Vulnerability in Rasa

We are getting a cross-site scripting vulnerability on Rasa, which is running on servers on ports 5005 and 5055.

5005 - Rasa APIs, 5055 - Rasa action server.

We need to know what should be implemented to remove this vulnerability.


Hello, could you please provide us with some more information to help us understand the issue?

For example:

  • What makes you think there is a vulnerability? Is it being reported by a scanning tool?
  • What steps can we take to reproduce the issue and investigate it further?

Thanks!


Hi Jamie,

This is part of application security scanning in the organization. Someone has posted a solution here, but I can't figure out where exactly I have to make the changes in run.py in Rasa Core.

https://webcache.googleusercontent.com/search?q=cache:JFfMwsPxnqwJ:https://github.com/RasaHQ/rasa/issues/4729+&cd=1&hl=en&ct=clnk&gl=in

Please help out.

You should just be able to put the snippet anywhere in the file and the headers will start to be injected into responses.

# Sanic response middleware: runs after every handler and adds the header
# to the outgoing response. `app` is the Sanic application object in run.py.
@app.middleware('response')
async def prevent_xss(request, response):
    response.headers["x-xss-protection"] = "1; mode=block"

I appreciate that you may need to include this header to meet internal standards or compliance requirements, but the value of this is questionable at best. The header is deprecated in almost all major browsers now and the endpoints you’re adding it to shouldn’t be accessed through a browser anyway, so it provides no “real” protection. But if you need to do it - this is how!


Then how do we get rid of this vulnerability, which is coming up in the scanning tool?

I think your scanning tool is just reporting the absence of this header, as it has no way of knowing if the endpoint can actually be exploited by XSS or not. Adding the snippet should resolve the warning from your scanning tool.


Hi @piyush23, can you please share the Rasa version and the front-end information you are using for rendering on the website? Basically the brief steps!

Hi Jamie,

The vulnerability is not resolved by adding the code snippet to the run.py file in Core.

Hi Nik,

The Rasa version being used is 1.9.1.

@piyush23, can you share the error screenshot, and please upgrade your Rasa version to at least 2.8.1; some of the issues may resolve themselves with the upgrade. Good luck!

The vulnerability is not causing any error. The scanning tool flags this vulnerability on the ports where the action server (5005) and Rasa server (5055) are running on the host where Rasa is hosted. It came up in internal penetration testing done for the host machine, for a GET request.

PFB complete description:

Your Web server/application does not filter script embedding from links displayed on a server's Web site. A malicious user can exploit this vulnerability to cause JavaScript commands or embedded scripts to be executed by any user who clicks on the hyperlink. Upon clicking the hyperlink, your Web server will generate an error message including the specified or embedded script. The specified or embedded script is executed in the client's browser and treated as content originating from the target server returning the error message (even though the scripting may have originated from another site entirely). Note: each report line represents a unique cross-site scripting on that page. The detection verifies if the scanner-supplied data is returned in an unsanitized manner by the web application. Customers are advised to verify if there are other security measures in place to make sure that this does not lead to an exploitation condition.
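To make concrete what the scanner description above is actually checking, and why a header-only change may not change its result, here is an added example; it is not Rasa's code and was not posted by anyone in this thread. It models a toy server with a 404 handler that echoes the requested path into an HTML error page (the pattern the description calls out), the same handler hardened to return escaped JSON, a function that does what the Sanic middleware snippet earlier in the thread does (add the header to the response), and a check that does what the description says the scanner does: send a GET whose path contains a probe and see whether the probe comes back verbatim. The `/status` route, the messages and the probe string are constructed for illustration; none of it reflects Rasa's real routing.

```python
# Added example (not Rasa's code and not posted by anyone in this thread).
# Models the scanner check quoted above against a toy 404 handler.
# The "/status" route, messages and probe string are constructed.
from dataclasses import dataclass, field
from html import escape
from urllib.parse import quote, unquote, urlsplit
import json

# A typical harmless scanner probe; the scanner only looks for it being echoed.
PROBE = '<script>alert("xss")</script>'


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def _ok() -> Response:
    return Response(200, json.dumps({"ok": True}),
                    {"Content-Type": "application/json"})


def vulnerable_app(url: str) -> Response:
    """Unknown paths get an HTML error page with the raw (decoded) path in it."""
    path = unquote(urlsplit(url).path)      # servers decode %XX before routing
    if path == "/status":                   # hypothetical healthy route
        return _ok()
    body = ("<html><body><h1>404 Not Found</h1>"
            f"<p>Requested URL {path} not found</p></body></html>")
    return Response(404, body, {"Content-Type": "text/html"})


def hardened_app(url: str) -> Response:
    """Same routing; errors are JSON and any echoed input is HTML-escaped."""
    path = unquote(urlsplit(url).path)
    if path == "/status":
        return _ok()
    body = json.dumps({"error": "not found", "path": escape(path)})
    return Response(404, body, {"Content-Type": "application/json"})


def with_security_headers(resp: Response) -> Response:
    """Equivalent of the Sanic response middleware from the thread, plus nosniff."""
    resp.headers["X-XSS-Protection"] = "1; mode=block"
    resp.headers["X-Content-Type-Options"] = "nosniff"
    return resp


def reflected_xss_check(app, base_path: str = "/") -> dict:
    """Mimic the scanner: GET a path containing the probe, inspect the reply."""
    url = base_path.rstrip("/") + "/" + quote(PROBE, safe="")
    resp = app(url)
    ctype = resp.headers.get("Content-Type", "")
    return {
        "status": resp.status,
        # the finding in the description: supplied data returned unsanitised
        "reflected": PROBE in resp.body,
        # a browser would only execute it if the body is treated as HTML
        "rendered_as_html": ctype == "" or ctype.startswith("text/html"),
        "xss_header": resp.headers.get("X-XSS-Protection"),
    }


if __name__ == "__main__":
    for name, app in [
        ("vulnerable", vulnerable_app),
        ("vulnerable + header", lambda u: with_security_headers(vulnerable_app(u))),
        ("hardened", hardened_app),
    ]:
        print(f"{name:20s} {reflected_xss_check(app)}")
```

Run it and the three lines show the point: the vulnerable handler echoes the probe into a `text/html` body; adding `X-XSS-Protection` leaves that echo in place, so a check that looks for reflected input still fires; the hardened handler stops reflecting (escaped, JSON body, non-HTML content type), which is what makes the reflection check pass. Against a real server the same check is a `curl` of the port with the probe in the path and a look at the raw response body and `Content-Type`.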

Hello - I’d like to take a deeper look into this to clarify exactly what’s going on and determine what exactly your scanner is doing and what it’s looking for. Could you please email some more details about the scanner you’re using and the check that’s failing to security[@]rasa.com and we’ll take a more in-depth look.

Thanks!