Code scan software and proxy generates possible security risks

08-28-2015 07:31 AM
TracySchloss
Frequent Contributor

We have a product called Veracode that is used to review our code for security leaks.  It isn't typically run against an HTML/JS, but for this project, it's written largely in .NET with just a section of HTML/JS for a map.

Because the project is hosted on an application server, we set up a standard proxy configuration file.   The software scan is generating several 'medium' level security risks, mostly related to cross site scripting, I think solely because we have this proxy configuration to reference the map services.

I think this is all fine, because the whole point of the proxy is to allow the application and AGS server to communicate properly, but that's not official enough to satisfy our customers.  "Because ESRI provides this as a sample" apparently doesn't cut it.

I don't know exactly what I'm looking for here, but I need something maybe more technical that explains that what the proxy configuration is doing is limited in scope in what traffic is allowed and not a gaping hole into our network?

2 Replies
RobertWinterbottom
Occasional Contributor

I can take a shot at this, but someone with some more server-side experience may be able to give you a better answer since I spend the majority of my time on the front-end, and hopefully this is what you were asking for.

From what I understand, the proxy acts as a middleman that forwards requests on the requester's behalf and hands back the results.  This allows your application to make requests to other domains that it normally cannot make due to CORS (Cross-Origin Resource Sharing) issues.  Proxies can be dangerous if not configured properly, but the Esri proxies have two helpful ways to make them more secure.  First, you have to specify the URLs the proxy is allowed to make requests to; this way the proxy cannot make requests to just any URL, because it will throw an error saying that the URL is not allowed or not in the configured server URLs.  The next thing you can do is the allowedReferers option in the ProxyConfig tag.  This says who can use this proxy; leaving * there means anyone can use the proxy, and that can be dangerous, but if you specify the application's domain here then only that domain can make requests.

If you set both the allowedReferers and serverUrl configurations up, you can limit the scope of what the proxy can access and who can access it.

Hope this helps.
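To put the two controls Robert describes into something you can hand a customer, here is an added worked example. It is my code, not the Esri resource-proxy's own code and not from either poster: a small Python model of the two allow-lists in a proxy.config, run against a weak configuration (allowedReferers="*") and a hardened one side by side. The attribute names (allowedReferers, mustMatch, serverUrl, url, matchAll) are the ones in the Esri proxy.config as I understand them; the hostnames are made up, and the matching logic is a simplified model of the documented behaviour, deliberately stricter than plain prefix matching in that it requires a path boundary after a matched prefix.

```python
"""Simplified model of the two allow-lists in an Esri-style proxy.config.

Added example, not the Esri resource-proxy's own code. It mirrors the
documented meaning of allowedReferers / mustMatch / matchAll as I
understand them, so the effect of each setting can be shown offline.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed configs with made-up hostnames.  The weak one lets any web page
# on the internet use the proxy; the hardened one restricts both who may call
# it (Referer) and where it may forward to (serverUrls).
WEAK_CONFIG = """\
<ProxyConfig allowedReferers="*" mustMatch="true">
  <serverUrls>
    <serverUrl url="https://gis.example.org/arcgis/rest/services" matchAll="true"/>
  </serverUrls>
</ProxyConfig>
"""

HARDENED_CONFIG = """\
<ProxyConfig allowedReferers="https://app.example.org" mustMatch="true">
  <serverUrls>
    <serverUrl url="https://gis.example.org/arcgis/rest/services" matchAll="true"/>
    <serverUrl url="https://tiles.example.org/arcgis/rest/services/Basemap/MapServer" matchAll="false"/>
  </serverUrls>
</ProxyConfig>
"""


def load_config(xml_text):
    """Parse the ProxyConfig element into referer list, mustMatch flag, rules."""
    root = ET.fromstring(xml_text)
    referers = [r.strip().rstrip("/").lower()
                for r in root.get("allowedReferers", "*").split(",") if r.strip()]
    must_match = root.get("mustMatch", "true").lower() == "true"
    rules = [(s.get("url").rstrip("/").lower(),
              s.get("matchAll", "true").lower() == "true")
             for s in root.iter("serverUrl")]
    return {"referers": referers, "must_match": must_match, "rules": rules}


def referer_allowed(cfg, referer):
    """'*' admits every caller; otherwise the Referer must match an entry,
    either by origin (scheme://host) or as a URL prefix."""
    if "*" in cfg["referers"]:
        return True
    if not referer:
        return False
    ref = referer.rstrip("/").lower()
    parts = urlsplit(ref)
    origin = f"{parts.scheme}://{parts.netloc}"
    return any(allowed == origin or ref.startswith(allowed)
               for allowed in cfg["referers"])


def target_allowed(cfg, target):
    """matchAll=true: the target may be the entry or anything under it;
    matchAll=false: the target path must equal the entry exactly.
    Requiring '/' or '?' after a prefix stops 'services' from also
    admitting 'servicesX'."""
    t = target.lower()
    for url, match_all in cfg["rules"]:
        if match_all and (t == url or t.startswith(url + "/") or t.startswith(url + "?")):
            return True
        if not match_all and t.split("?", 1)[0].rstrip("/") == url:
            return True
    # Nothing matched: only a config with mustMatch="false" forwards anyway.
    return not cfg["must_match"]


def decide(cfg, referer, target):
    """Return 'allowed' or the reason the proxy would refuse to forward."""
    if not referer_allowed(cfg, referer):
        return "denied: referer not in allowedReferers"
    if not target_allowed(cfg, target):
        return "denied: target not in serverUrls"
    return "allowed"


if __name__ == "__main__":
    query = "https://gis.example.org/arcgis/rest/services/Parcels/MapServer/0/query?where=1%3D1"
    for name, cfg in (("weak", load_config(WEAK_CONFIG)), ("hardened", load_config(HARDENED_CONFIG))):
        print(name, "foreign page  ->", decide(cfg, "https://evil.example.net/page", query))
        print(name, "our app       ->", decide(cfg, "https://app.example.org/map.html", query))
        print(name, "internal host ->", decide(cfg, "https://app.example.org/map.html",
                                               "https://internal.example.org/admin"))
```

Two caveats worth stating when this goes to a customer. The serverUrls list is the technical statement of scope: a request whose target is not on it is refused before anything is forwarded, so the list should name only the map services the application actually needs, and nothing on an internal host you would not expose directly. The Referer header, on the other hand, is supplied by the client; browsers set it for pages on other sites, so allowedReferers stops other websites from using your proxy, but a scripted client can send any Referer it likes, so it is not a substitute for the target allow-list.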

TracySchloss
Frequent Contributor

I am also curious to know of other people's experiences with this type of code scan.   My problem is that the explanation of it isn't really enough to satisfy that its existence isn't a security risk.
