
rcowsill (Contributor) commented Aug 5, 2020

The A9 - Insecure Components example requires [email protected]; that's the newest version affected by the XSS described in the tutorial. After A9 was implemented the package.json got updated to use [email protected], and that stopped the example exploit from working.

This changes the package.json to specify [email protected] so the tutorial example works as expected.

Fixes #199

The "A9 Insecure Components" example requires [email protected]; that's the newest version affected by the XSS described in the tutorial
@lirantal lirantal self-assigned this Aug 5, 2020
@lirantal lirantal self-requested a review August 5, 2020 21:27
@lirantal lirantal assigned rcowsill and unassigned lirantal Aug 5, 2020
lirantal (Collaborator) commented Aug 5, 2020

Good catch! 👏

lirantal (Collaborator) commented Aug 6, 2020

@UlisesGascon do you know anything about flakiness of tests?
The signup tests fail here on this PR and also on master on changes that are unrelated, it seems.

@lirantal lirantal requested a review from UlisesGascon August 6, 2020 08:22
UlisesGascon (Collaborator) left a review comment

LGTM! 👍

UlisesGascon (Collaborator) commented

Yeah @lirantal seems like there are some issues with the timeouts in the Cypress flow. I will re-run the test for now, but I will tweak the Cypress setup soon :)

lirantal (Collaborator) commented Aug 6, 2020

Cool, thanks!

rcowsill (Contributor, Author) commented Aug 6, 2020

Speaking of tests, I was considering adding one to verify that the A9 vulnerability is present.

It's basically the "Should memo be generated" (memos_spec.js) test, but using the XSS payload from the A9 tutorial. It checks that the expected link exists and has the correct text/href. I tried it locally and it passes on [email protected] and fails on [email protected]. Would you like that added to this pull request?
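
The check below is an added example, not the test proposed above nor any code from the project: it is the defensive counterpart of that test, a scheme check a regression test could run over the rendered memo HTML so it flags an unsafe link target (the symptom of the A9 issue) regardless of which renderer version is installed. The HTML samples, the function names and the `javascript:` link are constructed for illustration; the tutorial's actual payload is not reproduced.

```javascript
// Decode the numeric and named entities most often used to disguise a URL scheme.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&amp;/gi, "&")
    .replace(/&quot;/gi, '"');
}

// Normalise roughly the way a browser does before scheme dispatch: drop ASCII
// control characters and whitespace (even inside the scheme) and lower-case it.
function normaliseHref(href) {
  return decodeEntities(href).replace(/[\u0000-\u0020]/g, "").toLowerCase();
}

const SAFE_SCHEMES = ["http:", "https:", "mailto:"];

// A relative link (no scheme) is fine; anything with a scheme must be allow-listed.
function isSafeHref(href) {
  const h = normaliseHref(href);
  if (!/^[a-z][a-z0-9+.-]*:/.test(h)) return true;
  return SAFE_SCHEMES.some((s) => h.startsWith(s));
}

// Collect (text, href) pairs of anchors whose target fails the check. The regex
// is sufficient for the flat anchors a markdown renderer emits, not general HTML.
function findUnsafeAnchors(html) {
  const out = [];
  const re = /<a\b[^>]*\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))[^>]*>(.*?)<\/a>/gis;
  let m;
  while ((m = re.exec(html)) !== null) {
    const href = m[1] ?? m[2] ?? m[3];
    if (!isSafeHref(href)) out.push({ text: m[4], href });
  }
  return out;
}

// Constructed samples: output an unpatched renderer might emit vs. a sanitised one.
const RENDERED_VULNERABLE = '<p><a href="javascript:alert(1)">click</a></p>';
const RENDERED_SAFE = '<p><a href="https://example.com">click</a></p>';
```

In a Cypress spec the same function can be applied to the memo page's HTML, asserting an empty result once the renderer is upgraded and a non-empty one while the tutorial's vulnerable version is pinned.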

lirantal (Collaborator) commented Aug 8, 2020

@rcowsill Yeah, that would be a great idea. Let me merge this one PR so we don't hold up on it, and you can send a new one with the test.

@lirantal lirantal merged commit b2afffd into OWASP:feature/187 Aug 8, 2020
rcowsill (Contributor, Author) commented Aug 8, 2020

Great! I'll look into adding the test sometime this weekend.
