
I am currently researching some web application vulnerabilities, especially client-side vulnerabilities like XSS. I have already read some topics about this issue. They said it was possible to inject malicious code inside XHTML.

But I would like to know what the current situation is like. Is it still possible to use XSS for attacking the Vaadin framework? Could anyone give a code example of a simple vulnerability?

In case Vaadin is not vulnerable to XSS anymore - what would be (theoretically) a way to use a client-side vulnerability?

  • It appears it could be possible depending on the specific implementation of the system, because the docco advises to sanitize: https://vaadin.com/docs/-/part/framework/advanced/advanced-security.html – SilverlightFox Sep 21 '16 at 14:27

1 Answer


Ok, I found some interesting information about this issue:

Vaadin has built-in protection against cross-site scripting (xss) attacks. Vaadin converts all data to use HTML entities before the data is rendered in the user's browser. You can explicitly allow HTML content in Vaadin components, in which case your application needs to ensure that the data does not contain XSS payloads. (official vaadin documentation)

So I tested some components for an XSS attack and behold... allowing HTML content makes some components like Label, Tooltip and Notifications vulnerable to XSS attacks.

I have some sample code:

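```java
// Deliberately vulnerable: HTML content mode sends the string to the browser as markup
Label mainLabel = new Label("<IFRAME SRC=\"javascript:alert('XSS11');\"></IFRAME>");
mainLabel.setContentMode(ContentMode.HTML);
addComponent(mainLabel);
```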
  • Please only write answers in the answers. I have edited out the question from the answer. If you have more questions, ask new ones as I see you already did. – Anders Nov 22 '16 at 18:53
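
The hardened counterpart to the Label snippet in the answer, as an added example that is not part of the original post or Vaadin's own code. It assumes Vaadin 7 (where `ContentMode` lives in `com.vaadin.shared.ui.label`) and jsoup 1.14.2 or later on the classpath; the class name `SafeLabels` and its methods are hypothetical.

```java
import com.vaadin.shared.ui.label.ContentMode; // assumption: Vaadin 7; Vaadin 8 uses com.vaadin.shared.ui.ContentMode
import com.vaadin.ui.Label;
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist; // jsoup >= 1.14.2; older releases name this class Whitelist

/** Hypothetical helper: builds Labels from untrusted input without handing the browser raw markup. */
public final class SafeLabels {

    private SafeLabels() {}

    /**
     * Plain text: TEXT mode lets Vaadin convert the value to HTML entities,
     * so markup in the input is displayed as characters instead of being interpreted.
     */
    public static Label text(String untrusted) {
        Label label = new Label(untrusted == null ? "" : untrusted);
        label.setContentMode(ContentMode.TEXT);
        return label;
    }

    /**
     * Limited rich text: the input is reduced to an allow-list of tags first,
     * and only the cleaned result is placed in a Label with HTML mode enabled.
     */
    public static Label richText(String untrusted) {
        return new Label(sanitize(untrusted), ContentMode.HTML);
    }

    /**
     * Safelist.basic() keeps simple formatting tags (b, i, em, a, ul, ...) and
     * removes everything else, including iframe and script elements and
     * links whose protocol is not http, https, ftp or mailto.
     */
    static String sanitize(String untrusted) {
        return Jsoup.clean(untrusted == null ? "" : untrusted, Safelist.basic());
    }
}
```

Inside a layout, `addComponent(SafeLabels.text(userInput))` replaces the direct `setContentMode(ContentMode.HTML)` call whenever the value does not need markup; `richText` is for the cases where it does.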