.5	Vulnerable Package
CVE-2024-22234	Maven-org.springframework.security:spring-security-oauth2-client-6.1.5	Vulnerable Package
CVE-2024-22243	Maven-org.springframework:spring-web-6.0.13	Vulnerable Package
CVE-2024-22257	Maven-org.springframework.security:spring-security-core-6.1.5	Vulnerable Package
CVE-2024-22259	Maven-org.springframework:spring-web-6.0.13	Vulnerable Package
CVE-2024-22262	Maven-org.springframework:spring-web-6.0.13	Vulnerable Package
CVE-2024-38809	Maven-org.springframework:spring-web-6.0.13	Vulnerable Package
CVE-2024-38816	Maven-org.springframework:spring-webmvc-6.0.13	Vulnerable Package
CVE-2024-5971	Maven-io.undertow:undertow-core-2.3.10.Final	Vulnerable Package
CVE-2024-6162	Maven-io.undertow:undertow-core-2.3.10.Final	Vulnerable Package
CVE-2024-7885	Maven-io.undertow:undertow-core-2.3.10.Final	Vulnerable Package
Missing User Instruction	/Dockerfile_desktop: 1	A user should be specified in the dockerfile, otherwise the image will run as root
Apt Get Install Pin Version Not Defined	/Dockerfile_desktop: 12	When installing a package, its pin version should be defined
Apt Get Install Pin Version Not Defined	/Dockerfile_desktop: 12	When installing a package, its pin version should be defined
CVE-2015-9251	Npm-jquery-1.10.2	Vulnerable Package
CVE-2015-9251	Npm-jquery-2.1.4	Vulnerable Package
CVE-2016-7103	Npm-jquery-ui-1.10.4	Vulnerable Package
CVE-2019-11358	Npm-jquery-1.10.2	Vulnerable Package
CVE-2019-11358	Npm-jquery-2.1.4	Vulnerable Package
CVE-2020-11022	Npm-jquery-1.10.2	Vulnerable Package
CVE-2020-11022	Npm-jquery-2.1.4	Vulnerable Package
CVE-2020-11022	Npm-jquery-3.4.1	Vulnerable Package
CVE-2020-11023	Npm-jquery-1.10.2	Vulnerable Package
CVE-2020-11023	Npm-jquery-2.1.4	Vulnerable Package
CVE-2020-11023	Npm-jquery-3.4.1	Vulnerable Package
CVE-2020-26259	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-39140	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-41182	Npm-jquery-ui-1.10.4	Vulnerable Package
CVE-2021-41183	Npm-jquery-ui-1.10.4	Vulnerable Package
CVE-2021-41184	Npm-jquery-ui-1.10.4	Vulnerable Package
CVE-2022-31160	Npm-jquery-ui-1.10.4	Vulnerable Package
CVE-2023-34055	Maven-org.springframework.boot:spring-boot-actuator-3.1.5	Vulnerable Package
CVE-2023-41329	Maven-com.github.tomakehurst:wiremock-3.0.0-beta-2	Vulnerable Package
CVE-2023-51074	Maven-com.jayway.jsonpath:json-path-2.8.0	Vulnerable Package
CVE-2024-1459	Maven-io.undertow:undertow-core-2.3.10.Final	Vulnerable Package
CVE-2024-3653	Maven-io.undertow:undertow-core-2.3.10.Final	Vulnerable Package
CVE-2024-3653	Maven-io.undertow:undertow-servlet-2.3.10.Final	Vulnerable Package
CVE-2024-38820	Maven-org.springframework:spring-webmvc-6.0.13	Vulnerable Package
CVE-2024-38820	Maven-org.springframework:spring-core-6.0.13	Vulnerable Package
CVE-2024-38820	Maven-org.springframework:spring-web-6.0.13	Vulnerable Package
CVE-2024-38820	Maven-org.springframework:spring-context-6.0.13	Vulnerable Package
CVE-2024-6531	Maven-org.webjars:bootstrap-5.3.2	Vulnerable Package
CVE-2024-8184	Maven-org.eclipse.jetty:jetty-server-11.0.17	Vulnerable Package
CVE-2024-9823	Maven-org.eclipse.jetty:jetty-servlets-11.0.17	Vulnerable Package
Cxf0b588a3-5c6f	Npm-jquery-2.1.4	Vulnerable Package
Cxf0b588a3-5c6f	Npm-jquery-1.10.2	Vulnerable Package
Parameter_Tampering	/src/main/java/org/owasp/webgoat/container/users/RegistrationController.java: 54	Attack Vector
Parameter_Tampering	/src/main/java/org/owasp/webgoat/container/users/RegistrationController.java: 54	Attack Vector
Parameter_Tampering	/src/main/java/org/owasp/webgoat/webwolf/mailbox/MailboxController.java: 60	Attack Vector
Use_of_a_One_Way_Hash_with_a_Predictable_Salt	/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACUsers.java: 89	Attack Vector
Use_of_a_One_Way_Hash_with_a_Predictable_Salt	/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACUsers.java: 76	Attack Vector
Use_of_a_One_Way_Hash_with_a_Predictable_Salt	/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACUsers.java: 62	Attack Vector
Use_of_a_One_Way_Hash_with_a_Predictable_Salt	/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHashAdmin.java: 62	Attack Vector
Use_of_a_One_Way_Hash_with_a_Predictable_Salt	/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHash.java: 54	Attack Vector
Use_of_a_One_Way_Hash_with_a_Predictable_Salt	/src/test/java/org/owasp/webgoat/lessons/missingac/DisplayUserTest.java: 42	Attack Vector
Use_of_a_One_Way_Hash_with_a_Predictable_Salt	/src/test/java/org/owasp/webgoat/lessons/missingac/DisplayUserTest.java: 35	Attack Vector
Use_of_a_One_Way_Hash_with_a_Predictable_Salt	/src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHashAdminTest.java: 26	Attack Vector
CVE-2024-6762	Maven-org.eclipse.jetty:jetty-servlets-11.0.17	Vulnerable Package
CVE-2024-6763	Maven-org.eclipse.jetty:jetty-server-11.0.17	Vulnerable Package
CVE-2024-6763	Maven-org.eclipse.jetty:jetty-http-11.0.17	Vulnerable Package
Chown Flag Exists	/Dockerfile: 12	It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only e...
Healthcheck Instruction Missing	/Dockerfile_desktop: 1	Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working
Healthcheck Instruction Missing	/Dockerfile: 1	Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working
Heap_Inspection	/src/main/java/org/owasp/webgoat/webwolf/jwt/JWTController.java: 38	Attack Vector
Heap_Inspection	/src/main/java/org/owasp/webgoat/webwolf/jwt/JWTController.java: 27	Attack Vector
Unpinned Actions Full Length Commit SHA	/release.yml: 43	Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
Unpinned Actions Full Length Commit SHA	/release.yml: 77	Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
Unpinned Actions Full Length Commit SHA	/release.yml: 104	Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
Unpinned Actions Full Length Commit SHA	/test.yml: 64	Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
Unpinned Actions Full Length Commit SHA	/test.yml: 45	Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
Unpinned Actions Full Length Commit SHA	/pre-commit.yaml: 28	Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
Unpinned Actions Full Length Commit SHA	/release.yml: 145	Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
Unpinned Actions Full Length Commit SHA	/release.yml: 137	Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
Unpinned Actions Full Length Commit SHA	/test.yml: 56	Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
Unpinned Actions Full Length Commit SHA	/pre-commit.yaml: 26	Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
Unpinned Actions Full Length Commit SHA	/release.yml: 82	Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
Unpinned Actions Full Length Commit SHA	/release.yml: 85	Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
Unpinned Actions Full Length Commit SHA	/release.yml: 91	Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...

