Did anyone worked on CWE 601 veracode flaws - veracode

Did anyone in this community worked on veracode flaws CWE 601 for
1. Insufficient input Validation.
2. URL redirecting to untrusted site.
I tried Google but I didn't get any proper solution to my question. Can anyone of you provide me the basic idea for the above two questions.

I have worked on CWE 601 issues where we were assigning URLs to variables and Veracode was detecting the same as a flaw.
I used encodeURI() method to wrap the parameters that were being passed and as this method encodes all the parameters, it diminishes the risk of phishing. Thus Veracode doesn't detect it as a flaw.
This will work for JavaScript files.

Related

SagePay Server Integration

I'm integrating SagePay Server and am stuck at step 4 here: https://developer-eu.elavon.com/docs/opayo-server/taking-payments
I get this error: Server error 5006: Unable to redirect to Vendor's web site. The Vendor failed to provide a RedirectionURL.
I know there are quite a lot of suggestions for this error out there. That it basically means there is something wrong with your code on the Notification URL.
I know it is completing the previous steps fine (I get the correct response parameters), I have made sure Opayo's IPs are allowed, the MD5 signatures match.
I think the problem is how I am "Responding to the Notification Post".
I am doing a standard WebRequest to send our RedirectUrl to SagePay - but the link here - SagePay RedirectURL failure - suggests it doesn't need that. Rather I should just "write to the simple Response object." The trouble is, I don't know what they mean by that.
Any help / experience with this, much appreciated.
Jon
I hope this answer isn't too late to be useful to you.
You're suffering from the main issue I've always had with Opayo (formerly SagePay) - namely that their integration guides for developers are terrible.
As the Opayo Server integration method is identical to the old SagePay version, I found it helpful to follow the much more in-depth instructions from before they rebranded. You can find those instructions here:
https://www.opayo.co.uk/file/12246/download-document/SERVER_Integration_and_Protocol_Guidelines_010814.pdf
In answer to your specific question, you can refer to page 68 of the above PDF guide. RE: You acknowledge receipt of the Notification POST, quote, "This is the plain text response part of the POST originated by the Server in the step above. Encoding must be as Name=Value fields separated by carriage-return linefeeds (CRLF)."
Literally, your script just has to print or echo something along the lines of:
Status=OK\r\n
StatusDetail=Hashes match - proceeding\r\n
RedirectURL=https://www.yoursite.com/endpointpage/
Or the equivalent for errors, aborts, etc.
Bear in mind that any output not formatted like the above will break the foldback process, so you must supress any errors or warnings your script might generate (ideally capturing them in a log or some other way).
Opayo give you basically no help in bugfixing, so if you continue to encounter errors you pretty much have to work in the dark.

To fix this issue, replace the usage of navigator.userAgent, navigator.appVersion, and navigator.platform with feature detection,

Anyone encountered this issue before? Any suggestion on how to deal with this? I am currently working on REDUX.
A page or script is accessing at least one of navigator.userAgent, navigator.appVersion, and navigator.platform. Starting in Chrome 101, the amount of information available in the User Agent string will be reduced.
To fix this issue, replace the usage of navigator.userAgent, navigator.appVersion, and navigator.platform with feature detection, progressive enhancement, or migrate to navigator.userAgentData.
Note that for performance reasons, only the first access to one of the properties is shown.
1 source
content.js:1
This has been resolved. I was able to find where my issue was. Was missing the logout function to pass on another function.

