Protect against XSS

Hi, I set off some Cross-Site Scripting security issues at my company by using Appium. Is there anything that can be done to prevent that? I’m not much of a security expert and the security team here said I’d have to take it up with the developers to get it resolved.

Can you elaborate on that…

They said “The remote host is running a web server that fails to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user’s browser within the security context of the affected site.”

“To verify this vulnerability, it is often required to do a raw HTTP(s) request. Using curl/wget or your browser you probably won’t be able to reproduce the vulnerability due to automatic encoding of those tools. A raw request can be issued using either nc (netcat) or openssl.”

A solution given by someone at my company was “Can we convince Appium to open the server port just for localhost (so it’s not visible outside)? This would solve the problem.” Is there a way to do that or make it optional?

Any update on this issue?

I think I resolved this issue by setting --address to 127.0.0.1 so this can be closed. I don’t see a close option for this thread?