Getting High Risk Alerts from OWASP ZAP Scan on Syncfusion Javascript files

Syncfusion EJ jQuery
ASP.NET MVC  
Version 15.4.0.20


We recently started running the OWASP ZAP scan on our websites and we had a HIGH RISK alert come back from the Syncfusion JavaScript includes:
jsrender.min.js
ej.web.all.min.js
ej.unobtrusive.min.js

High (Medium) Remote File Inclusion
Description

Remote File Include (RFI) is an attack technique used to exploit "dynamic file include" mechanisms in web applications. When web applications take user input (URL, parameter value, etc.) and pass them into file include commands, the web application might be tricked into including remote files with malicious code.

Almost all web application frameworks support file inclusion. File inclusion is mainly used for packaging common code into separate files that are later referenced by main application modules. When a web application references an include file, the code in this file may be executed implicitly or explicitly by calling specific procedures. If the choice of module to load is based on elements from the HTTP request, the web application might be vulnerable to RFI.

An attacker can use RFI for:

* Running malicious code on the server: any code in the included malicious files will be run by the server. If the file include is not executed using some wrapper, code in include files is executed in the context of the server user. This could lead to a complete system compromise.

* Running malicious code on clients: the attacker's malicious code can manipulate the content of the response sent to the client. The attacker can embed malicious code in the response that will be run by the client (for example, JavaScript to steal the client session cookies).

PHP is particularly vulnerable to RFI attacks due to the extensive use of "file includes" in PHP programming and due to default server configurations that increase susceptibility to an RFI attack.


We probably need to upgrade, but before we begin the arduous process we have to go through to upgrade Syncfusion, I was tasked to ask if you guys knew anything about this issue or if upgrading would even fix it for us?

I apologize, we are unfortunately a little new to these types of things.

4 Replies

SS Sharon Sanchez Selvaraj Syncfusion Team April 20, 2021 02:34 PM UTC

Hi Corey,

Greetings from Syncfusion Support.

We have checked your reported query. Currently we are validating the scenario you mentioned and will provide an update within four business days, by April 26th 2021.

We appreciate your patience.

Regards,

Sharon Sanchez S.



SS Sharon Sanchez Selvaraj Syncfusion Team April 26, 2021 10:38 AM UTC

Hi Corey,

Thanks for your patience.

We have scanned our MVC project, including the Syncfusion files, with OWASP ZAP, but are unable to reproduce the high risk alert you have mentioned. We have attached the reports of the application run in both the latest version and the version you specified (15.4.0.20). We get only a low risk alert at our end. Please check the attached reports and confirm to us whether you are facing any of these issues at your end.

Refer to the reports attached below.

If not, kindly provide us some additional information, such as video footage, security reports or steps to replicate the high risk security issues at our end, so that we can assist you promptly.

Please get back to us if you need further assistance.

Regards,

Sharon Sanchez S.



CT Corey Thompson April 26, 2021 03:51 PM UTC

I appreciate your due diligence on this. We are still doing some digging and we will get back to you if we simply cannot solve this.


KR Keerthana Rajendran Syncfusion Team April 27, 2021 05:05 AM UTC

Hi Corey,

Thanks for the update. Please get back to us if you need further assistance. We will wait to hear from you.

Regards,
Keerthana.

