18F / analytics.usa.gov

The US federal government's web traffic.

Home Page: https://analytics.usa.gov

DAP: DOM-based vulnerability in DAP code (reported by NMB) research

MaroyaF opened this issue · comments

The DAP JavaScript code (from Cardinal Path) is causing government websites that include it to get flagged by vulnerability scanners. The issue that's flagged is for an open redirect vulnerability, described here: https://cwe.mitre.org/data/definitions/601.html

Look into the vulnerability and see if there's a way to resolve it or provide documentation about it being a false positive to the agency that flagged the issue.

Update: The source of the issue is that the DAP JavaScript references location.href multiple times throughout the code, which includes the current page URL and also the query parameters from the URL. (DAP does this in order to record the URL and parameters for analytics data). DAP then sends this URL with querystring to Google Analytics in a network request.

Example URL:
https://gsa.gov?url=http://badguy-site.com

The querystring ?url=http://badguy-site.com is included in the location.href (even though this value means nothing to the site in the example).

The vulnerability is that if a malicious person provided a link to the example URL above, then a user who sees a trusted gsa.gov domain may click it. Upon loading the example gsa.gov page, JavaScript on the site which references the querystring and then uses it in a network request, may possibly redirect the user's browser to the malicious URL provided in the querystring.

Since DAP JavaScript references location.href, which includes the querystring, it is being flagged as possibly vulnerable to this exploit. However, since the DAP JavaScript does not perform any redirects, this is a false positive. A scanner is noting that the full page URL with querystring for the site is being sent in a network request (to Google Analytics) and flagging it as a possible redirect.

The vulnerability, in general, is unlikely to be exploited because it requires specific redirection logic to be included in the site's JavaScript. This low likelihood of exploit is noted in the CWE.

In order to stop the scanner from flagging the vulnerability, the DAP code could remove references to location.href and instead use location.hostname and location.pathname, which give the page URL without the querystring. However, doing so would also remove querystring information that is important to record (like search terms) from DAP analytics data for all sites in the DAP program.
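The distinction the issue draws, between a real DOM-based open redirect and code that merely reads location.href into a request, is easiest to see side by side. The block below is an added example written for this page; it is not the DAP script, not Cardinal Path's code, and not the issue author's. It stands in for the browser's `location` object with URL strings parsed by the standard `URL` class so it runs under Node.js, and the sample URLs (the issue's gsa.gov example plus a constructed search URL) are inputs made up for the demonstration. The `pageUrl`/`hostname`/`path` payload fields are illustrative rather than DAP's or Google Analytics' wire format, and the final allowlist function is an assumption of this example, one option beyond the hostname+pathname approach the issue floats, not something DAP proposes.

```javascript
// Added example (not DAP or issue-author code): a genuine CWE-601 sink versus the
// DAP-style read of location.href, the hardened form of the sink, and two ways
// of reporting the page URL to analytics. URL strings replace `location` so the
// file runs under Node.js; `new URL(...)` normalises "https://gsa.gov?..." to
// "https://gsa.gov/?...".

// Constructed samples: the issue's attacker link, and a search page whose
// querystring carries a term worth keeping for analytics.
const EXAMPLE_URL = "https://gsa.gov?url=http://badguy-site.com";
const SEARCH_URL = "https://www.gsa.gov/search?q=federal+leases&url=http://badguy-site.com";

// 1. The vulnerable pattern CWE-601 describes: the `url` parameter flows,
//    unvalidated, into a navigation sink (in a browser, `location.href = target`).
//    Returns the target the browser would be sent to, or null if none is given.
function vulnerableRedirectTarget(href) {
  return new URL(href).searchParams.get("url"); // attacker-controlled, used as-is
}

// 2. The DAP-style pattern: the full page URL, querystring included, is read and
//    placed in a request payload for the analytics endpoint. The tainted value
//    only ever becomes data in a body; no navigation sink is involved, which is
//    why the scanner finding is a false positive. Field names are illustrative.
function analyticsPayload(href) {
  const page = new URL(href);
  return { pageUrl: page.href, hostname: page.hostname, path: page.pathname };
}

// 3. What a real fix for pattern 1 looks like: resolve the parameter against the
//    page and only honour targets that stay on the page's own origin. This also
//    rejects protocol-relative ("//evil") and "javascript:" targets, whose origin
//    is foreign or "null". Returns a same-origin path, or `fallback`.
function safeRedirectTarget(href, fallback = "/") {
  const page = new URL(href);
  const raw = page.searchParams.get("url");
  if (raw === null) return fallback;
  let target;
  try {
    target = new URL(raw, page.origin);
  } catch {
    return fallback; // unparseable value
  }
  if (target.origin !== page.origin) return fallback;
  return target.pathname + target.search + target.hash;
}

// 4. The mitigation floated in the issue: report hostname + pathname only, so no
//    querystring ever flows into the request. The cost shows on SEARCH_URL: the
//    search term in `q` disappears from the analytics record.
function pageUrlWithoutQuery(href) {
  const page = new URL(href);
  return page.hostname + page.pathname;
}

// 5. Assumed alternative (not from the issue or DAP): keep only an allowlisted set
//    of analytics-relevant parameters and drop the rest, `url` included, so the
//    search term survives while attacker-shaped parameters never reach the payload.
function pageUrlKeepingParams(href, keep) {
  const page = new URL(href);
  const kept = new URLSearchParams();
  for (const [name, value] of page.searchParams) {
    if (keep.includes(name)) kept.append(name, value);
  }
  const qs = kept.toString();
  return page.origin + page.pathname + (qs ? "?" + qs : "");
}

console.log("real redirect target :", vulnerableRedirectTarget(EXAMPLE_URL));
console.log("DAP-style payload    :", analyticsPayload(EXAMPLE_URL));
console.log("hardened redirect    :", safeRedirectTarget(EXAMPLE_URL));
console.log("hostname+pathname    :", pageUrlWithoutQuery(SEARCH_URL));
console.log("allowlisted params   :", pageUrlKeepingParams(SEARCH_URL, ["q"]));
```

Reading the two first functions together is the point: both touch the same tainted value, but only `vulnerableRedirectTarget` returns something a browser would navigate to. A scanner that flags any flow from `location.href` into a network request cannot tell the two apart, which is what the agency's tool is doing; the `safeRedirectTarget` check is what it would take to close the finding if the site's own JavaScript really did redirect on `url`.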