Vulnerbilities found from VAPT scan

Question

Vulnerbilities found from VAPT scan

sandycja opened this issue 3 years ago · comments

Hi, I have one project webAR project with artoolkit library. Everything is working fine. But in this project, we need to submit our code to scan thru VAPT (Vulnerability Assessment and Penetration Testing). We completed the scan and found 2 "Improper Neutralization of Input During Web Page Generation ('Crosssite Scripting')" weakness.

We don’t think it’s a real vulnerability, more like a false positive but our security team requires us to get an explanation from the author of the library (ARtoolkit.js) to prove that the vulnerabilities are indeed a false positive.

Can anyone help me with this? I can send more details privately, if more information is needed.

Thorsten Bux · Answer 1 · Thu Jun 10 2021 12:44:16 GMT+0800 (China Standard Time)

I’m not quite sure what you are looking for. The artoolkit.js library is an Emscripten compilation of the artoolkit C++ code which you can find just next to the jsartoolkit5 repository.

sandycja · Answer 2 · Thu Jun 10 2021 16:49:35 GMT+0800 (China Standard Time)

Hi Thorsten, I am looking for the author of this library so that we can verify whether the vulnerabilities that was found in the VAPT scan is a real or false vulnerability. I’ve attached the scan report with some picture of the code inside this email. If you are the author or part of the development team, could you take a look and help me verify this? Thank you for replying. If you need any more details, please let me know. Hope to hear from you soon! Best Regards, Sandy

sandycja · Answer 3 · Thu Jun 10 2021 16:53:06 GMT+0800 (China Standard Time)

Uploading AR_VAPT.pdf…