[ 
https://issues.apache.org/jira/browse/CB-11900?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

jcesarmobile closed CB-11900.
-----------------------------

InAppBrowser should only be used to display external sites, it shouldn't be 
relied on to submit forms to a server.
In any case, the data validation should be done on the server, not by Cordova.

InAppBrowser is not restricted by the whitelist and won't be (as stated in the 
documentation).

> Cordova security vulnerability: Insufficient input validations
> --------------------------------------------------------------
>
>                 Key: CB-11900
>                 URL: https://issues.apache.org/jira/browse/CB-11900
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: CordovaJS
>            Reporter: Ajay Gupta
>            Assignee: jcesarmobile
>
> In a recent veracode scan of the mobile application, we found a medium 
> vulnerability:
> Insufficient Input validation 
> Description:
> Weaknesses in this category are related to an absent or incorrect protection 
> mechanism that fails to properly validate input that can affect the control 
> flow or data flow to a program.
> Recommendations
> Validate input from untrusted sources before it is used. 
> Associated flaws by CWE ID: 
> URL redirection to untrusted site ('open redirect') (CWE ID 601)
> Description
> A web application accepts a user-controlled input that specifies a link to an 
> external site and uses that link to generate a redirect.  This enables 
> phishing attack.
> Recommendation is to always validate user-supplied input to ensure it 
> conforms to the expected format, using centralized data validation routines 
> when possible.   Check the supplied URL against a whitelist of approved URLs 
> or domains before redirecting.
> InAppBrowser.java: 447 and 449



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
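The scanner's recommendation quoted in the issue (check a supplied URL against a whitelist of approved domains before redirecting) is the kind of check an app can apply on its own side before handing a URL to InAppBrowser, since the plugin itself does not consult the Cordova whitelist. The following is an added example written for this page, not Cordova or InAppBrowser project code; the approved hosts, the `opener` callback and the `openExternal` helper are constructed assumptions, and the real launcher would be `cordova.InAppBrowser.open`.

```javascript
// Added example (not Cordova project code): allowlist a URL before opening it
// in InAppBrowser. APPROVED_HOSTS is a constructed, app-specific list.
const APPROVED_HOSTS = ['example.com', 'docs.example.com'];
const APPROVED_SCHEMES = ['https:'];

function isApprovedUrl(candidate) {
  let url;
  try {
    url = new URL(String(candidate)); // WHATWG URL parser, built into Node and browsers
  } catch (e) {
    return false; // unparsable input is rejected rather than opened
  }
  // Scheme check blocks javascript:, file:, http: and custom schemes.
  if (!APPROVED_SCHEMES.includes(url.protocol)) return false;
  // Userinfo is rejected so "https://example.com@evil.test/" is not mistaken
  // for example.com: the parser puts "example.com" in username, not hostname.
  if (url.username || url.password) return false;
  // Non-default ports are rejected; url.port is '' for the scheme default.
  if (url.port) return false;
  // Exact host comparison only; suffix matching would admit example.com.evil.test.
  const host = url.hostname.toLowerCase();
  return APPROVED_HOSTS.some((approved) => host === approved);
}

// opener is injected so the check can be exercised off-device; in the app it
// would be cordova.InAppBrowser.open (assumption about the calling code).
function openExternal(candidate, opener) {
  if (!isApprovedUrl(candidate)) {
    return { opened: false, reason: 'url not on allowlist' };
  }
  opener(String(candidate), '_blank', 'location=yes');
  return { opened: true };
}
```

The check deliberately fails closed: anything that does not parse, uses another scheme, carries userinfo, or names a host outside the exact allowlist is refused. This only guards the navigation decision on the device; as the closing comment says, validation of anything the page submits still belongs on the server.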
