From 787b359281871cfd09c30b0a780467a6802ab76c Mon Sep 17 00:00:00 2001 From: "Russell J.T. Dyer" <6652767+russelljtdyer@users.noreply.github.com> Date: Mon, 30 Sep 2024 13:33:46 +0200 Subject: [PATCH] Vulnerabilities Document - PR 3740 (#3747) --- .../advanced-topics/vulnerabilities.adoc | 36 +++++++++---------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/articles/flow/security/advanced-topics/vulnerabilities.adoc b/articles/flow/security/advanced-topics/vulnerabilities.adoc index 8ef93c0a97..2a3eba3008 100644 --- a/articles/flow/security/advanced-topics/vulnerabilities.adoc +++ b/articles/flow/security/advanced-topics/vulnerabilities.adoc @@ -1,6 +1,6 @@ --- title: Common Vulnerabilities -description: Descriptions of common vulnerabilities (e.g., SQL injections, cross-site request forgeries, cross-site scripting). +description: Descriptions of common vulnerabilities such as SQL injections, cross-site request forgeries, cross-site scripting. order: 30 --- @@ -10,11 +10,11 @@ order: 30 // tag::sql-injections[] == SQL Injections -Since Vaadin is a backend-agnostic UI framework, it doesn't interact directly with backend access. Instead, choosing a backend framework (e.g., Spring Data) is left to the developer. This page describes common vulnerabilities such as SQL injections, Cross-Site Request Forgeries (CSRF), and Cross-Site Scripting (XSS). +Since Vaadin has a backend-agnostic UI framework, it doesn't interact directly with backend access. Instead, choosing a backend framework (e.g., Spring Data) is left to the developer. This page describes common vulnerabilities such as SQL injections, Cross-Site Request Forgeries (CSRF), and Cross-Site Scripting (XSS). -Vaadin doesn't provide mitigation for SQL injections. This is left to the backend provider and developer. However, following the data validation and escaping guidelines (see the <> section), as well as standard secure database access practices, SQL injections can be completely blocked in Vaadin applications. +Vaadin doesn't provide mitigation for SQL injections. This is done by the backend provider and developer. However, following the data validation and escaping guidelines (see the <> section), as well as standard secure database access practices, SQL injections can be blocked fully in Vaadin applications. -Most providers have their own methods of dealing with injections. You should follow those guidelines. However, if you use pure JDBC, you have to deal with injection risks yourself. Here's an example with JDBC, demonstrating an SQL injection mitigation using the value from a `TextField` in a prepared statement: +Most providers have their own methods of dealing with injections. You should follow those guidelines. However, if you use pure JDBC, you'll have to address injection risks yourself. Here's an example with JDBC, demonstrating an SQL injection mitigation using the value from a `TextField` in a prepared statement: // end::sql-injections[] [source,java] @@ -50,11 +50,11 @@ new TextField("Set new username:", valueChangeEvent -> { All requests between the client and the server are included with a user-session-specific CSRF token. All communication between them is handled by Vaadin, so you don't have to include and verify CSRF tokens, manually. -Vaadin follows the "Synchronizer Token Pattern". See link:https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern[this article] for more design insights. +Vaadin follows the "Synchronizer Token Pattern". See the link:https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern[Site Request Forgery Prevention article] for more design insights. UIDL requests are protected by `Vaadin-Security-Key` CSRF token. WebSocket requests are protected with `Vaadin-Push-ID` CSRF token. -This key is generated by Vaadin per UI instance -- Vaadin 10 is an exception: the key is generated per session. It's sent to the browser as a part of UIDL JSON string included in the bootstrap response (i.e., initial HTML page) from the server. The key is sent by the server to the client only once per opened browser tab, and not repeated in each response. When the page is refreshed or the user opens a new tab, another key is generated by Vaadin and sent to the browser. +This key is generated by Vaadin per UI instance -- version 10 is an exception in that the key is generated per session. It's sent to the browser as a part of UIDL JSON string included in the bootstrap response (i.e., initial HTML page) from the server. The key is sent by the server to the client only one time per opened browser tab, and not repeated in each response. When the page is refreshed or the user opens a new tab, another key is generated by Vaadin and sent to the browser. Here's an example of sending CSRF tokens to the client, with other data omitted: @@ -102,7 +102,7 @@ The CSRF token is passed inside the JSON message in the request body. Here's an } ---- -`Vaadin-Push-ID` is generated by Vaadin per user session. `Vaadin-Push-ID` is used to check whether a given push ID in the WebSocket request matches the user's session push ID. If this ID is missing, the request is ignored and the WebSocket connection is closed. +`Vaadin-Push-ID` is generated by Vaadin per user session. `Vaadin-Push-ID` is used to check whether a given push ID in the WebSocket request matches the user's session push ID. If this ID is missing, though, the request is ignored and the WebSocket connection is closed. In Vaadin services requests, the CSRF token is passed in the `X-CSRF-Token` HTTP header like so: @@ -121,7 +121,7 @@ The CSRF token mechanism can be overridden on the server. You might do this, for Vaadin has built-in protection against cross-site scripting (XSS) attacks. Vaadin uses browser APIs that make the browser render content as text instead of HTML (e.g., using `innerText` instead of `innerHTML`). This negates the chance of inserting, for example, `