Skip to main content

Technical information leak - Alert

Description

Technical information is obtained from the application due to the use of the alert() function (javascript) whose output will always be displayed on the client side. In development environment it is acceptable to use this function to see errors, but using it in production environment is the same as exposing yourself to show sensitive information of the application.

Impact

Open the browser console and send real and fake requests to the application, waiting for it to display console information.

Recommendation

Completely remove the console.log(), alert() function from all javascript files in production environments.

Threat

Anonymous user from the Internet.

Expected Remediation Time

⌚ 15 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: H
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code madurity: P
  • Remediation level: O
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:X
  • Score:
    • Base: 3.1
    • Temporal: 2.8
  • Severity:
    • Base: Low
    • Temporal: Low

Code Examples

Compliant code

All debugging functions in the code are replaced with proper functionality to handle exceptions and errors

app.post('/editProfile', isLoggedIn, function(req, res, next){
User.update({ _id: req.user.id}, req.body, function(err, user){
const isDataValid = validateData(req.body.data)
if isDataValid{
user.email = req.body.data.emailEdit;
user.first_name = req.body.data.first_nameEdit;
user.last_name = req.body.data.last_nameEdit;
user.username = req.body.data.usernameEdit;
res.redirect('/profile/');
}else{
//Code to handle the wrong data without exposing the system
}
}
});

Non compliant code

The application includes common debugging functions in the production code

app.post('/editProfile', isLoggedIn, function(req, res, next){
User.update({ _id: req.user.id}, req.body, function(err, user){
const isDataValid = validateData(req.body.data)
if isDataValid{
user.email = req.body.data.emailEdit;
user.first_name = req.body.data.first_nameEdit;
user.last_name = req.body.data.last_nameEdit;
user.username = req.body.data.usernameEdit;
res.redirect('/profile/');
}else{
//Insecure function used
alert("Data is not valid");
}
}
});

Requirements