0% found this document useful (0 votes)

59 views

CLS DeveloperWorkbook

Uploaded by

Irsyad Arifianto

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

59 views

CLS DeveloperWorkbook

Uploaded by

Irsyad Arifianto

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 128

HPE Security Fortify Audit Workbench

Developer Workbook
20181005_CLS
Table of Contents
Executive Summary
Project Description
Issue Breakdown by Fortify Categories
Results Outline

Oct 5, 2018, 5:40 PM 2

© Copyright 2016 Hewlett Packard Enterprise Development LP
Executive Summary
This workbook is intended to provide all necessary details and information for a developer to understand and
remediate the different issues discovered during the 20181005_CLS project audit. The information contained
in this workbook is targeted at project managers and developers.

This section provides an overview of the issues uncovered during analysis.

Project Name: 20181005_CLS Issues by Priority

Project Version:
SCA: Results Present 14 0
High Critical
WebInspect: Results Not Present
Impact
SecurityScope: Results Not Present
110 4
Other: Results Not Present Low Medium

Likelihood

Oct 5, 2018, 5:40 PM 3

© Copyright 2016 Hewlett Packard Enterprise Development LP
Project Description
This section provides an overview of the HPE Security Fortify scan engines used for this project, as well as
the project meta-information.

SCA

Date of Last Analysis: Oct 5, 2018, 5:38 PM Engine Version: 17.10.0156

Host Name: JKIFORTW001 Certification: NOT PRESENT
Number of Files: 1,122 Lines of Code: 155,997

Oct 5, 2018, 5:40 PM 4

© Copyright 2016 Hewlett Packard Enterprise Development LP
Issue Breakdown by Fortify Categories
The following table depicts a summary of all issues grouped vertically by Fortify Category. For each category,
the total number of issues is shown by Fortify Priority Order, including information about the number of
audited issues.
Category Fortify Priority (audited/total) Total
Critical High Medium Low Issues
ASP.NET Misconfiguration: Debug Information 0 0 0/3 0 0/3
Cross-Site Request Forgery 0 0 0 0 / 71 0 / 71
Dead Code: Unused Field 0 0 0 0/6 0/6
Dead Code: Unused Method 0 0 0 0/1 0/1
Denial of Service 0 0 0 0/1 0/1
HTML5: MIME Sniffing 0 0 0/1 0 0/1
Hidden Field 0 0 0 0/5 0/5
Insecure Randomness 0 0/1 0 0 0/1
JavaScript Hijacking 0 0 0 0/1 0/1
JavaScript Hijacking: Vulnerable Framework 0 0 0 0 / 19 0 / 19
Password Management: Password in Comment 0 0 0 0/2 0/2
Password Management: Password in Configuration File 0 0/4 0 0 0/4
Poor Error Handling: Empty Catch Block 0 0 0 0/4 0/4
Potentially Banned License: Creative Commons 0 0/1 0 0 0/1
Potentially Banned License: GPL 0 0/8 0 0 0/8

Oct 5, 2018, 5:40 PM 5

ASP.NET Misconfiguration: Debug Information (3 issues)

Abstract
Debugging messages help attackers learn about the system and plan a form of attack.

Explanation
ASP .NET applications can be configured to produce debug binaries. These binaries give detailed
debugging messages and should not be used in production environments. The debug attribute of the tag
defines whether compiled binaries should include debugging information.

The use of debug binaries causes an application to provide as much information about itself as possible to
the user. Debug binaries are meant to be used in a development or testing environment and can pose a
security risk if they are deployed to production. Attackers may leverage the additional information they gain
from debugging output to mount attacks targeted on the framework, database, or other resources used by
the application.

Recommendation
Always compile production binaries without debug enabled. This can be accomplished by setting the debug
attribute to false on the tag in your application's configuration file, as follows:

Setting the debug attribute to false is necessary for creating a secure application. However, it is
important that your application does not leak important system information in other ways. Ensure that your
code does not unnecessarily expose system information that could be useful to an attacker.

Issue Summary

Oct 5, 2018, 5:40 PM 6

© Copyright 2016 Hewlett Packard Enterprise Development LP
Engine Breakdown
SCA WebInspect SecurityScope Total
ASP.NET Misconfiguration: Debug Information 3 0 0 3
Total 3 0 0 3

ASP.NET Misconfiguration: Debug Information Medium

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Web.config, line 33
Medium
(ASP.NET Misconfiguration: Debug Information)
Issue Details
Kingdom: Environment
Scan Engine: SCA (Configuration)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Web.config:33
Taint Flags:
30 </system.Web>
31 -->
32 <system.web>
33 <compilation debug="true" targetFramework="4.6.1"/>
34 <httpCookies httpOnlyCookies="true"/>
35 <httpRuntime targetFramework="4.5" maxRequestLength="1073741824"/>
36 <httpModules>

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.bin

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/bin/CLS.dll.config, line
Medium
33 (ASP.NET Misconfiguration: Debug Information)
Issue Details
Kingdom: Environment
Scan Engine: SCA (Configuration)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/bin/CLS.dll.config:33
Taint Flags:
30 </system.Web>
31 -->
32 <system.web>
33 <compilation debug="true" targetFramework="4.6.1"/>
34 <httpCookies httpOnlyCookies="true"/>
35 <httpRuntime targetFramework="4.5" maxRequestLength="1073741824"/>
36 <httpModules>

Oct 5, 2018, 5:40 PM 7

© Copyright 2016 Hewlett Packard Enterprise Development LP
ASP.NET Misconfiguration: Debug Information Medium
Package: Code.Sampoerna.Credit Life.5th Scan.
20181005_CLS.CLS.obj.Release.TransformWebConfig.original
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/
TransformWebConfig/original/Web.config, line 33 (ASP.NET Misconfiguration: Medium
Debug Information)
Issue Details
Kingdom: Environment
Scan Engine: SCA (Configuration)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/TransformWebConfig/original/Web.config:33
Taint Flags:
30 </system.Web>
31 -->
32 <system.web>
33 <compilation debug="true" targetFramework="4.6.1"/>
34 <httpCookies httpOnlyCookies="true"/>
35 <httpRuntime targetFramework="4.5" maxRequestLength="1073741824"/>
36 <httpModules>

Oct 5, 2018, 5:40 PM 8

Abstract
HTTP requests must contain a user-specific secret in order to prevent an attacker from making
unauthorized requests.

Explanation
A cross-site request forgery (CSRF) vulnerability occurs when:
1. A web application uses session cookies.

2. The application acts on an HTTP request without verifying that the request was made with the user's
consent.

A nonce is a cryptographic random value that is sent with a message to prevent replay attacks. If the
request does not contain a nonce that proves its provenance, the code that handles the request is
vulnerable to a CSRF attack (unless it does not change the state of the application). This means a web
application that uses session cookies has to take special precautions in order to ensure that an attacker
can't trick users into submitting bogus requests. Imagine a web application that allows administrators to
create new accounts as follows:

var req = new XMLHttpRequest();

req.open("POST", "/new_user", true);
body = addToPost(body, new_username);
body = addToPost(body, new_passwd);
req.send(body);

An attacker might set up a malicious web site that contains the following code.

var req = new XMLHttpRequest();

req.open("POST", "http://www.example.com/new_user", true);
body = addToPost(body, "attacker");
body = addToPost(body, "haha");
req.send(body);

If an administrator for example.com visits the malicious page while she has an active session on the site,
she will unwittingly create an account for the attacker. This is a CSRF attack. It is possible because the
application does not have a way to determine the provenance of the request. Any request could be a
legitimate action chosen by the user or a faked action set up by an attacker. The attacker does not get to
see the Web page that the bogus request generates, so the attack technique is only useful for requests that
alter the state of the application.

Applications that pass the session identifier in the URL rather than as a cookie do not have CSRF problems
because there is no way for the attacker to access the session identifier and include it as part of the bogus
request.
CSRF is entry number five on the 2007 OWASP Top 10 list.

Oct 5, 2018, 5:40 PM 9

© Copyright 2016 Hewlett Packard Enterprise Development LP
Recommendation
Applications that use session cookies must include some piece of information in every form post that the
back-end code can use to validate the provenance of the request. One way to do that is to include a
random request identifier or nonce, like this:

RequestBuilder rb = new RequestBuilder(RequestBuilder.POST, "/new_user");

body = addToPost(body, new_username);
body = addToPost(body, new_passwd);
body = addToPost(body, request_id);
rb.sendRequest(body, new NewAccountCallback(callback));

Then the back-end logic can validate the request identifier before processing the rest of the form data.
When possible, the request identifier should be unique to each server request rather than shared across
every request for a particular session. As with session identifiers, the harder it is for an attacker to guess
the request identifier, the harder it is to conduct a successful CSRF attack. The token should not be easily
guessed and it should be protected in the same way that session tokens are protected, such as using
SSLv3.

