Protect against XSS

Benjamin_Joyce 2017-02-01 23:35:25 UTC #1

Hi, I set off some Cross Site Scripting security issues at my company by using appium. Is there anything that can be done to prevent that? I'm not much of a security expert and the security team here said I'd have to take it up with the developers to get it resolved.

Telmo_Cardoso 2017-02-02 09:31:50 UTC #2

Can you elaborate on that...

Benjamin_Joyce 2017-02-02 19:51:13 UTC #3

They said "The remote host is running a web server that fails to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site."

"To verify this vulnerability, it is often required to do a raw HTTP(s) request. Using curl/wget or your browser you probably won't be able to reproduce the vulnerability due to automatic encoding of those tools. A raw request can be issued using either nc (netcat) or openssl."

Benjamin_Joyce 2017-04-21 00:53:39 UTC #4

A solution given by someone at my company was "Can we convince appium to open the server port just for localhost (so it's not visible outside). This would solve the problem." Is there a way to do that or make it optional?

Benjamin_Joyce 2017-05-17 18:29:43 UTC #5

Any update on this issue?

Benjamin_Joyce 2017-06-01 18:06:04 UTC #6

I think I resolved this issue by setting --address to 127.0.0.1 so this can be closed. I don't see a close option for this thread?