Description

Technical information is obtained from the application due to the use of the alert() function (javascript) whose output will always be displayed on the client side. In development environment it is acceptable to use this function to see errors, but using it in production environment is the same as exposing yourself to show sensitive information of the application.

Impact

Open the browser console and send real and fake requests to the application, waiting for it to display console information.

Recommendation

Completely remove the console.log(), alert() function from all javascript files in production environments.

Threat

Anonymous user from the Internet.

Expected Remediation Time

⌚ 15 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the src.

Base

• Attack vector: N
• Attack complexity: H
• Privileges required: L
• User interaction: N
• Scope: U
• Confidentiality: L
• Integrity: N
• Availability: N

Temporal

• Exploit code maturity: P
• Remediation level: O
• Report confidence: X

Result

• Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:X
• Score:
• Base: 3.1
• Temporal: 2.8
• Severity:
• Base: Low
• Temporal: Low

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: H
• Attack Requirements: N
• Privileges required: L
• User interaction: N
• Confidentiality (VC): L
• Integrity (VI): N
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: P

Result 4.0

• Vector string: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
• Score:
• CVSS-BT: 1.3
• Severity:
• CVSS-BT: Low

Compliant code

All debugging functions in the code are replaced with proper functionality to handle exceptions and errors

                app.post('/editProfile', isLoggedIn, function(req, res, next){
  User.update({ _id: req.user.id}, req.body, function(err, user){
    const isDataValid = validateData(req.body.data)
    if isDataValid{
      user.email = req.body.data.emailEdit;
      user.first_name = req.body.data.first_nameEdit;
      user.last_name = req.body.data.last_nameEdit;
      user.username = req.body.data.usernameEdit;
      res.redirect('/profile/');
    }else{
      //Code to handle the wrong data without exposing the system
    }
  }
});

            

Non compliant code

The application includes common debugging functions in the production code

                app.post('/editProfile', isLoggedIn, function(req, res, next){
  User.update({ _id: req.user.id}, req.body, function(err, user){
    const isDataValid = validateData(req.body.data)
    if isDataValid{
      user.email = req.body.data.emailEdit;
      user.first_name = req.body.data.first_nameEdit;
      user.last_name = req.body.data.last_nameEdit;
      user.username = req.body.data.usernameEdit;
      res.redirect('/profile/');
    }else{
      //Insecure function used
      alert("Data is not valid");
    }
  }
});

            

Requirements

• 077.Avoid disclosing technical information
• 176.Restrict system objects

Fixes

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.