Additional mitigation techniques include:

Framework protection: Most modern web application frameworks embed CSRF protection and they will
automatically include and verify CSRF tokens.
Use a Challenge-Response control: Forcing the customer to respond to a challenge sent by the server is
a strong defense against CSRF. Some of the challenges that can be used for this purpose are:
CAPTCHAs, password re-authentication and one-time tokens.
Check HTTP Referer/Origin headers: An attacker won't be able to spoof these headers while performing
a CSRF attack. This makes these headers a useful method to prevent CSRF attacks.
Double-submit Session Cookie: Sending the session ID Cookie as a hidden form value in addition to the
actual session ID Cookie is a good protection against CSRF attacks. The server will check both values and
make sure they are identical before processing the rest of the form data. If an attacker submits a form in
behalf of a user, he won't be able to modify the session ID cookie value as per the same-origin-policy.
Limit Session Lifetime: When accessing protected resources using a CSRF attack, the attack will only be
valid as long as the session ID sent as part of the attack is still valid on the server. Limiting the Session
lifetime will reduce the probability of a successful attack.

The techniques described here can be defeated with XSS attacks. Effective CSRF mitigation includes XSS
mitigation techniques.

Issue Summary

Oct 5, 2018, 5:40 PM 10

© Copyright 2016 Hewlett Packard Enterprise Development LP
Engine Breakdown
SCA WebInspect SecurityScope Total
Cross-Site Request Forgery 71 0 0 71
Total 71 0 0 71

Cross-Site Request Forgery Low

Package: Code.Sampoerna.Credit Life.5th Scan.
20181005_CLS.CLS.Areas.Administration.Views.Approval
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/
Low
Views/Approval/ApprovalForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/Views/Approval/
ApprovalForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action("ApprovePar", "Approval")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Package: Code.Sampoerna.Credit Life.5th Scan.

20181005_CLS.CLS.Areas.Administration.Views.ApprovalPrdct
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/
Views/ApprovalPrdct/ApprovalPrdctForm.cshtml, line 25 (Cross-Site Request Low
Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Oct 5, 2018, 5:40 PM 11

© Copyright 2016 Hewlett Packard Enterprise Development LP
Cross-Site Request Forgery Low
Package: Code.Sampoerna.Credit Life.5th Scan.
20181005_CLS.CLS.Areas.Administration.Views.ApprovalPrdct
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/
Views/ApprovalPrdct/ApprovalPrdctForm.cshtml, line 25 (Cross-Site Request Low
Forgery)
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/Views/ApprovalPrdct/
ApprovalPrdctForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action("Approve",
"ApprovalPrdct")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Package: Code.Sampoerna.Credit Life.5th Scan.

20181005_CLS.CLS.Areas.Administration.Views.ApprovalQues
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/
Views/ApprovalQues/ApprovalQuesForm.cshtml, line 25 (Cross-Site Request Low
Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/Views/ApprovalQues/
ApprovalQuesForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action("Approve",
"ApprovalQues")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Package: Code.Sampoerna.Credit Life.5th Scan.

20181005_CLS.CLS.Areas.Administration.Views.GenSetting
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/
Low
Views/GenSetting/SettingForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details

Oct 5, 2018, 5:40 PM 12

Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/Views/GenSetting/
SettingForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.setting_id <= 0) ?
"Add" : "Edit", "GenSetting")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Package: Code.Sampoerna.Credit Life.5th Scan.

20181005_CLS.CLS.Areas.Administration.Views.Menu
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/
Low
Views/Menu/Tree.cshtml, line 24 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/Views/Menu/Tree.cshtml:24
Taint Flags:
21 <div class="page-title"></div>
22 <div class="row">
23 <div class="col-md-12">
24 <form class="form-horizontal" name="frmMenuTree" method="post"
action="@Url.Action("SaveTree", "Menu")">
25 <textarea id="nestable_list_1_output" name="nestable_list_1_output" class="form-control
col-md-12 margin-bottom-10;" style="display:none;"></textarea>
26
27

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/

Low
Views/Menu/MenuForm.cshtml, line 26 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation

Oct 5, 2018, 5:40 PM 13

Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/Views/Menu/MenuForm.cshtml:26
Taint Flags:
23 <div class="row">
24 <div class="col-md-12">
25 @Html.Partial("_StatusMessage")
26 <form class="form-horizontal" method="post" action="@Url.Action((Model.menu_id <= 0) ?
"Add" : "Edit", "Menu")">
27 @Html.AntiForgeryToken()
28 <div class="portlet light bordered">
29 <div class="portlet-title">

Package: Code.Sampoerna.Credit Life.5th Scan.

20181005_CLS.CLS.Areas.Administration.Views.Param
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/
Low
Views/Param/ParamForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/Views/Param/ParamForm.cshtml:
25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.param_id <= 0) ?
"Add" : "Edit", "Param")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Package: Code.Sampoerna.Credit Life.5th Scan.

20181005_CLS.CLS.Areas.Administration.Views.ParamGroup
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/
Views/ParamGroup/ParamGroupForm.cshtml, line 25 (Cross-Site Request Low
Forgery)
Issue Details

Oct 5, 2018, 5:40 PM 14

Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/Views/ParamGroup/
ParamGroupForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.paramgroup_id <=
0) ? "Add" : "Edit", "ParamGroup")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/

Low
Views/ParamGroup/Index.cshtml, line 36 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/Views/ParamGroup/Index.cshtml:
36
Taint Flags:
33 <div class="tools"></div>
34 </div>
35 <div class="portlet-body form">
36 <form class="form-horizontal" action="@Url.Action("Index", "paramgroup")" method="post">
37 @Html.AntiForgeryToken()
38 <div class="form-body">
39 <div class="row">

Package: Code.Sampoerna.Credit Life.5th Scan.

20181005_CLS.CLS.Areas.Administration.Views.User
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/
Low
Views/User/Index.cshtml, line 36 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation

Oct 5, 2018, 5:40 PM 15

Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/Views/User/Index.cshtml:36
Taint Flags:
33 <div class="tools"></div>
34 </div>
35 <div class="portlet-body form">
36 <form class="form-horizontal" action="@Url.Action("Index", "User")" method="post">
37 @Html.AntiForgeryToken()
38 <div class="form-body">
39 <div class="row">

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/

Low
Views/User/UserForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/Views/User/UserForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.user_id <= 0) ?
"Add" : "Edit", "User")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Package: Code.Sampoerna.Credit Life.5th Scan.

20181005_CLS.CLS.Areas.Administration.Views.UserGroup
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/
Low
Views/UserGroup/UGPermission.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details

Oct 5, 2018, 5:40 PM 16

File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/Views/UserGroup/

UGPermission.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action("Permission",
"usergroup")">
26 <div class="portlet box red">
27 <div class="portlet-title">
28 <div class="caption"><i class="fa fa-cogs"></i> Usergroup Permission</div>

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/

Low
Views/UserGroup/UserGroupForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/Views/UserGroup/
UserGroupForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.usergroup_id <=
0) ? "Add" : "Edit", "UserGroup")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Areas.Master.Views.BMI

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/
Low
BMI/BMIForm.cshtml, line 22 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/BMI/BMIForm.cshtml:22
Taint Flags:

Oct 5, 2018, 5:40 PM 17

© Copyright 2016 Hewlett Packard Enterprise Development LP
Cross-Site Request Forgery Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Areas.Master.Views.BMI
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/
Low
BMI/BMIForm.cshtml, line 22 (Cross-Site Request Forgery)
19 <div class="row">
20 <div class="col-md-12">
21 @Html.Partial("_StatusMessage")
22 <form class="form-horizontal" method="post" action="@Url.Action((Model.bmi_id <= 0) ?
"Add" : "Edit", "BMI")">
23 @Html.AntiForgeryToken()
24 <div class="portlet light bordered">
25 <div class="portlet-title">

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/

Low
BMI/Index.cshtml, line 36 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/BMI/Index.cshtml:36
Taint Flags:
33 <div class="tools"></div>
34 </div>
35 <div class="portlet-body form">
36 <form class="form-horizontal" action="@Url.Action("Index", "BMI")" method="post">
37 @Html.AntiForgeryToken()
38 <div class="form-body">
39 <div class="row">

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Areas.Master.Views.CutOff

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/
Low
CutOff/CutOffForm.cshtml, line 24 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/CutOff/CutOffForm.cshtml:24
Taint Flags:
21 <div class="row">
22 <div class="col-md-12">
23 @Html.Partial("_StatusMessage")
24 <form class="form-horizontal" method="post" action="@Url.Action((Model.cutoff_id <= 0) ?
"Add" : "Edit", "CutOff")">

Oct 5, 2018, 5:40 PM 18

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Areas.Master.Views.Group

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/
Low
Group/GroupForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/Group/GroupForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.question_group_id
<= 0) ? "Add" : "Edit", "Group")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Areas.Master.Views.MP

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/
Low
MP/MPForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/MP/MPForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.mp_id <= 0) ?
"Add" : "Edit", "MP")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Oct 5, 2018, 5:40 PM 19

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Areas.Master.Views.Partner

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/
Low
Partner/PartnerForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/Partner/PartnerForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" id="commentForm"
action="@Url.Action((Model.partner_id <= 0) ? "Add" : "Edit", "Partner")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Areas.Master.Views.Product

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/
Low
Product/ProductForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/Product/ProductForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.product_id ==
null) ? "Add" : "Edit", "Product")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Oct 5, 2018, 5:40 PM 20

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/Question/QuestionForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.question_id ==
null) ? "Add" : "Edit", "Question")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Package: Code.Sampoerna.Credit Life.5th Scan.

