Issue Type: Feature Request
Affects Versions: 1.0.0.CR1
Assignee: Bruno Oliveira
Components: controller , security
Created: 12/Dec/12 6:18 AM
Description:

Currently our demos allow code injection (XSS) by malicious web users; we need to sanitize the data to avoid this.

Examples:

curl -d "car.brand&car.color=javascript:alert('Geez')" http://controller-aerogear.rhcloud.com/aerogear-controller-demo/cars

curl -d "car.brand&car.color=%22'%3CaXliE%3E" http://controller-aerogear.rhcloud.com/aerogear-controller-demo/cars

curl -d "car.color&car.brand=%22'%3CaXliE%3E" http://controller-aerogear.rhcloud.com/aerogear-controller-demo/cars

The worst scenario:

  • Login

curl -d "aeroGearUser.password=prompt('Please enter your password','Geez')&aeroGearUser.id=%22'%3CaXliE%3E" http://controller-aerogear.rhcloud.com/aerogear-controller-demo/login

curl -d "aeroGearUser.password=Abc123&aeroGearUser.id=%22'%3CaXliE%3E" http://controller-aerogear.rhcloud.com/aerogear-controller-demo/login

We can do the same on registration and OTP login

  • Registration

curl -d "aeroGearUser.password=Abc123&aeroGearUser.id=%22'%3CaXliE%3E" http://controller-aerogear.rhcloud.com/aerogear-controller-demo/register

  • OTP Login

curl -d "aeroGearUser.otp=%22'%3CaXliE%3E" http://controller-aerogear.rhcloud.com/aerogear-controller-demo/otp
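
The following is an added example, not AeroGear code, illustrating the fix this issue asks for: the form bodies sent by the curl commands above are decoded and the echoed field values are HTML-encoded at output time, so a value such as the "<aXliE>" probe is rendered as text rather than as markup. The field names and sample bodies are taken from the issue; the rendering template (a simple list of name/value rows) and the function names are assumptions.

```python
"""Added example (not AeroGear's code): decode a form body like the curl -d
payloads in this issue and render the echoed fields with HTML output encoding.
Field names and sample bodies come from the issue; the template is assumed."""
import html
from typing import Dict
from urllib.parse import parse_qs

# Constructed sample bodies, copied from the curl commands in the issue
# (%22 and %3C/%3E are the URL-encoded forms of '"', '<' and '>').
SAMPLE_BODIES = [
    "car.brand&car.color=javascript:alert('Geez')",
    "car.brand&car.color=%22'%3CaXliE%3E",
    "aeroGearUser.otp=%22'%3CaXliE%3E",
]


def parse_form_body(body: str) -> Dict[str, str]:
    """Decode an application/x-www-form-urlencoded body into a flat dict.

    keep_blank_values=True retains fields sent without a value (e.g. the bare
    'car.brand'), mirroring how the demo reaches rendering with a partly
    filled bean. Only the first value of a repeated field is kept.
    """
    parsed = parse_qs(body, keep_blank_values=True)
    return {name: values[0] for name, values in parsed.items()}


def render_unsafe(fields: Dict[str, str]) -> str:
    """The vulnerable pattern: values are concatenated straight into HTML."""
    rows = "".join(f"<li>{name}: {value}</li>" for name, value in fields.items())
    return f"<ul>{rows}</ul>"


def render_escaped(fields: Dict[str, str]) -> str:
    """Hardened pattern: every untrusted name and value is HTML-encoded when it
    is written into the page. quote=True also encodes ' and ", so the same
    encoding is safe inside a quoted attribute value."""
    rows = "".join(
        f"<li>{html.escape(name, quote=True)}: {html.escape(value, quote=True)}</li>"
        for name, value in fields.items()
    )
    return f"<ul>{rows}</ul>"


def contains_markup(rendered: str, tag: str = "<aXliE>") -> bool:
    """True if the probe tag survived into the output as real markup."""
    return tag in rendered


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        fields = parse_form_body(body)
        print("body   :", body)
        print("unsafe :", render_unsafe(fields), "| markup:", contains_markup(render_unsafe(fields)))
        print("escaped:", render_escaped(fields), "| markup:", contains_markup(render_escaped(fields)))
```

Output encoding of this kind neutralises the values in element content and in quoted attributes, which is where the demo pages echo the bean fields. A value that is placed into a URL-bearing attribute (for example an href built from a submitted field) additionally needs its scheme validated, because encoding alone does not stop a "javascript:" URL from being followed.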

Fix Versions: 1.0.0.CR1
Project: AeroGear
Priority: Major
Reporter: Bruno Oliveira
Security Level: Public (Everyone can see)
This message is automatically generated by JIRA.