• State Suggested Answer
  • Replies reply
    1
  • Answers answer
    1
  • Subscribers subscribers
    18
  • Views views
    678
  • Users 0 members are here
Related
Options

Sanitizing an object to satisfy Cross-site Scripting Content sniffing

Sergio Rodriguez

I have Fortify ssc scanning my java spring boot project. I have a simple controller that returns an object from the database. 

 @PostMapping("getMyItems")
  public Item getMyItems(@RequestBody int itemids, HttpServletRequest request)
  {
    return itemService.getMyItems(itemids, request);
  }
and Item is a class with 3 strings and an int as attributes. All 3 strings are being sanitized (html encoded) by an apache library. I've tried other libraries as well and fortify still 
considers this a vulnerability. Is this normal, or am I doing something wrong? 
Further information: 
The example above appears as a Medium criticality vulnerability. I had the same vulnerability appear on the Critical category except they were simple Strings being returned to the 
user. Once I sanitized those strings with the apache library, fortify would mark those vulnerabilities as resolved. So clearly this is the solution to XSS content sniffing, but for some reason
fortify does not recognize when an object is sanitized. Am I correct to assume this?  

  • Suggested Answer

    0

    If it were me I would use "Diagram" in the Auditworkbench.

    Follow the taint flow (if any) leading to the sink. The thing is IF the return if from a DB then Fortify will likely give is DATABASE and possible XSS if the return value flows into another sink. So if you are sure your DB access can never return some XSS type string (and realistically you cannot be?) then you could add a new custom rule where return value of getMyItems is considered VALIDATED_XSS and whatever other validity you need. Again, use AuditWorkbench to create the rule.

    Better to make a brief repro - test your sanitizer, then apply to the wider project. That way you also have either something you can ask here, or provide to MicroFocus for their support teams to look at.

Resources

Support
Documentation
Learning Services
CyberRes Academy
Partner Programs
Contact us
Compliance
Help
Company
Privacy Policy
Terms of Use
Accessibility
Anti-Slavery Statement
Support
Contact Us
Careers
Code of Conduct
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.