20181005_CLS.CLS.Areas.Master.Views.QuestionDoc
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/
Low
QuestionDoc/QuestionDocForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/QuestionDoc/
QuestionDocForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.document_id <= 0) ?
"Add" : "Edit", "QuestionDoc")" id="QuestionDoc" enctype="multipart/form-data">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Package: Code.Sampoerna.Credit Life.5th Scan.

20181005_CLS.CLS.Areas.Master.Views.QuestionGroup
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/
Low
QuestionGroup/QuestionGroupForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details

Oct 5, 2018, 5:40 PM 21

Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/QuestionGroup/
QuestionGroupForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.question_mapping_id
<= 0) ? "Add" : "Edit", "QuestionGroup")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Package: Code.Sampoerna.Credit Life.5th Scan.

20181005_CLS.CLS.Areas.Master.Views.QuestionRelation
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/
QuestionRelation/QuestionRelationForm.cshtml, line 25 (Cross-Site Request Low
Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/QuestionRelation/
QuestionRelationForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post"
action="@Url.Action((Model.question_relation_id <= 0) ? "Add" : "Edit", "QuestionRelation")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Oct 5, 2018, 5:40 PM 22

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/Rate/RateForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" id="MRate" action="@Url.Action((Model.rate_id
<= 0) ? "Add" : "Edit", "Rate")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Package: Code.Sampoerna.Credit Life.5th Scan.

20181005_CLS.CLS.Areas.Master.Views.SubQuestion
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/
Low
SubQuestion/SubQuestionForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/SubQuestion/
SubQuestionForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.sub_question_id ==
null) ? "Add" : "Edit", "SubQuestion")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Areas.Master.Views.Sumins

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/
Low
Sumins/SIAForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details

Oct 5, 2018, 5:40 PM 23

Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/Sumins/SIAForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.id <= 0) ? "Add" :
"Edit", "Sumins")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Areas.Reg.Views.Registration

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Reg/Views/
Low
Registration/Index.cshtml, line 37 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Reg/Views/Registration/Index.cshtml:37
Taint Flags:
34 <div class="tools"></div>
35 </div>
36 <div class="portlet-body form">
37 <form class="form-horizontal" action="@Url.Action("Index", ViewBag.uri)" method="post">
38 @Html.AntiForgeryToken()
39 <div class="form-body">
40 <div class="row">

Package: Code.Sampoerna.Credit Life.5th Scan.

20181005_CLS.CLS.Areas.Underwriting.Views.PostFilter
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Underwriting/
Low
Views/PostFilter/PostFilterForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Oct 5, 2018, 5:40 PM 24

© Copyright 2016 Hewlett Packard Enterprise Development LP
Cross-Site Request Forgery Low
Package: Code.Sampoerna.Credit Life.5th Scan.
20181005_CLS.CLS.Areas.Underwriting.Views.PostFilter
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Underwriting/
Low
Views/PostFilter/PostFilterForm.cshtml, line 25 (Cross-Site Request Forgery)
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Underwriting/Views/PostFilter/
PostFilterForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action("Edit", "PostFilter")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Underwriting/

Low
Views/PostFilter/Index.cshtml, line 36 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Underwriting/Views/PostFilter/Index.cshtml:36
Taint Flags:
33 <div class="tools"></div>
34 </div>
35 <div class="portlet-body form">
36 <form class="form-horizontal" action="@Url.Action("Index", "postfilter")" method="post">
37 @Html.AntiForgeryToken()
38 <div class="form-body">
39 <div class="row">

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Views.Shared.Registration

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Views/Shared/
Low
Registration/ShrdNotesForm.cshtml, line 49 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Views/Shared/Registration/ShrdNotesForm.cshtml:49
Taint Flags:
46 }

Oct 5, 2018, 5:40 PM 25

© Copyright 2016 Hewlett Packard Enterprise Development LP
Cross-Site Request Forgery Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Views.Shared.Registration
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Views/Shared/
Low
Registration/ShrdNotesForm.cshtml, line 49 (Cross-Site Request Forgery)
47 if (ViewBag.uri == "Assessment" && ViewBag.LockForm == false)
48 {
49 <form class="form-horizontal" method="post" action="@Url.Action("ViewReg", ViewBag.uri)">
50 @Html.AntiForgeryToken()
51 <div class="chat-form">
52 <div class="input-cont">

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Views/Shared/

Low
Registration/ShrdIndex.cshtml, line 37 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Views/Shared/Registration/ShrdIndex.cshtml:37
Taint Flags:
34 <div class="tools"></div>
35 </div>
36 <div class="portlet-body form">
37 <form class="form-horizontal" action="@Url.Action("Index", ViewBag.uri)" method="post">
38 @Html.AntiForgeryToken()
39 <div class="form-body">
40 <div class="row">

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Views/Shared/

Low
Registration/ShrdMCUForm.cshtml, line 13 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Views/Shared/Registration/ShrdMCUForm.cshtml:13
Taint Flags:
10 </div>
11 <div class="portlet-body">
12 <div class="form-body">
13 <form action="" method="post">
14 <div class="row">
15 <div class="col-md-6">
16 <div class="form-group">

Oct 5, 2018, 5:40 PM 26

© Copyright 2016 Hewlett Packard Enterprise Development LP
Cross-Site Request Forgery Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Views.UserProfile
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Views/UserProfile/
Low
Index.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Views/UserProfile/Index.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action( "Update", "UserProfile")"
id="saveFrmUser">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.plugins

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/
Low
respond.min.js, line 6 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Structural)

Oct 5, 2018, 5:40 PM 27

© Copyright 2016 Hewlett Packard Enterprise Development LP
Cross-Site Request Forgery Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.plugins
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/
Low
respond.min.js, line 6 (Cross-Site Request Forgery)
zA-Z:]*\/\/)/.test(d)&&!k||d.replace(RegExp.$1,"").split("/")
[0]===a.location.host)&&m.push({href:d,media:e}))}o()},o=function(){if(m.length){var
b=m.shift();v(b.href,function(c){p(c,b.href,b.media),h[b.href]=!0,a.setTimeout(function(){o()},
0)})}},p=function(a,b,c){var d=a.match(/@media[^\{]+\{([^\{\}]*\{[^\}\{]*\})+/
gi),g=d&&d.length||0;b=b.substring(0,b.lastIndexOf("/"));var h=function(a){return a.replace(/
(url$)['"]?([^\/$'"][^:\)'"]+)['"]?(\))/g,"$1"+b+"$2$3")},i=!g&&c;b.length&&(b
+="/"),i&&(g=1);for(var j=0;g>j;j++){var k,l,m,n;i?(k=c,f.push(h(a))):(k=d[j].match(/@media
*([^\{]+)\{([\S\s]+?)$/)&&RegExp.$1,f.push(RegExp.$2&&h(RegExp.
$2))),m=k.split(","),n=m.length;for(var o=0;n>o;o++)l=m[o],e.push({media:l.split("(")
[0].match(/(only\s+)?([a-zA-Z]+)\s?/)&&RegExp.
$2||"all",rules:f.length-1,hasquery:l.indexOf("(")>-1,minw:l.match(/$\s*min\-width\s*:
\s*(\s*[0-9\.]+)(px|em)\s*$/)&&parseFloat(RegExp.$1)+(RegExp.$2||""),maxw:l.match(/$\s*max\-
width\s*:\s*(\s*[0-9\.]+)(px|em)\s*$/)&&parseFloat(RegExp.$1)+(RegExp.$2||"")})}
u()},s=function(){var a,b=c.createElement("div"),e=c.body,f=!1;return
b.style.cssText="position:absolute;font-size:1em;width:1em",e||
(e=f=c.createElement("body"),e.style.background="none"),e.appendChild(b),d.insertBefore(e,d.firstChild),a
d.removeChild(e):e.removeChild(b),a=t=parseFloat(a)},u=function(b){var
h="clientWidth",k=d[h],m="CSS1Compat"===c.compatMode&&k||c.body[h]||
k,n={},o=l[l.length-1],p=(new Date).getTime();if(b&&q&&i>p-q)return
a.clearTimeout(r),r=a.setTimeout(u,i),void 0;q=p;for(var v in e)if(e.hasOwnProperty(v)){var
w=e[v],x=w.minw,y=w.maxw,z=null===x,A=null===y,B="em";x&&(x=parseFloat(x)*(x.indexOf(B)>-1?t||
s():1)),y&&(y=parseFloat(y)*(y.indexOf(B)>-1?t||s():1)),w.hasquery&&(z&&A||!(z||m>=x)||!(A||
y>=m))||(n[w.media]||(n[w.media]=[]),n[w.media].push(f[w.rules]))}for(var C in
g)g.hasOwnProperty(C)&&g[C]&&g[C].parentNode===j&&j.removeChild(g[C]);for(var D in
n)if(n.hasOwnProperty(D)){var E=c.createElement("style"),F=n[D].join("\n");E.type="text/
css",E.media=D,j.insertBefore(E,o.nextSibling),E.styleSheet?
E.styleSheet.cssText=F:E.appendChild(c.createTextNode(F)),g.push(E)}},v=function(a,b){var
c=w();c&&(c.open("GET",a,!0),c.onreadystatechange=function(){4!==c.readyState||200!
==c.status&&304!==c.status||b(c.responseText)},4!==c.readyState&&c.send(null))},w=function()
{var b=!1;try{b=new a.XMLHttpRequest}catch(c){b=new a.ActiveXObject("Microsoft.XMLHTTP")}
return function(){return b}}();n(),b.update=n,a.addEventListener?
a.addEventListener("resize",x,!1):a.attachEvent&&a.attachEvent("onresize",x)}})(this);
7
8 undefined
9 undefined

