Last Updated: Mar 27, 2024

Frequently Reported Issues


📌Introduction

Vaadin Flow is a server-side framework that keeps all application state, the business model and the UI logic on the server. A Flow application never exposes its internals to the browser, where an attacker could exploit security flaws, so the development model is inherently secure. Although the framework is relatively safe, users still run into issues from time to time.

We will be discussing the frequently reported issues here.

📌Frequently reported issues in vaadin

Vaadin users regularly run security scanners against the framework and report whatever they find. Most of the findings from these scans are false positives. Let us first understand what a false positive is.


A false positive is a case where a test reports a positive result when the correct result is negative; in the context of a security scan, it is a reported vulnerability that does not actually exist. It is also known as a "false positive error."

False positive issues are reported regularly. Let us look at a list of the most commonly reported ones.

Content-Security-Policy (CSP) Set to Unsafe Values

When a Vaadin application starts, during the bootstrap phase, the CSP directives script-src 'unsafe-inline' 'unsafe-eval' and style-src 'unsafe-inline' are necessary.


The bootstrap procedure that launches the application loads the widget set, which is the application's client-side engine. The widget set consists of precompiled JavaScript functionality, such as the communication protocol, DOM handling, buttons, layouts and so on, but does not include the application code. The widget set is loaded once, and after loading it the client-side engine must be started with JavaScript's eval().

As a result, these directives are architectural requirements in Vaadin: they are what allow the framework to launch its client-side engine in the browser.

 

How’s it reported: Missing or insecure “Content-Security-Policy” header.

v-curdate and v-wn Reported as CSRF Tokens


Scanning tools may report these values as CSRF tokens (CSRF tokens are unique values generated by a server-side application and sent back by the client in a subsequent HTTP request), but v-curdate and v-wn are not CSRF tokens, nor are they handled in a way that would let an attacker compromise the application state. Vaadin implements its own CSRF mechanism, so anyone who sees this finding should know it is a false positive.

Cross-Site Request Forgery (CSRF) when Fetching Static Resources

Several tools flag a CSRF vulnerability when Vaadin fetches static resources. The resources Vaadin retrieves cannot alter the application's state, yet a scanner may still report "Cross-Site Request Forgery when fetching resources".


Requests for the following resources are safe without a CSRF token, so a finding on any of them is a false positive:

  • widget set files (such as AppWidgetset.nocache.js)
  • vaadinBootstrap.js
  • vaadin-bundle-(hash).cache.js
  • vaadin-flow-bundle-(hash).cache.html
  • client-(hash).cache.js
  • frontend-es[56]/bower_components/webcomponentsjs/*
  • VAADIN/build/webcomponentsjs/*

Authentication Bypass when Fetching Static Resources

This finding appears when a tool fetches a static resource and expects it to require authentication. Some tools report the retrieval of static resources, in particular the client-engine JavaScript files, as an issue.


These files must not be protected by authentication, because the application needs them to start before the user has logged in.

 

How’s it reported: Authentication Bypass Using HTTP Verb Tampering
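As an added example that is not part of the original post or of Vaadin's own code, the following Java helper encodes the static-resource list above, which both the CSRF and the authentication-bypass findings refer to, so that scanner results on those paths can be triaged as false positives. The path patterns, the assumption that "(hash)" is a hex string and the sample findings are all constructed for this example.

```java
import java.util.List;
import java.util.regex.Pattern;

// Added example, not Vaadin's own code: marks scanner findings on Vaadin's
// static bootstrap/client-engine resources as false positives, since these
// files need neither a CSRF token nor authentication to be fetched.
public class VaadinStaticResourceTriage {
    // Patterns built from the resource list above; "(hash)" is assumed to be
    // a hex string. Only the URL path is matched.
    private static final List<Pattern> SAFE_STATIC = List.of(
        Pattern.compile("(^|/)[^/]+\\.nocache\\.js$"),              // widget set files
        Pattern.compile("(^|/)vaadinBootstrap\\.js$"),
        Pattern.compile("(^|/)vaadin-bundle-[0-9a-f]+\\.cache\\.js$"),
        Pattern.compile("(^|/)vaadin-flow-bundle-[0-9a-f]+\\.cache\\.html$", Pattern.CASE_INSENSITIVE),
        Pattern.compile("(^|/)client-[0-9a-f]+\\.cache\\.js$"),
        Pattern.compile("(^|/)frontend-es[56]/bower_components/webcomponentsjs/.+"),
        Pattern.compile("(^|/)VAADIN/build/webcomponentsjs/.+"));

    // True if a CSRF or authentication-bypass finding on this URL is a false positive.
    public static boolean isSafeStaticResource(String url) {
        // Drop the query string and fragment; keep only the path.
        String path = url.split("[?#]", 2)[0];
        // Never auto-dismiss paths that try to escape the resource directory.
        if (path.contains("..")) {
            return false;
        }
        for (Pattern p : SAFE_STATIC) {
            if (p.matcher(path).find()) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample findings in the form "<check>: <url>".
        List<String> findings = List.of(
            "CSRF: /app/vaadinBootstrap.js?ts=1",
            "CSRF: /VAADIN/widgetsets/AppWidgetset/AppWidgetset.nocache.js",
            "Auth bypass: /VAADIN/build/vaadin-bundle-1a2b3c.cache.js",
            "Auth bypass: /VAADIN/build/webcomponentsjs/webcomponents-loader.js",
            "CSRF: /app/");   // the application URL itself: not static, review manually
        for (String f : findings) {
            String url = f.substring(f.indexOf(':') + 2);
            System.out.println((isSafeStaticResource(url) ? "FALSE POSITIVE  " : "REVIEW          ") + f);
        }
    }
}
```

Anything not on the list (the application URL itself, for example) is left for manual review rather than dismissed.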

Temporary File Download


The browser has to download vaadinBootstrap.js to start the application, and several tools flag this download as a problem. It is a static resource required to run the application, so when this finding appears it is a requirement, not an issue.

Oracle Log File Information Disclosure

Tools that check for Oracle log file information disclosure look only at the response status, not at the content of the response.


Vaadin may answer such a request with status 200, but it never delivers server log files to the client. Because the status alone can be 200, the tool reports this issue, which is again a false positive.

Content Type Incorrectly Stated

This occurs when Vaadin transmits user events to the server and receives JSON data back: although the response body looks like JavaScript, its content type is text/plain. Tools flag this because, in the past, JavaScript responses served with the wrong content type were mishandled, resulting in wrong instructions on the client side.


There is no security concern, since the data received from the server is never handled as a script on the client; whenever this finding appears, it is a false positive.

Open Redirection – DOM-Based

This finding appears because vaadinBootstrap.js initiates a new HTTP request to fetch the application's initial state. Vaadin responds to the initial request for an application URL with the bootstrap file, which then loads the theme, the widget set and the application state.


An attacker cannot change the application state through this request, so it is never an issue.

Enabling X-Frame-Options

The X-Frame-Options header lets a web page or application tell browsers that it must not be rendered inside a frame (within another page). This prevents the site from being hidden behind a malicious page where an attacker could intercept user activity (clickjacking).


Because many applications must run inside frames, Vaadin does not set the X-Frame-Options HTTP header automatically. Developers can set the header through server configuration or the Java Servlet API.
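As an added example that is not Vaadin's own code, the following servlet filter shows one way to set the X-Frame-Options header that Vaadin leaves unset, together with a Content-Security-Policy that keeps exactly the directives the bootstrap section above says are required and restricts everything else to the application's own origin. It assumes the javax.servlet API and that the application loads no resources from other origins; adjust the directives if yours does.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

// Added example, not Vaadin's own code: a servlet filter that adds the
// X-Frame-Options header Vaadin leaves unset, plus a CSP that keeps the
// directives the bootstrap needs and limits all other sources to the
// application's own origin. Assumes the javax.servlet API; on Jakarta EE 9+
// containers replace "javax.servlet" with "jakarta.servlet".
@WebFilter(urlPatterns = "/*")
public class SecurityHeadersFilter implements Filter {
    // script-src needs 'unsafe-inline' and 'unsafe-eval', and style-src needs
    // 'unsafe-inline', for the client-side engine to start. frame-ancestors is
    // the CSP counterpart of X-Frame-Options and must agree with it.
    static final String CSP =
        "default-src 'self'; "
        + "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
        + "style-src 'self' 'unsafe-inline'; "
        + "frame-ancestors 'self'";

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) res;
            // SAMEORIGIN allows framing only by pages from the same origin;
            // use DENY (and frame-ancestors 'none') if the app is never framed.
            http.setHeader("X-Frame-Options", "SAMEORIGIN");
            http.setHeader("Content-Security-Policy", CSP);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
    }
}
```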

Frequently Asked Questions

Do false positive issues need to be fixed?

False positive issues are not real issues, so they do not need to be fixed, but you can still resolve the finding if you want the scanner to stop reporting it.

What do you understand by CSRF tokens?

A CSRF token is a secret, unique and unpredictable value generated by a server-side application to protect CSRF-sensitive resources. The server generates the token, and the client submits it in a subsequent HTTP request.

Does Vaadin have its CSRF scheme?

Yes, Vaadin has its own CSRF scheme. Vaadin handles all communication between the server and the client, and a CSRF token unique to the user session is included in every request between the client and the server.

Is the X-Frame-Options by default enabled in vaadin?

No, X-Frame-Options is not enabled by default in Vaadin, but developers can configure the header themselves.

Conclusion

Vaadin is a web application development platform for Java. Sometimes a scanner reports an error that is not actually an error; these are called false positive issues. In this blog, we looked at the frequently reported issues in Vaadin and at what false positive issues are.