Rules Repository / RSPEC-2819

Origins should be verified during cross-origin communications


    Details

    • Type: Vulnerability Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Verify the message's origin in this cross-origin communication.
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way, Sonar way recommended
    • Covered Languages:
      JavaScript
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      10min
    • CWE:
      CWE-345
    • OWASP:
      A3

      Description

      Browsers allow message exchanges between Window objects of different origins.
      Because any window can send messages to, and receive messages from, any other window, it is important to verify the identity of the receiver and of the sender:

      • When sending a message with the postMessage method, the receiver's identity should be specified explicitly as the target origin (the wildcard "*" should not be used).
      • When receiving a message through the message event, the sender's identity should be verified using the origin property and, where possible, the source property.

      Noncompliant Code Example

      When sending message:

      var iframe = document.getElementById("testiframe");
      iframe.contentWindow.postMessage("secret", "*"); // Noncompliant: * is used
      

      When receiving message:

      window.addEventListener("message", function(event) { // Noncompliant: no checks are done on the origin property.
        console.log(event.data);
      });


      Compliant Solution

      When sending message:

      var iframe = document.getElementById("testsecureiframe");
      iframe.contentWindow.postMessage("hello", "https://secure.example.com"); // Compliant
      

      When receiving message:

      window.addEventListener("message", function(event) {
        if (event.origin !== "http://example.org") // Compliant
          return;

        console.log(event.data);
      });

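      As an added example that is not part of the rule's own code samples, the receiving side can combine the origin check with a source check and an allowlist, and the sending side can refuse a wildcard target. The origins, the iframe id and the payload shape are assumptions made for this example.

```javascript
// Added example (not from the rule page). Allowlisted origins are constructed values.
const ALLOWED_ORIGINS = new Set(["https://secure.example.com", "https://app.example.org"]);

// Returns null when the event may be processed, otherwise the reason it must be ignored.
function rejectionReason(event, allowedOrigins, expectedSource) {
  if (!allowedOrigins.has(event.origin)) return "origin not allowlisted";
  // Also check the source: another window on an allowlisted origin is not the expected peer.
  if (expectedSource && event.source !== expectedSource) return "unexpected source window";
  if (typeof event.data !== "object" || event.data === null) return "unexpected payload shape";
  return null;
}

// Builds a message handler; it returns the rejection reason (null when accepted) so it can be tested.
function makeMessageHandler(allowedOrigins, expectedSource, onAccepted) {
  return function (event) {
    const reason = rejectionReason(event, allowedOrigins, expectedSource);
    if (reason !== null) return reason; // ignore silently; never reply to an untrusted sender
    onAccepted(event.data);
    return null;
  };
}

// Sender side: the target origin must be explicit, never the wildcard.
function sendTo(targetWindow, message, targetOrigin) {
  if (targetOrigin === "*") throw new Error("refusing to postMessage with wildcard target origin");
  targetWindow.postMessage(message, targetOrigin);
}

// Browser wiring, guarded so the module also loads outside a browser (e.g. under a test runner).
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const iframe = document.getElementById("testsecureiframe"); // assumed iframe id
  const handler = makeMessageHandler(ALLOWED_ORIGINS, iframe && iframe.contentWindow,
                                     (data) => console.log("accepted", data));
  window.addEventListener("message", handler);
  if (iframe) sendTo(iframe.contentWindow, { type: "hello" }, "https://secure.example.com");
}
```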

      See

            Reporter:
            ann.campbell.2 Ann Campbell