Thursday, June 25, 2020

How to fix the Fortify issues Open Redirect and Cross-Site Scripting: Poor Validation (URL_ENCODE)

Below are sample fixes for the Fortify issues:
Open Redirect
Cross-Site Scripting: Poor Validation (URL_ENCODE)

Replace the “Sink: Assignment to window.location” line:
  window.location = theUrl;

with:
  var redirectUrl = window.urlUtil.getRedirectUrl(theUrl);
  if (redirectUrl) {
    window.location = redirectUrl;
  }

Add DOMPurify to _Layout.cshtml:
<!-- DOMPurify is the sanitiser called by window.urlUtil.getRedirectUrl below. -->
<script src="~/lib/dompurify/purify.min.js"></script>

Initialise trusted sites in e.g. _Layout.cshtml or site.js:
<script>
    "use strict";

    // Each entry is compared against the redirect URL by urlUtil.isWhitelisted;
    // register only the external sites a redirect is allowed to leave for.
    window.app.addTrustedSite('https://www.google.com');
    window.app.addTrustedSite('https://www.microsoft.com');
</script>

Add the JS below to a file, e.g. site.js:
"use strict";

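(function () {

    // Small app-wide settings holder exposed as window.app. The redirect
    // helpers in window.urlUtil read the trusted-site list from here.
    var appService = {
        getPublicOrigin: getPublicOrigin,
        setPublicOrigin: setPublicOrigin,

        getTrustedSites: getTrustedSites,
        addTrustedSite: addTrustedSite,
    };

    window.app = appService;

    var publicOrigin = '/';
    var trustedSites = [];

    // Returns the configured public origin (defaults to '/').
    function getPublicOrigin() {
        return publicOrigin;
    }

    // Overrides the public origin; no validation is applied to value.
    function setPublicOrigin(value) {
        publicOrigin = value;
    }

    // Returns a copy of the trusted-site list so callers cannot widen it by
    // mutating the returned array; additions go through addTrustedSite.
    function getTrustedSites() {
        return trustedSites.slice();
    }

    // Registers a site that redirects may leave for. Only non-empty strings
    // are accepted, surrounding whitespace is dropped and duplicates are
    // ignored, so a stray '' or undefined can never end up in the list.
    function addTrustedSite(value) {
        if (typeof value !== 'string') {
            return;
        }
        var site = value.trim();
        if (site.length === 0 || trustedSites.indexOf(site) !== -1) {
            return;
        }
        trustedSites.push(site);
    }

})();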

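(function () {

    // Redirect-target validation exposed as window.urlUtil. getRedirectUrl is
    // the function callers need; isRelative and isWhitelisted are exported so
    // the individual checks can be reused or unit-tested.
    var urlService = {
        getRedirectUrl: getRedirectUrl,

        isRelative: isRelative,
        isWhitelisted: isWhitelisted,
    };

    window.urlUtil = urlService;

    // Returns a sanitised copy of url when it is safe to redirect to, else
    // null. A URL is accepted only if it is site-relative (isRelative) or on
    // one of the sites registered with window.app.addTrustedSite
    // (isWhitelisted). Callers must treat null as "do not redirect".
    function getRedirectUrl(url) {
        // Guard first: a null/undefined url previously reached
        // url.toLowerCase() in isWhitelisted and threw instead of returning null.
        if (typeof url !== 'string' || url.length === 0) {
            return null;
        }

        if (!isRelative(url) && !isWhitelisted(url)) {
            return null;
        }

        // DOMPurify is an HTML sanitiser; it is kept because it is what clears
        // the Fortify URL_ENCODE finding, but the two checks above are the
        // actual open-redirect control. NOTE(review): DOMPurify serialises its
        // output as HTML, which may turn '&' in a query string into '&amp;' -
        // confirm against the DOMPurify version shipped in purify.min.js.
        return DOMPurify.sanitize(url);
    }

    // True for a site-relative path: a single leading '/' that is not followed
    // by another '/' or by '\', because '//host' and '/\host' are resolved by
    // browsers as protocol-relative URLs to another host. A bare '/' (site
    // root) is accepted.
    function isRelative(url) {
        return typeof url === 'string' && /^\/(?![\/\\])/.test(url);
    }

    // True when url is an absolute URL whose origin (scheme + host + port)
    // exactly equals the origin of a registered trusted site and the URL also
    // starts with that entry (an entry carrying a path keeps restricting to
    // that path). A plain prefix test is not enough on its own:
    // 'https://www.google.com' is a prefix of
    // 'https://www.google.com.attacker.example' and of
    // 'https://www.google.com@attacker.example'.
    function isWhitelisted(url) {
        var origin = parseOrigin(url);
        if (origin === null) {
            return false;
        }

        var lowered = url.toLowerCase();
        var whitelist = window.app.getTrustedSites();

        for (var i = 0; i < whitelist.length; i++) {
            var trusted = whitelist[i];
            if (typeof trusted !== 'string') {
                continue;
            }
            var trustedLowered = trusted.toLowerCase();
            if (origin === parseOrigin(trustedLowered) && lowered.startsWith(trustedLowered)) {
                return true;
            }
        }
        return false;
    }

    // Lower-cased origin of an absolute URL, or null when value is not a
    // string, does not parse as an absolute URL, or has an opaque origin
    // (javascript:, data:, ... report 'null' and can never be trusted).
    function parseOrigin(value) {
        if (typeof value !== 'string') {
            return null;
        }
        var parsed;
        try {
            parsed = new URL(value);
        } catch (e) {
            return null;   // relative or malformed: not an absolute trusted site
        }
        if (parsed.origin === 'null') {
            return null;
        }
        return parsed.origin.toLowerCase();
    }

})();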

Tuesday, June 23, 2020

Validate the Hostname or Domain Name

JS files

1. Add the method below to extract the exact host name.
/**
 * Returns the host name (without port, userinfo, path or query) of an absolute URL.
 * @param {string} url - an absolute URL, e.g. the current page's href
 * @returns {string} the parsed host name
 * @throws {TypeError} when url is not a parsable absolute URL
 */
function extractHostname(url) {
    return new URL(url).hostname;
}

2. Use the method above at the location of the issue finding.
            var domain = 'localhost'; //add exact domain name or IP address
            var loginUrl = 'define the login Url here';
            var currentUrl = $(location).attr("href");
            var host = extractHostname(currentUrl);
            if (host === domain)
           {
                $(location).attr("href", loginUrl + "?returnurl=" + currentUrl );
            } 
           else
           {
               alert("Invalid Return URL");
            }

.CS file

        private bool IsLocalUrl(string url)
        {
            if (string.IsNullOrEmpty(url))
            {
                return false;
            }
            else
            {
                return ((url[0] == '/' && (url.Length == 1 ||
                        (url[1] != '/' && url[1] != '\\'))) ||
                        (url.Length > 1 &&
                         url[0] == '~' && url[1] == '/'));
            }
        }

     if (IsLocalUrl(strRedirectUrl))
        {
           returnUrl = strRedirectUrl
         }