Skip to content

Added feature 1#1

Open
scw-examples wants to merge 1 commit intomainfrom
feature-1
Open

Added feature 1#1
scw-examples wants to merge 1 commit intomainfrom
feature-1

Conversation

@scw-examples
Copy link
Owner

@scw-examples scw-examples commented Aug 17, 2022

No description provided.

github-advanced-security[bot]
github-advanced-security bot found potential problems Aug 17, 2022
View reviewed changes
app.js
app.get('/', (req, res) => res.send('Hello World!'))
app.get('/demo/:id', (req, res) => {
res.send(`Hello Guest`)
eval('console.log("something", ' + req.params.id + ')')

Check failure

Code scanning / CodeQL

Code injection

[User-provided value](1) flows to here and is interpreted as code.
Copy link

@secure-code-warrior-for-github secure-code-warrior-for-github bot Aug 17, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Micro-Learning Topic: Code injection (Detected by phrase)

Matched on "Code injection"

What is this? (2min video)

Code injection happens when an application insecurely accepts input that is subsequently used in a dynamic code evaluation call. If insufficient validation or sanitisation is performed on the input, specially crafted inputs may be able to alter the syntax of the evaluated code and thus alter execution. In a worst case scenario, an attacker could run arbitrary code in the server context and thus perform almost any action on the application server.

Try this challenge in Secure Code Warrior

app.js
app.get('/demo/:id', (req, res) => {
res.send(`Hello Guest`)
eval('console.log("something", ' + req.params.id + ')')
res.send(`Hello ${req.params.id}`)

Check warning

Code scanning / CodeQL

Reflected cross-site scripting

Cross-site scripting vulnerability due to [user-provided value](1).
Copy link

@secure-code-warrior-for-github secure-code-warrior-for-github bot Aug 17, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Micro-Learning Topic: Reflected cross-site scripting (Detected by phrase)

Matched on "Reflected cross-site scripting"

What is this? (2min video)

Reflected cross-site scripting vulnerabilities occur when unescaped input is displayed in the resulting page displayed to the user. When HTML or script is included in the input, it will be processed by a user's browser as HTML or script and can alter the appearance of the page or execute malicious scripts in their user context.

Try this challenge in Secure Code Warrior

Micro-Learning Topic: Cross-site scripting (Detected by phrase)

Matched on "cross-site scripting"

What is this? (2min video)

Cross-site scripting vulnerabilities occur when unescaped input is rendered into a page displayed to the user. When HTML or script is included in the input, it will be processed by a user's browser as HTML or script and can alter the appearance of the page or execute malicious scripts in their user context.

Try this challenge in Secure Code Warrior

Repository owner deleted a comment from secure-code-warrior-for-github bot Aug 17, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@secure-code-warrior-for-github secure-code-warrior-for-github[bot] secure-code-warrior-for-github[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@scw-examples