Fixed Issues

Severity	Issue	Source File / Package
	SQL_Injection	/src/main/java/org/owasp/webgoat/container/users/RegistrationController.java: 44
	SQL_Injection	/src/main/java/org/owasp/webgoat/container/users/RegistrationController.java: 44
	Use_of_a_One_Way_Hash_with_a_Predictable_Salt	/src/main/java/org/owasp/webgoat/lessons/missingac/DisplayUser.java: 57
	Use_of_a_One_Way_Hash_with_a_Predictable_Salt	/src/main/java/org/owasp/webgoat/lessons/missingac/DisplayUser.java: 57
	Use_of_a_One_Way_Hash_with_a_Predictable_Salt	/src/main/java/org/owasp/webgoat/lessons/missingac/DisplayUser.java: 57
	Use_of_a_One_Way_Hash_with_a_Predictable_Salt	/src/main/java/org/owasp/webgoat/lessons/missingac/DisplayUser.java: 57

mobb fix commit: eaa01f4f-1bb6-44f8-aace-9e6d7410eb4e

45e4f47

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Comments

XSS vulnerability fix (powered by Mobb)#28

XSS vulnerability fix (powered by Mobb)#28
eitanMobb wants to merge 1 commit intomainfrom
Mobb-fix-d11ec7e420

eitanMobb commented Nov 7, 2024

Uh oh!

eitanMobb commented Nov 7, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Comments

Conversation

eitanMobb commented Nov 7, 2024

Issue description

Fix instructions

Additional actions required

Uh oh!

eitanMobb commented Nov 7, 2024

New Issues

Fixed Issues

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant