[WT-10522] [Security] [ZAP-Active Scan Alert] Cross Site Scripting attack reflected on Forgot Password Page. - Workterra Jira

Details

Type: Bug
Status: Open
Priority: High
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: None
Component/s: None
Labels:
None

Environment:

Stage
Bug Type:
Functional
Bug Severity:
Medium
Level:

Admin, Candidate, Employee, Partner
Module:
Platform - Security
Reported by:
Harbinger
Item State:
Development - On Hold
Issue Importance:
Must Have

Description

[Security] [ZAP-Active Scan Alert] Cross Site Scripting attack reflected on Forgot Password Page.

This alert is reflected for following URL and
URL : https://stage.workterra.net/Platform/Login/ForgotPassword
Method: POST
Parameter : SecretQuestionSecond
Attack : " onMouseOver="alert(1);
Evidence : " onMouseOver="alert(1);

URL : https://stage.workterra.net/Platform/Login/ForgotPassword
Method : POST
Parameter : SecretQuestion
Attack : " onMouseOver="alert(1);
Evidence : " onMouseOver="alert(1);

Testing is done on stage however issue might be present on production too.
Please refer attached HTML report - point no 1 for more details.

CC : Rakesh Roy Hrishikesh Deshpande Sachin Hingole Samir Vijayendra Shinde Vijay Siddha Bharti Satpute Gaurav Sodani Nidhi Kaul

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

Employee_ActiveScan_Stage_9Aug2017.html
24 kB
09/Aug/17 11:10 AM

Issue Links

relates to

NF-2714 Vulnerability Assessment and Penetration Testing for Workterra on Azure US environment.

To Do

Activity

Ascending order - Click to sort in descending order

Prasad Pise (Inactive) created issue - 09/Aug/17 11:14 AM

Prasad Pise (Inactive) made changes - 09/Aug/17 11:21 AM

Field	Original Value	New Value
Link		This issue relates to NF-2714 [ NF-2714 ]

Satya made changes - 07/Sep/17 12:09 PM

Assignee

Satya [ ID10004 ]

Jaideep Vinchurkar [ jaideep.vinchurkar ]

Jaideep Vinchurkar (Inactive) made changes - 08/Sep/17 11:55 AM

Assignee

Jaideep Vinchurkar [ jaideep.vinchurkar ]

Aditya Vishwakarma [ aditya.vishwakarma ]

Gaurav Sodani (Inactive) made changes - 08/Sep/17 06:51 PM

Sprint

WT Sprint 37 - Bugs [ 87 ]

Jaideep Vinchurkar (Inactive) made changes - 13/Sep/17 12:30 PM

Dev Due Date

20/Sep/2017

Jaideep Vinchurkar (Inactive) made changes - 22/Sep/17 09:31 AM

Item State

Parent values: Development(10200)Level 1 values: On Hold(10207)

Jaideep Vinchurkar (Inactive) made changes - 22/Sep/17 09:32 AM

Dev Due Date

20/Sep/2017

Gaurav Sodani (Inactive) made changes - 25/Sep/17 06:33 AM

Sprint

WT Sprint 37 - Bugs [ 87 ]

Satya made changes - 04/Nov/17 06:31 AM

Environment_New

Stage [ 18443 ]

Aditya Vishwakarma (Inactive) made changes - 22/Dec/17 12:18 PM

Assignee

Aditya Vishwakarma [ aditya.vishwakarma ]

Santosh Balid [ santosh.balid ]

Hide

Permalink

Santosh Balid (Inactive) added a comment - 16/Jan/18 01:21 PM

Please plan it in future sprints.

Cc : Satya, Jaideep Vinchurkar, Bharti Satpute

Show

Santosh Balid (Inactive) added a comment - 16/Jan/18 01:21 PM Please plan it in future sprints. Cc : Satya , Jaideep Vinchurkar , Bharti Satpute

Santosh Balid (Inactive) made changes - 16/Jan/18 01:21 PM

Assignee

Santosh Balid [ santosh.balid ]

Gaurav Sodani [ gaurav.sodani ]

Vijayendra Shinde (Inactive) made changes - 04/Apr/18 05:24 AM

Assignee

Gaurav Sodani [ gaurav.sodani ]

Vijayendra Shinde [ ID10506 ]

Vijayendra Shinde (Inactive) made changes - 15/Dec/20 02:53 AM

Link

This issue relates to DEV-13718 [ DEV-13718 ]

People

Assignee:: Vijayendra Shinde (Inactive)

Reporter:: Prasad Pise (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 09/Aug/17 11:14 AM

Updated:: 15/Dec/20 02:53 AM

Time Tracking

Estimated:

Remaining:

Logged:

Not Specified