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.modules.js

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/modules/js/
Low
TransInfo.js, line 4 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Structural)

Sink Details
Sink: FunctionPointerCall
Enclosing Method: transInfo()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/modules/js/TransInfo.js:4
Taint Flags:
1
2 function transInfo(obj, id) {

Oct 5, 2018, 5:40 PM 28

© Copyright 2016 Hewlett Packard Enterprise Development LP
Cross-Site Request Forgery Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.modules.js
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/modules/js/
Low
TransInfo.js, line 4 (Cross-Site Request Forgery)
3 var url = $("#urlTransInfo").val() + '?obj=' + obj + '&id=' + id;
4 $.post(url, {}, function (data) {
5 $("#created_user").val('');
6 $("#created_date").val('');
7 $("#updated_user").val('');

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/modules/js/

Low
QuestionRelation.js, line 9 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Structural)

Sink Details
Sink: FunctionPointerCall
Enclosing Method: lambda()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/modules/js/QuestionRelation.js:9
Taint Flags:
6
7 if (dID != "") {
8 var url = $("#getSubQuestionUrl").val();
9 $.getJSON(url, { questionid: dID },
10 function (data) {
11 var select = $("#sub_question_id");
12 select.empty();

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/modules/js/

Low
regmcu.js, line 50 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Structural)

Sink Details
Sink: FunctionPointerCall
Enclosing Method: lambda()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/modules/js/regmcu.js:50
Taint Flags:
47 $('#findDataMCUBtn').click(function () {
48 var el = $(".MCUData");
49 App.blockUI({target:".MCUData"});
50 $.getJSON("getMPMCU",
51 { mp_name_val: $('#mp_name_val').val(), mp_addr: $('#mp_addr').val(), mp_std: $
('#mp_std').val(), mp_oh: $('#mp_oh').val() },

Oct 5, 2018, 5:40 PM 29

52 function (data) {
53 var len = data.length;

Package: Code.Sampoerna.Credit Life.5th Scan.

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Administration.Views.Approval
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/
PackageTmp/Areas/Administration/Views/Approval/ApprovalForm.cshtml, line 25 Low
(Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/Areas/Administration/
Views/Approval/ApprovalForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action("ApprovePar", "Approval")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Package: Code.Sampoerna.Credit Life.5th Scan.

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Administration.Views.ApprovalPrdct
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/
PackageTmp/Areas/Administration/Views/ApprovalPrdct/ Low
ApprovalPrdctForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/Areas/Administration/
Views/ApprovalPrdct/ApprovalPrdctForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action("Approve",

Oct 5, 2018, 5:40 PM 30

© Copyright 2016 Hewlett Packard Enterprise Development LP
Cross-Site Request Forgery Low
Package: Code.Sampoerna.Credit Life.5th Scan.
20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Administration.Views.ApprovalPrdct
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/
PackageTmp/Areas/Administration/Views/ApprovalPrdct/ Low
ApprovalPrdctForm.cshtml, line 25 (Cross-Site Request Forgery)
"ApprovalPrdct")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Package: Code.Sampoerna.Credit Life.5th Scan.

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Administration.Views.ApprovalQues
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/
PackageTmp/Areas/Administration/Views/ApprovalQues/ Low
ApprovalQuesForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/Areas/Administration/
Views/ApprovalQues/ApprovalQuesForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action("Approve",
"ApprovalQues")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Package: Code.Sampoerna.Credit Life.5th Scan.

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Administration.Views.GenSetting
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/
PackageTmp/Areas/Administration/Views/GenSetting/SettingForm.cshtml, line Low
25 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/Areas/Administration/
Views/GenSetting/SettingForm.cshtml:25
Taint Flags:

Oct 5, 2018, 5:40 PM 31

© Copyright 2016 Hewlett Packard Enterprise Development LP
Cross-Site Request Forgery Low
Package: Code.Sampoerna.Credit Life.5th Scan.
20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Administration.Views.GenSetting
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/
PackageTmp/Areas/Administration/Views/GenSetting/SettingForm.cshtml, line Low
25 (Cross-Site Request Forgery)
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.setting_id <= 0) ?
"Add" : "Edit", "GenSetting")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Package: Code.Sampoerna.Credit Life.5th Scan.

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Administration.Views.Menu
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/
PackageTmp/Areas/Administration/Views/Menu/Tree.cshtml, line 24 (Cross-Site Low
Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/Areas/Administration/
Views/Menu/Tree.cshtml:24
Taint Flags:
21 <div class="page-title"></div>
22 <div class="row">
23 <div class="col-md-12">
24 <form class="form-horizontal" name="frmMenuTree" method="post"
action="@Url.Action("SaveTree", "Menu")">
25 <textarea id="nestable_list_1_output" name="nestable_list_1_output" class="form-control
col-md-12 margin-bottom-10;" style="display:none;"></textarea>
26
27

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/

PackageTmp/Areas/Administration/Views/Menu/MenuForm.cshtml, line 26 Low
(Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/Areas/Administration/

Oct 5, 2018, 5:40 PM 32

Views/Menu/MenuForm.cshtml:26
Taint Flags:
23 <div class="row">
24 <div class="col-md-12">
25 @Html.Partial("_StatusMessage")
26 <form class="form-horizontal" method="post" action="@Url.Action((Model.menu_id <= 0) ?
"Add" : "Edit", "Menu")">
27 @Html.AntiForgeryToken()
28 <div class="portlet light bordered">
29 <div class="portlet-title">

Package: Code.Sampoerna.Credit Life.5th Scan.

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Administration.Views.Param
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/
PackageTmp/Areas/Administration/Views/Param/ParamForm.cshtml, line 25 Low
(Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/Areas/Administration/
Views/Param/ParamForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.param_id <= 0) ?
"Add" : "Edit", "Param")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Package: Code.Sampoerna.Credit Life.5th Scan.

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Administration.Views.ParamGroup
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/
PackageTmp/Areas/Administration/Views/ParamGroup/ Low
ParamGroupForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation

Oct 5, 2018, 5:40 PM 33

Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/Areas/Administration/
Views/ParamGroup/ParamGroupForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.paramgroup_id <=
0) ? "Add" : "Edit", "ParamGroup")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/

PackageTmp/Areas/Administration/Views/ParamGroup/Index.cshtml, line 36 Low
(Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/Areas/Administration/
Views/ParamGroup/Index.cshtml:36
Taint Flags:
33 <div class="tools"></div>
34 </div>
35 <div class="portlet-body form">
36 <form class="form-horizontal" action="@Url.Action("Index", "paramgroup")" method="post">
37 @Html.AntiForgeryToken()
38 <div class="form-body">
39 <div class="row">

Package: Code.Sampoerna.Credit Life.5th Scan.

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Administration.Views.User
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/
PackageTmp/Areas/Administration/Views/User/Index.cshtml, line 36 (Cross-Site Low
Request Forgery)
Issue Details

Oct 5, 2018, 5:40 PM 34

Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/Areas/Administration/
Views/User/Index.cshtml:36
Taint Flags:
33 <div class="tools"></div>
34 </div>
35 <div class="portlet-body form">
36 <form class="form-horizontal" action="@Url.Action("Index", "User")" method="post">
37 @Html.AntiForgeryToken()
38 <div class="form-body">
39 <div class="row">

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/

PackageTmp/Areas/Administration/Views/User/UserForm.cshtml, line 25 (Cross- Low
Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/Areas/Administration/
Views/User/UserForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.user_id <= 0) ?
"Add" : "Edit", "User")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Oct 5, 2018, 5:40 PM 35

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/Areas/Administration/
Views/UserGroup/UGPermission.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action("Permission",
"usergroup")">
26 <div class="portlet box red">
27 <div class="portlet-title">
28 <div class="caption"><i class="fa fa-cogs"></i> Usergroup Permission</div>

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/

PackageTmp/Areas/Administration/Views/UserGroup/UserGroupForm.cshtml, Low
line 25 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/Areas/Administration/
Views/UserGroup/UserGroupForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.usergroup_id <=
0) ? "Add" : "Edit", "UserGroup")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Oct 5, 2018, 5:40 PM 36

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/Areas/Master/Views/
BMI/BMIForm.cshtml:22
Taint Flags:
19 <div class="row">
20 <div class="col-md-12">
21 @Html.Partial("_StatusMessage")
22 <form class="form-horizontal" method="post" action="@Url.Action((Model.bmi_id <= 0) ?
"Add" : "Edit", "BMI")">
23 @Html.AntiForgeryToken()
24 <div class="portlet light bordered">
25 <div class="portlet-title">

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/

PackageTmp/Areas/Master/Views/BMI/Index.cshtml, line 36 (Cross-Site Request Low
Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/Areas/Master/Views/
BMI/Index.cshtml:36
Taint Flags:
33 <div class="tools"></div>
34 </div>
35 <div class="portlet-body form">
36 <form class="form-horizontal" action="@Url.Action("Index", "BMI")" method="post">
37 @Html.AntiForgeryToken()
38 <div class="form-body">
39 <div class="row">

Oct 5, 2018, 5:40 PM 37

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/Areas/Master/Views/
CutOff/CutOffForm.cshtml:24
Taint Flags:
21 <div class="row">
22 <div class="col-md-12">
23 @Html.Partial("_StatusMessage")
24 <form class="form-horizontal" method="post" action="@Url.Action((Model.cutoff_id <= 0) ?
"Add" : "Edit", "CutOff")">
25 @Html.AntiForgeryToken()
26 <div class="portlet light bordered">
27 <div class="portlet-title">

Package: Code.Sampoerna.Credit Life.5th Scan.

