Details
- Bug
- Status: Closed
- Major
- Resolution: Invalid
Description
In a recent Veracode scan of the mobile application, we found a medium vulnerability:
Insufficient input validation
Description:
Weaknesses in this category are related to an absent or incorrect protection mechanism that fails to properly validate input that can affect the control flow or data flow to a program.
Recommendations
Validate input from untrusted sources before it is used.
Associated flaws by CWE ID:
URL redirection to untrusted site ('open redirect') (CWE ID 601)
Description
A web application accepts a user-controlled input that specifies a link to an external site and uses that link to generate a redirect. This enables phishing attacks.
Recommendation is to always validate user-supplied input to ensure it conforms to the expected format, using centralized data validation routines when possible. Check the supplied URL against a whitelist of approved URLs or domains before redirecting.
InAppBrowser.java: 447 and 449
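The allowlist check recommended above, written out as an added example in Java; it is not code from the Cordova InAppBrowser plugin, and the allowed hosts are a constructed sample list. It uses java.net.URI so that the host is taken from the parsed authority rather than from a string prefix match.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/** Allowlist check for a user-supplied redirect target (added example, not the plugin's own code). */
public final class RedirectAllowlist {
    // Constructed sample allowlist; a real app would load this from its own configuration.
    private static final Set<String> ALLOWED_HOSTS = Set.of("example.com", "login.example.com");

    private RedirectAllowlist() {}

    /** Returns true only for an absolute https URL whose host is allowlisted or a subdomain of one. */
    public static boolean isAllowedRedirect(String url) {
        if (url == null) return false;
        URI uri;
        try {
            uri = new URI(url.trim());
        } catch (URISyntaxException e) {
            return false; // unparseable input is rejected rather than repaired
        }
        // Relative and scheme-relative ("//other.example/") URLs carry no scheme; accept https only.
        if (uri.getScheme() == null || !uri.getScheme().equalsIgnoreCase("https")) return false;
        // java.net.URI leaves host null for opaque or malformed authorities; treat that as a failure.
        String host = uri.getHost();
        if (host == null || host.isEmpty()) return false;
        // An authority with userinfo ("https://example.com@other.example/") is refused outright.
        if (uri.getRawUserInfo() != null) return false;
        host = host.toLowerCase(Locale.ROOT);
        if (host.endsWith(".")) host = host.substring(0, host.length() - 1); // trailing-dot FQDN form
        for (String allowed : ALLOWED_HOSTS) {
            // Match the whole label boundary so "example.com.other.example" is not accepted.
            if (host.equals(allowed) || host.endsWith("." + allowed)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        String[] samples = {                          // constructed inputs
            "https://example.com/return",             // true
            "https://app.example.com/cb",             // true (subdomain of an allowed host)
            "https://example.com.other.example/",     // false (allowed name used only as a prefix)
            "https://example.com@other.example/",     // false (userinfo present)
            "//other.example/",                       // false (no scheme)
            "http://example.com/",                    // false (not https)
        };
        for (String s : samples) System.out.println(isAllowedRedirect(s) + "  " + s);
    }
}
```

The check decides on the parsed host only; the path and query are left to the caller, so an allowlisted host that itself redirects freely would still need its own controls.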