This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
2021-03-30
Channels
- # babashka (18)
- # beginners (90)
- # calva (33)
- # clara (6)
- # cljfx (11)
- # cljs-dev (22)
- # cljsrn (9)
- # clojure (71)
- # clojure-australia (2)
- # clojure-czech (15)
- # clojure-europe (27)
- # clojure-germany (9)
- # clojure-nl (4)
- # clojure-serbia (3)
- # clojure-uk (10)
- # clojurescript (17)
- # conjure (12)
- # data-oriented-programming (2)
- # deps-new (6)
- # fulcro (29)
- # graphql (10)
- # hugsql (6)
- # jobs (1)
- # lsp (59)
- # malli (8)
- # off-topic (76)
- # pathom (15)
- # polylith (130)
- # re-frame (9)
- # reagent (15)
- # releases (4)
- # rewrite-clj (6)
- # ring (6)
- # rum (9)
- # shadow-cljs (116)
- # specter (5)
- # testing (7)
- # tools-deps (24)
- # vim (6)
- # xtdb (17)
Q: I’ve been using ZAP to scan a Lacinia API for vulnerabilities. One that turned up is https://www.zaproxy.org/docs/alerts/40012/ which can be triggered by passing <script>alert(1);</script> in a query enum variable value
this doesn’t reach my resolvers because it doesn’t match the schema so the Lacinia parse rejects it but returns the value back to the client
hmm, an interceptor doesn’t see the :extensions data in the response. does anyone know how I can access/transform the :extensions / :errors data in a response?
scratch that, an interceptor can see the :errors in the JSON response body. I’d prefer to do this transformation earlier i.e. before it’s converted to JSON. looking into that next
Just out of interest, how would this attack work?
@UDF11HLKC I don’t know and, because I control the client, it’s very unlikely. That said: 1/ I don’t assume I know all the hacker tricks 2/ this is for a security audit so I want a clean scan to make that go smoothly