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Master.Views.Group
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/
PackageTmp/Areas/Master/Views/Group/GroupForm.cshtml, line 25 (Cross-Site Low
Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/Areas/Master/Views/
Group/GroupForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.question_group_id
<= 0) ? "Add" : "Edit", "Group")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Oct 5, 2018, 5:40 PM 38

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/Areas/Master/Views/
MP/MPForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.mp_id <= 0) ?
"Add" : "Edit", "MP")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Package: Code.Sampoerna.Credit Life.5th Scan.

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Master.Views.Partner
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/
PackageTmp/Areas/Master/Views/Partner/PartnerForm.cshtml, line 25 (Cross- Low
Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/Areas/Master/Views/
Partner/PartnerForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" id="commentForm"
action="@Url.Action((Model.partner_id <= 0) ? "Add" : "Edit", "Partner")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Oct 5, 2018, 5:40 PM 39

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/Areas/Master/Views/
Product/ProductForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.product_id ==
null) ? "Add" : "Edit", "Product")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Package: Code.Sampoerna.Credit Life.5th Scan.

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Master.Views.Question
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/
PackageTmp/Areas/Master/Views/Question/QuestionForm.cshtml, line 25 (Cross- Low
Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/Areas/Master/Views/
Question/QuestionForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.question_id ==
null) ? "Add" : "Edit", "Question")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Oct 5, 2018, 5:40 PM 40

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/Areas/Master/Views/
QuestionDoc/QuestionDocForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.document_id <= 0) ?
"Add" : "Edit", "QuestionDoc")" id="QuestionDoc" enctype="multipart/form-data">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Package: Code.Sampoerna.Credit Life.5th Scan.

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Master.Views.QuestionGroup
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/
PackageTmp/Areas/Master/Views/QuestionGroup/QuestionGroupForm.cshtml, Low
line 25 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/Areas/Master/Views/
QuestionGroup/QuestionGroupForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.question_mapping_id
<= 0) ? "Add" : "Edit", "QuestionGroup")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Oct 5, 2018, 5:40 PM 41

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/Areas/Master/Views/
QuestionRelation/QuestionRelationForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post"
action="@Url.Action((Model.question_relation_id <= 0) ? "Add" : "Edit", "QuestionRelation")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Package: Code.Sampoerna.Credit Life.5th Scan.

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Master.Views.Rate
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/
PackageTmp/Areas/Master/Views/Rate/RateForm.cshtml, line 25 (Cross-Site Low
Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/Areas/Master/Views/
Rate/RateForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" id="MRate" action="@Url.Action((Model.rate_id
<= 0) ? "Add" : "Edit", "Rate")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Oct 5, 2018, 5:40 PM 42

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/Areas/Master/Views/
SubQuestion/SubQuestionForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.sub_question_id ==
null) ? "Add" : "Edit", "SubQuestion")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Package: Code.Sampoerna.Credit Life.5th Scan.

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Master.Views.Sumins
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/
PackageTmp/Areas/Master/Views/Sumins/SIAForm.cshtml, line 25 (Cross-Site Low
Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/Areas/Master/Views/
Sumins/SIAForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.id <= 0) ? "Add" :
"Edit", "Sumins")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Oct 5, 2018, 5:40 PM 43

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/Areas/Reg/Views/
Registration/Index.cshtml:37
Taint Flags:
34 <div class="tools"></div>
35 </div>
36 <div class="portlet-body form">
37 <form class="form-horizontal" action="@Url.Action("Index", ViewBag.uri)" method="post">
38 @Html.AntiForgeryToken()
39 <div class="form-body">
40 <div class="row">

Package: Code.Sampoerna.Credit Life.5th Scan.

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Underwriting.Views.PostFilter
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/
PackageTmp/Areas/Underwriting/Views/PostFilter/PostFilterForm.cshtml, line 25 Low
(Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/Areas/Underwriting/
Views/PostFilter/PostFilterForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action("Edit", "PostFilter")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

Oct 5, 2018, 5:40 PM 44

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/Areas/Underwriting/
Views/PostFilter/Index.cshtml:36
Taint Flags:
33 <div class="tools"></div>
34 </div>
35 <div class="portlet-body form">
36 <form class="form-horizontal" action="@Url.Action("Index", "postfilter")" method="post">
37 @Html.AntiForgeryToken()
38 <div class="form-body">
39 <div class="row">

Package: Code.Sampoerna.Credit Life.5th Scan.

20181005_CLS.CLS.obj.Release.Package.PackageTmp.assets.modules.js
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/
Low
PackageTmp/assets/modules/js/regmcu.js, line 50 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Structural)

Sink Details
Sink: FunctionPointerCall
Enclosing Method: lambda()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/assets/modules/js/
regmcu.js:50
Taint Flags:
47 $('#findDataMCUBtn').click(function () {
48 var el = $(".MCUData");
49 App.blockUI({target:".MCUData"});
50 $.getJSON("getMPMCU",
51 { mp_name_val: $('#mp_name_val').val(), mp_addr: $('#mp_addr').val(), mp_std: $
('#mp_std').val(), mp_oh: $('#mp_oh').val() },
52 function (data) {
53 var len = data.length;

Oct 5, 2018, 5:40 PM 45

© Copyright 2016 Hewlett Packard Enterprise Development LP
Cross-Site Request Forgery Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.packages.jQuery.
1.10.2.Content.Scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/packages/jQuery.1.10.2/
Low
Content/Scripts/jquery-1.10.2-vsdoc.js, line 1854 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Structural)

Sink Details
Sink: FunctionPointerCall: get
Enclosing Method: getScript()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/packages/jQuery.1.10.2/Content/Scripts/jquery-1.10.2-vsdoc.js:
1854
Taint Flags:
1851 /// A callback function that is executed if the request succeeds.
1852 /// </param>
1853
1854 return jQuery.get( url, undefined, callback, "script" );
1855 };
1856 jQuery.globalEval = function( data ) {
1857 /// <summary>

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/packages/jQuery.1.10.2/

Low
Content/Scripts/jquery-1.10.2-vsdoc.js, line 1841 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Structural)

Sink Details
Sink: FunctionPointerCall: get
Enclosing Method: getJSON()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/packages/jQuery.1.10.2/Content/Scripts/jquery-1.10.2-vsdoc.js:
1841
Taint Flags:
1838 /// A callback function that is executed if the request succeeds.
1839 /// </param>
1840
1841 return jQuery.get( url, data, callback, "json" );
1842 };
1843 jQuery.getScript = function( url, callback ) {
1844 /// <summary>

Oct 5, 2018, 5:40 PM 46

Abstract
This field is never used directly or indirectly by a public method.

Explanation
This field is never accessed, except perhaps by dead code. Dead code is defined as code that is never
directly or indirectly executed by a public method. It is likely that the field is simply vestigial, but it is also
possible that the unused field points out a bug.

Example 1: The field named glue is not used in the following class. The author of the class has
accidentally put quotes around the field name, transforming it into a string constant.

public class Dead {

string glue;

public string GetGlue() {

return "glue";
}

Example 2: The field named glue is used in the following class, but only from a method that is never
called by a public method.

public class Dead {

string glue;

private string GetGlue() {

return glue;
}

Recommendation
In general, you should repair or remove dead code. To repair dead code, execute the dead code directly or
indirectly through a public method. Dead code causes additional complexity and maintenance burden
without contributing to the functionality of the program.