How to debug 3DSecureStatus

I am busy with implementing payments using Sage Pay direct protocol 3.0
(4,0 unavailable yet as I understand)
I register transaction using vspdirect-register.vsp
I redirect user to ACSURL with MD, PAReq and TermUrl using POST
I catch user on TermUrl and check transaction status using direct3dcallback.vsp with MD and PARes
BUT on this stage I always get:
STATUS: 'OK'
AVSCV2: 'ALL MATCH',
StatusDetail: '0000 : The Authorisation was Successful.',
AddressResult: 'MATCHED',
PostCodeResult: 'MATCHED',
CV2Result: 'MATCHED',
'3DSecureStatus': 'ERROR'
Using MySagePay tools I get an explanation like :
3D secure status The authentication callback message was MALFORMED. No 3D-Authentication occurred! ERROR
Attempt 1
ECI result Unknown result type
How can I debug this error?
Is it normal that I get status OK even when 3DSecureStatus : ERROR ?
Q1: Why are you getting a 3-D Secure error?
The MALFORMED status points towards SagePay not being able to read your request .. (e.g it's syntactically or structurally invalid etc).
Given the lack of code in the OP, rather than try and guess what you're doing wrong, I'll instead show what we do (which works - we've implemented both v3.00 & 4.00).
We perform an HTTP POST with the following parameters to https://live.sagepay.com/gateway/service/direct3dcallback.vsp (or https://test.sagepay.com/gateway/service/direct3dcallback.vsp in the case of testing):
For direct protocol v3.00
VPSProtocol: "3.00"
MD: MD posted to TermURL (e.g 20156570522002324295)
PARes: "PARes posted to TermURL"
For direct protocol v4.00
VPSProtocol: "4.00"
VPSTxId: VPSTxId from the initial payment response (Note that curly brackets {} need to be removed!!!)
CRes: "CRes that was posted to the ThreeDSNotificationURL"
Q2: Why do you get an OK status when 3-D Secure failed?
I believe this is probably due to your merchant ruleset. You can state what you want to happen with the transaction if 3-D Secure is unavailable or fails.
So, check your ruleset. I believe that we force our consumers through 3-D Secure as our chargeback percentages were quite high otherwise.
Footnote
I would also concur that since you are doing this work, it would probably be more beneficial to implement version 4.00, since that means the majority of your customers should have a better experience, and you'll have a better conversion rate too. Win win.
HTH.
Protocal 4.0 is available on the SagePay test server and you can start working on that already. It needs to be implemented by the 14th of September 2019 and the last info I've got from SagePay support staff is that the protocal 4.0 will be on the live server by the 14th of September 2019.
To your probelm: I call the ACSURL with the added query string for MD, PaReq, TermUrl which works ok.
I see that you posted PAReq. Please note that I use PaReq. A small a instead of a capital A. See page 16 of the Documentation. DIRECT_Integration_and_Protocol_4_Guidelines.pdf
Maybe you could post the complete URL you post to SagePay.
Hope this helps.
Thanks guys!
Sage support have helped me to find issue.
The point was - route 'ThreeDSNotificationURL' make changes in 'CRes' as we have configured some security behaviors, and when we check this key on Sage side - we got an error. so some extra security behaviors for this route have solve the issue.
Thanks guys!

Error: 5080 : Form transaction registration failed - tried previous answers

I have searched the answers to similar questions asked about this SagePay error, and checked that the fixes don't appear to apply to my problem.
Specifically:
I am using a correct 2-letter country code for BillingCountry and DeliveryCountry.
I am POSTing VPSProtocol, TxType and Vendor as well as the Crypt value.
I have re-checked that I am using the correct encryption key from the MySagePay test portal.
Now I was using http://localhost:8084/app/success and http://localhost:8084/app/failure for my success and failure URLs, since I thought that although these are (obviously) not visible externally, it shouldn't matter since SagePay is re-directing at the end of its part of the transaction. (Is this assumption correct, or do these URLs need to be externally accessible?) Some of the answers have thrown doubt on this, so I changed them to an external website I own, and I still get the same error.
Another line of thought is that the client I am developing for has already gone live, and there seem to be hints that once you have gone live, you no longer have access to the test server (Is this true?)
Is there anything else I should be checking? (Additional info: I'm using the SagePay api (sagepay-api-1.2.2.0.jar and related libraries) to validate the form contents and encrypt them.
I used the integration from https://github.com/tolzhabayev/sagepayForm-php
I had this error (5080) and spoke to SagePay support and they guided me to the MySagePay portal where you can view Invalid transactions to be able to troubleshoot this error easily!
Hope this helps someone.
Chris Rickards
I had exact same problem and I tried everything that you described as well, one day after I found that the problem was in "VendorEMail" field, it had 2 email addresses separated by ;, once I removed second and left only one email everything worked.

Facebook Application - Url-rewriting with fbml?

I have an app that I'm creating with CakePHP, which rewrites the url from something illegible to most users to something a little easier to comprehend. I'm having a problem when I use the FBML canvas.
When I try to access, say, http://apps.facebook.com/myapp/articles, I get the following error:
Received HTTP error code 404 while
loading
http://www.myapp.com/myapparticles/
I did notice that when I try to access http://apps.facebook.com/myapp/articles/posts, it changes the error to show the following url, which is slightly different: http://www.myapp.com/myapparticles/posts
Which lead me to try accessing it with this: http://apps.facebook.com/myapp//articles, which does work most of the time, though for some reason sometimes it will give the previous error. (And it also seems like a hack-y way of getting it to work).
I'm at a loss for how to fix this.
Turns out I was missing the trailing slash (http://www.myapp.com/myapp/) on the url that I specified as my canvas callback, which is in the app settings. Putting it there fixes the problem.
This happens when you are not using semantic markup or you have an error or some code not supported by fb. Also that famous error is generated by fb when it is down or slow too.
I would suggest you checking your code thoroughly and going through fb documentation. That should help you the most. thanks

Resources