This article provides details on NSX UI validation checks and associated testing.
Environment
VMware NSX
Resolution
Input validations include:
Range Check: Range checks do not apply to display names because those fields are not numeric. Where numerical input is accepted, such as user IDs and other number-related fields, range checks (minimum and maximum) are performed so that out-of-range values are rejected before they reach the API.
Validity Check: For display names, length validation is strictly enforced. The front-end UI validations mirror the backend API validations, so a value accepted by the UI is also accepted by the API and vice versa. Given the intended function of this field, no further validation checks are required.
Correctness: All characters, including multilingual characters, are allowed in display name fields to support a global user base. The inclusion of special characters has been assessed and does not introduce an inherent security vulnerability, because display names are encoded when rendered (see Input Encoding below) rather than interpreted as markup.
Exception Handling: If a display name fails length validation, the UI shows a clear error message that tells the user what to correct. This validation is synchronized with the API's exception handling, so the same error is reported whether the value is submitted through the UI or directly to the API.
Input Encoding: To prevent Cross-Site Scripting (XSS), the special characters <, >, &, ', and " are HTML-entity encoded when a display name is rendered into the page, so a name that contains markup is displayed literally rather than interpreted by the browser. The UI team ensures that the encoded output preserves the structure of the surrounding HTML, which is what protects against XSS.
Safelisting of Characters: Since the display name field allows the use of all characters, we do not enforce character safelisting. This may be added in a future release.
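The checks listed above (length validation for display names, minimum/maximum range checks for numeric fields, and HTML entity encoding of <, >, &, ' and " before a value is placed in the page), together with the XSS-style scenarios that testing feeds through the encoder, shown as an added JavaScript example. This is illustrative code written for this article, not NSX source: the 255-character limit, the field names, the wrapper markup and the payload strings are assumptions chosen for the example and are not taken from NSX.

```javascript
// Added example, not VMware NSX code. Front-end helpers that implement the
// checks described in this article: length validation for display names,
// min/max range checks for numeric fields, and HTML entity encoding of
// < > & ' " before a value is placed in the DOM.
const DISPLAY_NAME_MAX_LENGTH = 255; // assumed limit; NSX's real limit is not stated here

// Length check. Array.from counts Unicode code points rather than UTF-16 code
// units, so a multilingual name is measured the way a user would count it.
function validateDisplayName(name) {
  if (typeof name !== "string") {
    return { ok: false, error: "Display name must be a string." };
  }
  const length = Array.from(name).length;
  if (length === 0) {
    return { ok: false, error: "Display name is required." };
  }
  if (length > DISPLAY_NAME_MAX_LENGTH) {
    return {
      ok: false,
      error: `Display name must be at most ${DISPLAY_NAME_MAX_LENGTH} characters (got ${length}).`,
    };
  }
  // No character safelist: every character is accepted. Safety comes from
  // encoding the value on output, not from rejecting characters on input.
  return { ok: true, value: name };
}

// Range check for a numeric field (for example an ID): a whole number in [min, max].
// The regex rejects empty strings, decimals and hex/exponent forms that Number() would accept.
function validateRange(value, min, max, fieldName) {
  const text = String(value).trim();
  if (!/^-?\d+$/.test(text)) {
    return { ok: false, error: `${fieldName} must be a whole number.` };
  }
  const n = Number(text);
  if (!Number.isSafeInteger(n) || n < min || n > max) {
    return { ok: false, error: `${fieldName} must be between ${min} and ${max}.` };
  }
  return { ok: true, value: n };
}

// HTML entity encoding of the five characters that can change HTML structure
// or break out of an attribute value. This is what keeps markup inside a
// display name from being interpreted when the name is rendered.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function htmlEncode(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Validate, then encode, then build the fragment. Throwing on a validation
// failure stands in for the UI surfacing the error instead of rendering the value.
function renderDisplayName(name) {
  const result = validateDisplayName(name);
  if (!result.ok) {
    throw new Error(result.error);
  }
  return `<span class="display-name">${htmlEncode(result.value)}</span>`;
}

// Constructed XSS-style payloads (made up for this example, not from any real
// finding) of the kind a test run would submit as display names. Each rendered
// fragment is checked for any raw < > " ' or un-entity-encoded & that survived
// inside the wrapper markup.
const XSS_PROBES = [
  "<script>alert(1)</script>",
  '<img src=x onerror="alert(1)">',
  "\" onmouseover='alert(1)'",
  "Tom & Jerry's <b>team</b>",
];
function xssProbe() {
  const prefix = '<span class="display-name">';
  const suffix = "</span>";
  return XSS_PROBES.map((payload) => {
    const fragment = renderDisplayName(payload);
    const inner = fragment.slice(prefix.length, -suffix.length);
    const safe = !/[<>"']/.test(inner) && !/&(?!(amp|lt|gt|quot|#x27);)/.test(inner);
    return { payload, inner, safe };
  });
}
```

The range validator deliberately parses with a digits-only pattern rather than `Number()` alone, because `Number("")` is `0` and `Number("0x10")` is `16`, both of which would otherwise slip through as valid integers. The probe function is the shape of the check an XSS test would apply: it does not trust that encoding happened, it inspects the rendered output for anything the browser could still interpret.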
Security testing includes:
Static Application Security Testing (SAST): Automated scanning of the codebase for vulnerabilities such as XSS, SQL injection, and insecure configurations.
Dynamic Application Security Testing (DAST): Simulating attacks on a running instance of the application to identify runtime vulnerabilities.
Penetration Testing: Internal and external security experts regularly perform penetration tests to probe the system for weaknesses and confirm that the product's defences hold up against real-world attack techniques.
Vulnerability Scanning: Industry-standard tools such as Burp Suite are used to continuously scan the system for potential vulnerabilities.
Cross-Site Scripting (XSS) Protection: As noted above, encoding prevents XSS. Testing regularly simulates XSS scenarios, such as submitting display names that contain script or event-handler markup, to confirm that the rendered output remains encoded.
External Entity Attacks (XXE): The product's Tomcat version has been updated beyond 5.x, which the Broadcom security team has verified as mitigating the XXE risk. Note that XXE protection ultimately depends on the XML parsers in use being configured to reject DTDs and external entity resolution, which is what such verification should confirm.