Issue Summary

Oct 5, 2018, 5:40 PM 47

© Copyright 2016 Hewlett Packard Enterprise Development LP
Engine Breakdown
SCA WebInspect SecurityScope Total
Dead Code: Unused Field 6 0 0 6
Total 6 0 0 6

Dead Code: Unused Field Low

Package: CLS.Areas.Administration.Controllers
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/
Low
Controllers/ApprovalController.cs, line 20 (Dead Code: Unused Field)
Issue Details
Kingdom: Code Quality
Scan Engine: SCA (Structural)

Sink Details
Sink: Field: _ObjCode
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/Controllers/ApprovalController.cs:
20
Taint Flags:
17 private IParamGroupService repoPG;
18 private IMenuRepository repoMenu;
19 private IUserGroupService repoUG;
20 private string _ObjCode = "PAR";
21 private QuestionDoc qDoc = null;
22
23 List<String> Scripts = new List<String>();

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/

Low
Controllers/ApprovalController.cs, line 21 (Dead Code: Unused Field)
Issue Details
Kingdom: Code Quality
Scan Engine: SCA (Structural)

Sink Details
Sink: Field: qDoc
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/Controllers/ApprovalController.cs:

Oct 5, 2018, 5:40 PM 48

© Copyright 2016 Hewlett Packard Enterprise Development LP
Dead Code: Unused Field Low
Package: CLS.Areas.Administration.Controllers
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/
Controllers/ApprovalController.cs, line 21 (Dead Code: Unused Field) Low

21
Taint Flags:
18 private IMenuRepository repoMenu;
19 private IUserGroupService repoUG;
20 private string _ObjCode = "PAR";
21 private QuestionDoc qDoc = null;
22
23 List<String> Scripts = new List<String>();
24 CSS_REF oCSSRef = new CSS_REF();

Package: CLS.Repositories.Impl
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Repositories/Impl/
Low
UserRepository.cs, line 16 (Dead Code: Unused Field)
Issue Details
Kingdom: Code Quality
Scan Engine: SCA (Structural)

Sink Details
Sink: Field: _ObjCode
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Repositories/Impl/UserRepository.cs:16
Taint Flags:
13 public class UserRepository : BasicRepository, IUserRepository
14 {
15 AES aES = null;
16 private string _ObjCode = "USR";
17
18 public User add(User user)
19 {

Package: CLS.Utils.Helper
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Utils/Helper.cs, line 74
Low
(Dead Code: Unused Field)
Issue Details
Kingdom: Code Quality
Scan Engine: SCA (Structural)

Sink Details
Sink: Field: _LabelApproval
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Utils/Helper.cs:74
Taint Flags:

Oct 5, 2018, 5:40 PM 49

© Copyright 2016 Hewlett Packard Enterprise Development LP
Dead Code: Unused Field Low
Package: CLS.Utils.Helper
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Utils/Helper.cs, line 74
Low
(Dead Code: Unused Field)
71 new labelStatus() { Status = "Waiting Payment", Label = "<span class=\"label label-sm
label-warning\"> Waiting Payment </span>"}
72 };
73
74 private static List<labelStatus> _LabelApproval = new List<labelStatus>()
75 {
76 new labelStatus() { Status = "Pending", Label = "<span class=\"label label-sm label-warning
\"> Pending </span>"},
77 new labelStatus() { Status = "Approved", Label = "<span class=\"label label-sm label-
success\"> Approved </span>"},

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Utils/Helper.cs, line 60

Low
(Dead Code: Unused Field)
Issue Details
Kingdom: Code Quality
Scan Engine: SCA (Structural)

Sink Details
Sink: Field: _LabelStatus
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Utils/Helper.cs:60
Taint Flags:
57 new labelActiveStatus() { Status = false, Label = "<span class=\"label label-sm label-
danger\"> Not Active </span>"}
58 };
59
60 private static List<labelStatus> _LabelStatus = new List<labelStatus>()
61 {
62 new labelStatus() { Status = "On Process", Label = "<span class=\"label label-sm label-
warning\"> On Process </span>"},
63 new labelStatus() { Status = "Pending", Label = "<span class=\"label label-sm label-warning
\"> Pending </span>"},

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Utils/Helper.cs, line 54

Low
(Dead Code: Unused Field)
Issue Details
Kingdom: Code Quality
Scan Engine: SCA (Structural)

Sink Details
Sink: Field: _LabelActiveStatus
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Utils/Helper.cs:54
Taint Flags:
51 return retVal;

Oct 5, 2018, 5:40 PM 50

52 }
53
54 private static List<labelActiveStatus> _LabelActiveStatus = new List<labelActiveStatus>()
55 {
56 new labelActiveStatus() { Status = true, Label = "<span class=\"label label-sm label-
success\"> Active </span>"},
57 new labelActiveStatus() { Status = false, Label = "<span class=\"label label-sm label-
danger\"> Not Active </span>"}

Oct 5, 2018, 5:40 PM 51

Abstract
This method is not reachable from any method outside the class.

Explanation
This method is never called or is only called from other dead code. Dead code is defined as code that is
never directly or indirectly executed by a public method.

Example 1: In the following class, the method DoWork() can never be called.

public class Dead {

private void DoWork() {
Console.Write("doing work");
}
public static void Main(string[] args) {
Console.Write("running Dead");
}
}

Example 2: In the following class, two private methods call each other, but since neither one is ever
invoked from anywhere else, they are both dead code.

public class DoubleDead {

private void DoTweedledee() {
DoTweedledumb();
}
private void DoTweedledumb() {
DoTweedledee();
}
public static void Main(string[] args) {
Console.Write("running DoubleDead");
}
}

(In this case it is a good thing that the methods are dead: invoking either one would cause an infinite loop.)

Recommendation
A dead method may indicate a bug in dispatch code.

Example 3: If method is flagged as dead named GetWitch() in a class that also contains the following
dispatch method, it may be because of a copy-and-paste error. The 'w' case should return GetWitch()
not GetMummy().

public ScaryThing GetScaryThing(char st) {

switch(st) {
case 'm':
return GetMummy();

Oct 5, 2018, 5:40 PM 52

In general, you should repair or remove dead code. To repair dead code, execute the dead code directly or
indirectly through a public method. Dead code causes additional complexity and maintenance burden
without contributing to the functionality of the program.

Issue Summary

Engine Breakdown
SCA WebInspect SecurityScope Total
Dead Code: Unused Method 1 0 0 1
Total 1 0 0 1

Dead Code: Unused Method Low

Package: CLS.Repositories.Impl
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Repositories/Impl/
Low
MenuRepository.cs, line 344 (Dead Code: Unused Method)
Issue Details
Kingdom: Code Quality
Scan Engine: SCA (Structural)

Sink Details
Sink: Function: buildMenuStructure
Enclosing Method: buildMenuStructure()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Repositories/Impl/MenuRepository.cs:344
Taint Flags:
341 }
342
343
344 private void buildMenuStructure(ref System.Text.StringBuilder MenuString, int MenuID,
Menu CurrentMenu)
345 {

Oct 5, 2018, 5:40 PM 53

© Copyright 2016 Hewlett Packard Enterprise Development LP
Dead Code: Unused Method Low
Package: CLS.Repositories.Impl
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Repositories/Impl/
Low
MenuRepository.cs, line 344 (Dead Code: Unused Method)
346 // Get the menu first
347 Menu oMenu = get(MenuID);

Oct 5, 2018, 5:40 PM 54

Abstract
An attacker could cause the program to crash or otherwise become unavailable to legitimate users.

Explanation
Attackers may be able to deny service to legitimate users by flooding the application with requests, but
flooding attacks can often be defused at the network layer. More problematic are bugs that allow an
attacker to overload the application using a small number of requests. Such bugs allow the attacker to
specify the quantity of system resources their requests will consume or the duration for which they will use
them.

Example 1: The following code allows a user to specify the size of the file system to be used. By specifying
a large number, an attacker may deplete file system resources.

var fsync = requestFileSystemSync(0, userInput);

Example 2: The following code writes to a file. Because the file may be continuously written and re-written
until it is deemed closed by the user agent, disk quota, IO bandwidth, and processes that may require
analyzing the content of the file are impacted.

window.requestFileSystem(window.TEMPORARY, 1024*1024, oninit, errorHandler);

Recommendation
Validate user input to ensure that it will not cause inappropriate resource utilization.

Example 3: The following code allows a user to specify the size of the file system just as in Example 1, but
only if the value is within reasonable bounds.

if (userInput >= SIZE_MIN &&

userInput <= SIZE_MAX) {
var fsync = requestFileSystemSync(0, userInput);
} else {
throw "Invalid file system size";
}
}

Oct 5, 2018, 5:40 PM 55

© Copyright 2016 Hewlett Packard Enterprise Development LP
Example 4: The following code writes to a file just as in Example 2, but the maximum file size is
MAX_FILE_LEN.

window.requestFileSystem(window.TEMPORARY, 1024*1024, oninit, errorHandler);

Issue Summary

Engine Breakdown
SCA WebInspect SecurityScope Total
Denial of Service 1 0 0 1
Total 1 0 0 1

Denial of Service Low

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.plugins.datatables
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/
Low
datatables/datatables.js, line 31329 (Denial of Service)
Issue Details
Kingdom: Input Validation and Representation
Scan Engine: SCA (Structural)

Sink Details
Sink: FunctionPointerCall
Enclosing Method: embedTTF()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/datatables/datatables.js:31329

Oct 5, 2018, 5:40 PM 56

© Copyright 2016 Hewlett Packard Enterprise Development LP
Denial of Service Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.plugins.datatables
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/
Low
datatables/datatables.js, line 31329 (Denial of Service)

Taint Flags:
31326 var charWidths, cmap, code, data, descriptor, firstChar, fontfile, glyph;
31327 data = this.subset.encode();
31328 fontfile = this.document.ref();
31329 fontfile.write(data);
31330 fontfile.data.Length1 = fontfile.uncompressedLength;
31331 fontfile.end();
31332 descriptor = this.document.ref({

Oct 5, 2018, 5:40 PM 57

Abstract
The web.config file does not include the required header to mitigate MIME sniffing attacks

Explanation
MIME sniffing, is the practice of inspecting the content of a byte stream to attempt to deduce the file format
of the data within it.

