Forum
Help me with my security vulnerability
Crucifix Light, modified 7 years ago.
Help me with my security vulnerability
New Member Posts: 6 Join Date: 14/07/13 Recent Posts
Hi,
I would like to seek help on how to resolve my challenge in my application. Our team conducted a vulnerability scan and found an XSS vulnerability. Here is what is stated.
By changing the URL and injecting into the "t" URL parameter (using method GET) in
https://xxx.xxx.xxx.xxx/html/css/main.css?browserId=ie&themeId=envision_WAR_envisiontheme&languageId=en_US&b=6102&t=\">script>630046416
How can I solve this? Please point me in the right direction.
Thanks.
Note:
I am using Liferay 6.1
and Liferay is behind a proxy
David H Nebinger, modified 7 years ago.
RE: Help me with my security vulnerability (Answer)
Liferay Legend Posts: 14919 Join Date: 02/09/06 Recent Posts
There is no vulnerability here.
You're fetching a css file, the t= parameter is a timestamp value to get around caching browsers to use a new value.
This line doesn't do anything, is not exposing anything, is not storing anything on the server and is effectively a false positive.
Come meet me at the LSNA!
Crucifix Light, modified 7 years ago.
RE: Help me with my security vulnerability
New Member Posts: 6 Join Date: 14/07/13 Recent Posts
Thank you very much Sir.
Very much appreciated.
David H Nebinger, modified 7 years ago.
RE: Help me with my security vulnerability
Liferay Legend Posts: 14919 Join Date: 02/09/06 Recent Posts
Yeah, a lot of the automated scans will generate false positives; the security folks don't realize it because they won't necessarily understand Liferay.
When going through their list you have to look at the full URL and understand the context during its processing. This one, for example, should be clear even to them - you're requesting a CSS file using an HTTP GET request; it's not going to matter what the heck they tack on there, it's not going to inject code or affect either the browser or server.
Come meet me at the LSNA!
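Added example (not code from the thread or from Liferay) of the triage step described above: for each "reflected parameter" finding, check whether the marker the scanner sent actually comes back in the response body and, if it does, what media type the response declares. The URL is the redacted one from the scan report; the responses are constructed for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs

HTML_TYPES = {"text/html", "application/xhtml+xml"}


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    headers: dict = field(default_factory=dict)  # header names lowercased
    body: str = ""


def media_type(resp: Response) -> str:
    return resp.headers.get("content-type", "").split(";")[0].strip().lower()


def triage_reflection(url: str, param: str, marker: str, resp: Response) -> str:
    """Classify one scanner finding about a parameter being reflected.

    'not-reflected'      marker never appears in the body (e.g. Liferay's t=
                         cache-busting timestamp on CSS requests)
    'reflected-in-html'  marker is echoed into an HTML response: a real XSS
                         candidate that needs output encoding
    'reflected-untyped'  echoed, but no Content-Type declared, so a browser
                         may sniff the body; needs manual review
    'reflected-non-html' echoed into a non-HTML body such as text/css, which
                         the browser will not execute as script
    """
    sent = parse_qs(urlsplit(url).query, keep_blank_values=True).get(param, [])
    if not any(marker in v for v in sent):
        raise ValueError(f"marker {marker!r} was not sent in parameter {param!r}")
    if marker not in resp.body:
        return "not-reflected"
    mt = media_type(resp)
    if mt in HTML_TYPES:
        return "reflected-in-html"
    if mt == "":
        return "reflected-untyped"
    return "reflected-non-html"


# URL from the scan report (host redacted as in the post); responses are constructed.
SCAN_URL = ('https://xxx.xxx.xxx.xxx/html/css/main.css?browserId=ie'
            '&themeId=envision_WAR_envisiontheme&languageId=en_US&b=6102&t=\\">script>630046416')
MARKER = "630046416"

CSS_RESPONSE = Response({"content-type": "text/css;charset=UTF-8"},
                        body=".portlet { margin: 0 }\n")  # t= is never echoed
ECHOING_HTML = Response({"content-type": "text/html;charset=UTF-8"},
                        body='<input value="\\">script>630046416">')  # constructed echoing page

if __name__ == "__main__":
    print(triage_reflection(SCAN_URL, "t", MARKER, CSS_RESPONSE))  # not-reflected
    print(triage_reflection(SCAN_URL, "t", MARKER, ECHOING_HTML))  # reflected-in-html
```

Only 'reflected-in-html' findings need the application's output encoding fixed; the others can be closed with the reasoning in the post, after checking the actual response rather than the scanner's summary.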
Hugh Kelley, modified 6 years ago.
RE: Help me with my security vulnerability
New Member Posts: 1 Join Date: 08/11/16 Recent Posts
Is there a vulnerability scanner that you recommend for Liferay - something without the false positives that may come from a generic tool?