Netsparker Finding CWE-550
Closed this issue · 1 comment
peterrowland commented
Netsparker Enterprise identified an internal server error.
The server responded with an HTTP status 500, indicating there is a server-side error. Reasons may vary, and the behavior should be analyzed carefully. If Netsparker Enterprise is able to find a security issue in the same resource, it will report this as a separate vulnerability.
https://all-sorns.app.cloud.gov/search?ending_year=&page=436&search=http%3a%2f%2fr87.com%2fn%3f%00.php&starting_year=
peterrowland commented
Probably where we need to start:
https://github.com/18F/all_sorns/blob/main/app/controllers/search_controller.rb
Might want a decorator on any input parameter. Might want to broaden it to sanitize any search parameter.
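The reported URL carries `%00` in the `search` parameter, which Rack percent-decodes into an actual NUL byte before the controller sees it, so the comment's suggestion amounts to normalizing every search parameter before it reaches a query. The Ruby below is an added example, not code from the all_sorns repository: the parameter names (`search`, `starting_year`, `ending_year`, `page`) come from the URL in the report, while the module and method names, the year and page ranges, and the length cap are assumptions. It uses only the standard library so it runs outside Rails.

```ruby
require "uri"

# Added example; not the all_sorns controller or any code from that project.
# Parameter names are taken from the URL in the Netsparker report; everything
# else here (module name, ranges, length cap) is an assumption.
module SearchParamSanitizer
  MAX_SEARCH_LENGTH = 200

  # NUL and the other C0/C1 control characters. Tab, LF and CR are left in
  # so they can be collapsed to a single space below.
  CONTROL_CHARS = /[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F-\u009F]/

  module_function

  # Free-text search term: force a valid UTF-8 string (dropping bytes that are
  # not valid UTF-8), remove control characters including the NUL from the
  # report, collapse whitespace and cap the length. Empty results become nil.
  def clean_text(value)
    return nil if value.nil?
    str = value.to_s.dup.force_encoding(Encoding::UTF_8).scrub("")
    str = str.gsub(CONTROL_CHARS, "")
    str = str.gsub(/\s+/, " ").strip
    str = str[0, MAX_SEARCH_LENGTH]
    str.empty? ? nil : str
  end

  # Numeric parameter: accept only a run of ASCII digits inside [min, max];
  # anything else (blank, "1 OR 1=1", out-of-range year) becomes nil so the
  # controller can fall back to a default instead of raising.
  def clean_integer(value, min:, max:)
    return nil if value.nil?
    str = value.to_s.strip
    return nil unless str.match?(/\A\d+\z/)
    n = str.to_i
    (min..max).cover?(n) ? n : nil
  end

  # Apply the right cleaner to each search parameter. Unknown keys are
  # ignored, which is the same allow-list effect as strong parameters.
  def clean_params(params)
    {
      search: clean_text(params["search"]),
      starting_year: clean_integer(params["starting_year"], min: 1900, max: 2100),
      ending_year: clean_integer(params["ending_year"], min: 1900, max: 2100),
      page: clean_integer(params["page"], min: 1, max: 10_000),
    }
  end

  # Parse a raw query string the way Rack does (percent-decoding, so "%00"
  # becomes a real NUL byte) and return the cleaned parameters.
  def clean_query(query_string)
    raw = URI.decode_www_form(query_string).to_h
    clean_params(raw)
  end
end

if $PROGRAM_NAME == __FILE__
  # Query string copied from the report above.
  q = "ending_year=&page=436&search=http%3a%2f%2fr87.com%2fn%3f%00.php&starting_year="
  p SearchParamSanitizer.clean_query(q)
end
```

In a Rails controller this would sit in a `before_action` that rewrites `params` (or in the decorator the comment mentions) before the search object is built. Stripping NUL makes this particular request degrade to an ordinary search instead of a 500, but it does not tell you why the 500 happened; the report does not say, so that still needs to be read out of the application logs. One common source in Rails apps backed by PostgreSQL is that Postgres rejects NUL bytes in text values and the resulting database error propagates as a 500, in which case rescuing that error with a 400 response is a sensible second line of defence behind the sanitizer.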