If MIME sniffing is not explicitly disabled, some browsers can be manipulated into interpreting data in a way
that is not intended, allowing for cross-site scripting attacks.

For each page that could contain user controllable content, you should use the HTTP Header X-Content-
Type-Options: nosniff.

Recommendation
To mitigate this finding, the programmer can either: (1) set it globally for all pages in the application in the
web.config file, or (2) set the required header page by page for only those pages that might contain user-
controllable content.

To set it globally add the header in the web.config file for the application being hosted by Internet
Information Services (IIS):

<system.webServer>
<httpProtocol>
<customHeaders>
<add name="X-Content-Type-Options" value="nosniff"/>
</customHeaders>
</httpProtocol>
</system.webServer>

The following examples shows how to add the header to the global Application_BeginRequest
method:

void Application_BeginRequest(object sender, EventArgs e)

{
this.Response.Headers["X-Content-Type-Options"] = "nosniff";
}

The following example shows how to add it to a page by implementing a custom HTTP module using the
IHttpModule interface

public class XContentTypeOptionsModule : IHttpModule

{
...
void context_PreSendRequestHeaders(object sender, EventArgs e)
{
HttpApplication application = sender as HttpApplication;

Oct 5, 2018, 5:40 PM 58

© Copyright 2016 Hewlett Packard Enterprise Development LP
if (application == null) return;
if (application.Response.Headers["X-Content-Type-Options"] != null)
return;
application.Response.Headers.Add("X-Content-Type-Options", "nosniff");
}
}

Issue Summary

Engine Breakdown
SCA WebInspect SecurityScope Total
HTML5: MIME Sniffing 1 0 0 1
Total 1 0 0 1

HTML5: MIME Sniffing Medium

Package: Code.Sampoerna.Credit Life.5th Scan.
20181005_CLS.CLS.obj.Release.TransformWebConfig.assist
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/
Medium
TransformWebConfig/assist/Web.config, line 0 (HTML5: MIME Sniffing)
Issue Details
Kingdom: Environment
Scan Engine: SCA (Configuration)

Sink Details
Sink: //system.webServer/httpProtocol/customHeaders
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/TransformWebConfig/assist/Web.config:0
Taint Flags:
1 <?xml version="1.0"?>
2
3 
4
5 undefined
6 undefined
7 undefined

Oct 5, 2018, 5:40 PM 59

Abstract
A hidden form field is used.

Explanation
Programmers often trust the contents of hidden fields, expecting that users will not be able to view them or
manipulate their contents. Attackers will violate these assumptions. They will examine the values written to
hidden fields and alter them or replace the contents with attack data.

Example: An tag of type hidden indicates the use of a hidden field.

If hidden fields carry sensitive information, this information will be cached the same way the rest of the
page is cached. This can lead to sensitive information being tucked away in the browser cache without the
user's knowledge.

Recommendation
Expect that attackers will study and decode all uses of hidden fields in the application. Treat hidden fields
as untrusted input. Don't store information in hidden fields if the information should not be cached along
with the rest of the page.

Issue Summary

Engine Breakdown
SCA WebInspect SecurityScope Total
Hidden Field 5 0 0 5
Total 5 0 0 5

Oct 5, 2018, 5:40 PM 60

© Copyright 2016 Hewlett Packard Enterprise Development LP
Hidden Field Low
Package: Code.Sampoerna.Credit Life.5th Scan.
20181005_CLS.CLS.Areas.Underwriting.Views.Assessment
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Underwriting/
Low
Views/Assessment/CalcPremiForm.cshtml, line 35 (Hidden Field)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Underwriting/Views/Assessment/
CalcPremiForm.cshtml:35
Taint Flags:
32 </div>
33 <div class="col-md-2">
34 <input type="text" id="load_eo_view" name="load_eo_view" readonly="readonly" class="form-
control col-md-1" />
35 <input type="hidden" id="load_eo" name="load_eo" class="form-control col-md-1" />
36 </div>
37 </div>
38 <div class="row">

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Views.Shared.Registration

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Views/Shared/
Low
Registration/ShrdCalcPremiForm.cshtml, line 51 (Hidden Field)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Views/Shared/Registration/ShrdCalcPremiForm.cshtml:
51
Taint Flags:
48 </div>
49 <div class="col-md-1">
50 <input type="text" id="load_eo_view" name="load_eo_view" readonly="readonly" class="form-
control input-sm input-xsmall" />
51 <input type="hidden" id="load_eo" name="load_eo" class="form-control col-md-1" />
52 </div>
53 </div>
54 </div>

Oct 5, 2018, 5:40 PM 61

© Copyright 2016 Hewlett Packard Enterprise Development LP
Hidden Field Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.plugins.jquery-
minicolors
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/
Low
jquery-minicolors/index.html, line 179 (Hidden Field)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/jquery-minicolors/index.html:179
Taint Flags:
176 <div class="form-group">
177 <label for="hidden-input">Hidden Input</label>
178 <br>
179 <input type="hidden" id="hidden-input" class="demo" value="#db913d"> </div>
180 </div>
181 <div class="col-lg-4 col-sm-4 col-12">
182 <div class="form-group">

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/

Low
jquery-minicolors/without-bootstrap.html, line 106 (Hidden Field)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/jquery-minicolors/without-
bootstrap.html:106
Taint Flags:
103 <div class="form-group">
104 <label for="hidden-input">Hidden Input</label>
105 <br>
106 <input type="hidden" id="hidden-input" class="demo" value="#db913d"> </div>
107 <div class="form-group">
108 <label for="inline">Inline</label>
109 <br>

Package: Code.Sampoerna.Credit Life.5th Scan.

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Underwriting.Views.Assessment
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/
PackageTmp/Areas/Underwriting/Views/Assessment/CalcPremiForm.cshtml, line Low
35 (Hidden Field)
Issue Details
Kingdom: Encapsulation

Oct 5, 2018, 5:40 PM 62

© Copyright 2016 Hewlett Packard Enterprise Development LP
Hidden Field Low
Package: Code.Sampoerna.Credit Life.5th Scan.
20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Underwriting.Views.Assessment
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/
PackageTmp/Areas/Underwriting/Views/Assessment/CalcPremiForm.cshtml, line Low
35 (Hidden Field)

Scan Engine: SCA (Content)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/Areas/Underwriting/
Views/Assessment/CalcPremiForm.cshtml:35
Taint Flags:
32 </div>
33 <div class="col-md-2">
34 <input type="text" id="load_eo_view" name="load_eo_view" readonly="readonly" class="form-
control col-md-1" />
35 <input type="hidden" id="load_eo" name="load_eo" class="form-control col-md-1" />
36 </div>
37 </div>
38 <div class="row">

Oct 5, 2018, 5:40 PM 63

Abstract
Standard pseudorandom number generators cannot withstand cryptographic attacks.

Explanation
Insecure randomness errors occur when a function that can produce predictable values is used as a source
of randomness in a security-sensitive context.

Computers are deterministic machines, and as such are unable to produce true randomness.
Pseudorandom Number Generators (PRNGs) approximate randomness algorithmically, starting with a
seed from which subsequent values are calculated.

There are two types of PRNGs: statistical and cryptographic. Statistical PRNGs provide useful statistical
properties, but their output is highly predictable and form an easy to reproduce numeric stream that is
unsuitable for use in cases where security depends on generated values being unpredictable.
Cryptographic PRNGs address this problem by generating output that is more difficult to predict. For a
value to be cryptographically secure, it must be impossible or highly improbable for an attacker to
distinguish between the generated random value and a truly random value. In general, if a PRNG algorithm
is not advertised as being cryptographically secure, then it is probably a statistical PRNG and should not be
used in security-sensitive contexts, where its use can lead to serious vulnerabilities such as easy-to-guess
temporary passwords, predictable cryptographic keys, session hijacking, and DNS spoofing.

Example: The following code uses a statistical PRNG to create a URL for a receipt that remains active for
some period of time after a purchase.

function genReceiptURL (baseURL){

var randNum = Math.random();
var receiptURL = baseURL + randNum + ".html";
return receiptURL;
}

This code uses the Math.random() function to generate "unique" identifiers for the receipt pages it
generates. Since Math.random() is a statistical PRNG, it is easy for an attacker to guess the strings it
generates. Although the underlying design of the receipt system is also faulty, it would be more secure if it
used a random number generator that did not produce predictable receipt identifiers, such as a
cryptographic PRNG.

Recommendation
When unpredictability is critical, as is the case with most security-sensitive uses of randomness, use a
cryptographic PRNG. Regardless of the PRNG you choose, always use a value with sufficient entropy to
seed the algorithm. (Values such as the current time offer only negligible entropy and should not be used.)

In JavaScript, the typical recommendation is to use the window.crypto.random() function in the

Mozilla API. However, this method does not work in many browsers, including more recent versions of
Mozilla Firefox. There is currently no cross-browser solution for a robust cryptographic PRNG. In the
meantime, consider handling any PRNG functionality outside of JavaScript.

Issue Summary

Oct 5, 2018, 5:40 PM 64

© Copyright 2016 Hewlett Packard Enterprise Development LP
Engine Breakdown
SCA WebInspect SecurityScope Total
Insecure Randomness 1 0 0 1
Total 1 0 0 1

Insecure Randomness High

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/scripts/
High
app.min.js, line 1 (Insecure Randomness)
Issue Details
Kingdom: Security Features
Scan Engine: SCA (Structural)

Sink Details
Sink: FunctionPointerCall
Enclosing Method: getUniqueID()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/scripts/app.min.js:1
Taint Flags:
1 var App=function(){var t,e=!1,o=!1,a=!1,i=!1,n=[],l="../../assets/",s="global/
img/",r="global/plugins/",c="global/
css/",d={blue:"#89C4F4",red:"#F3565D",green:"#1bbc9b",purple:"#9b59b6",grey:"#95a5a6",yellow:"#F8CB00"},h
{"rtl"===$("body").css("direction")&&(e=!0),o=!!navigator.userAgent.match(/MSIE 8.0/),a=!!
navigator.userAgent.match(/MSIE 9.0/),i=!!navigator.userAgent.match(/MSIE 10.0/),i&&$
("html").addClass("ie10"),(i||a||o)&&$("html").addClass("ie")},p=function(){for(var
t=0;t<n.length;t++){var e=n[t];e.call()}},u=function(){var t;if(o){var e;$
(window).resize(function(){e!
=document.documentElement.clientHeight&&(t&&clearTimeout(t),t=setTimeout(function(){p()},
50),e=document.documentElement.clientHeight)})}else $(window).resize(function()
{t&&clearTimeout(t),t=setTimeout(function(){p()},50)})},f=function(){$
("body").on("click",".portlet > .portlet-title > .tools > a.remove",function(t)
{t.preventDefault();var e=$(this).closest(".portlet");$("body").hasClass("page-portlet-
fullscreen")&&$("body").removeClass("page-portlet-fullscreen"),e.find(".portlet-
title .fullscreen").tooltip("destroy"),e.find(".portlet-title > .tools
> .reload").tooltip("destroy"),e.find(".portlet-title > .tools
> .remove").tooltip("destroy"),e.find(".portlet-title > .tools
> .config").tooltip("destroy"),e.find(".portlet-title > .tools > .collapse, .portlet
> .portlet-title > .tools > .expand").tooltip("destroy"),e.remove()}),$
("body").on("click",".portlet > .portlet-title .fullscreen",function(t){t.preventDefault();var
e=$(this).closest(".portlet");if(e.hasClass("portlet-fullscreen"))$
(this).removeClass("on"),e.removeClass("portlet-fullscreen"),$("body").removeClass("page-
portlet-fullscreen"),e.children(".portlet-body").css("height","auto");else{var
o=App.getViewPort().height-e.children(".portlet-title").outerHeight()-

Oct 5, 2018, 5:40 PM 65

© Copyright 2016 Hewlett Packard Enterprise Development LP
Insecure Randomness High
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/scripts/
High
app.min.js, line 1 (Insecure Randomness)
parseInt(e.children(".portlet-body").css("padding-top"))-parseInt(e.children(".portlet-
body").css("padding-bottom"));$(this).addClass("on"),e.addClass("portlet-fullscreen"),$
("body").addClass("page-portlet-fullscreen"),e.children(".portlet-body").css("height",o)}}),$
("body").on("click",".portlet > .portlet-title > .tools > a.reload",function(t)
{t.preventDefault();var e=$(this).closest(".portlet").children(".portlet-body"),o=$
(this).attr("data-url"),a=$(this).attr("data-error-display");o?(App.blockUI({target:e,animate:!
0,overlayColor:"none"}),$.ajax({type:"GET",cache:!1,url:o,dataType:"html",success:function(t)
{App.unblockUI(e),e.html(t),App.initAjax()},error:function(t,o,i){App.unblockUI(e);var
n="Error on reloading the content. Please check your connection and try
again.";"toastr"==a&&toastr?toastr.error(n):"notific8"==a&&$.notific8?($.notific8("zindex",
11500),$.notific8(n,{theme:"ruby",life:3e3})):alert(n)}})):(App.blockUI({target:e,animate:!
0,overlayColor:"none"}),window.setTimeout(function(){App.unblockUI(e)},1e3))}),$
('.portlet .portlet-title a.reload[data-load="true"]').click(),$("body").on("click",".portlet
> .portlet-title > .tools > .collapse, .portlet .portlet-title > .tools > .expand",function(t)
{t.preventDefault();var e=$(this).closest(".portlet").children(".portlet-body");$
(this).hasClass("collapse")?($
(this).removeClass("collapse").addClass("expand"),e.slideUp(200)):($
(this).removeClass("expand").addClass("collapse"),e.slideDown(200))})},b=function(){if($
().uniform){var t=$("input[type=checkbox]:not(.toggle, .md-check, .md-radiobtn, .make-
switch, .icheck), input[type=radio]:not(.toggle, .md-check, .md-radiobtn, .star, .make-
switch, .icheck)");t.size()>0&&t.each(function(){0===$(this).parents(".checker").size()&&($
(this).show(),$(this).uniform())})}},g=function(){if($("body").on("click",".md-checkbox >
label, .md-radio > label",function(){var t=$(this),e=$(this).children("span:first-
child");e.addClass("inc");var o=e.clone(!0);e.before(o),$("."+e.attr("class")
+":last",t).remove()}),$("body").hasClass("page-md")){var t,e,o,a,i;$
("body").on("click","a.btn, button.btn, input.btn, label.btn",function(n){t=$(this),
0==t.find(".md-click-circle").length&&t.prepend("<span class='md-click-circle'></
span>"),e=t.find(".md-click-circle"),e.removeClass("md-click-animate"),e.height()||e.width()||
(o=Math.max(t.outerWidth(),t.outerHeight()),e.css({height:o,width:o})),a=n.pageX-
t.offset().left-e.width()/2,i=n.pageY-t.offset().top-e.height()/2,e.css({top:i+"px",left:a
+"px"}).addClass("md-click-animate"),setTimeout(function(){e.remove()},1e3)})}var n=function(t)
{""!=t.val()?t.addClass("edited"):t.removeClass("edited")};$("body").on("keydown",".form-md-
floating-label .form-control",function(t){n($(this))}),$("body").on("blur",".form-md-floating-
label .form-control",function(t){n($(this))}),$(".form-md-floating-label .form-
control").each(function(){$(this).val().length>0&&$(this).addClass("edited")})},m=function(){$
().iCheck&&$(".icheck").each(function(){var t=$(this).attr("data-checkbox")?$(this).attr("data-
checkbox"):"icheckbox_minimal-grey",e=$(this).attr("data-radio")?$(this).attr("data-
radio"):"iradio_minimal-grey";t.indexOf("_line")>-1||e.indexOf("_line")>-1?$
(this).iCheck({checkboxClass:t,radioClass:e,insert:'<div class="icheck_line-icon"></div>'+$
(this).attr("data-label")}):$(this).iCheck({checkboxClass:t,radioClass:e})})},v=function(){$
().bootstrapSwitch&&$(".make-switch").bootstrapSwitch()},y=function(){$().confirmation&&$
("[data-toggle=confirmation]").confirmation({container:"body",btnOkClass:"btn btn-sm btn-
success",btnCancelClass:"btn btn-sm btn-danger"})},C=function(){$
("body").on("shown.bs.collapse",".accordion.scrollable",function(t){App.scrollTo($
(t.target))})},k=function(){if(location.hash){var t=encodeURI(location.hash.substr(1));$
('a[href="#'+t+'"]').parents(".tab-pane:hidden").each(function(){var t=$(this).attr("id");$
('a[href="#'+t+'"]').click()}),$('a[href="#'+t+'"]').click()}$().tabdrop&&$(".tabbable-
tabdrop .nav-pills, .tabbable-tabdrop .nav-tabs").tabdrop({text:'<i class="fa fa-ellipsis-v"></
i> <i class="fa fa-angle-down"></i>'})},x=function(){$
("body").on("hide.bs.modal",function(){$(".modal:visible").size()>1&&$("html").hasClass("modal-
open")===!1?$("html").addClass("modal-open"):$(".modal:visible").size()<=1&&$
("html").removeClass("modal-open")}),$("body").on("show.bs.modal",".modal",function(){$
(this).hasClass("modal-scroll")&&$("body").addClass("modal-open-noscroll")}),$
("body").on("hide.bs.modal",".modal",function(){$("body").removeClass("modal-open-noscroll")}),
$("body").on("hidden.bs.modal",".modal:not(.modal-cached)",function(){$
(this).removeData("bs.modal")})},w=function(){$(".tooltips").tooltip(),$(".portlet > .portlet-
title .fullscreen").tooltip({container:"body",title:"Fullscreen"}),$(".portlet > .portlet-
title > .tools > .reload").tooltip({container:"body",title:"Reload"}),$(".portlet > .portlet-
title > .tools > .remove").tooltip({container:"body",title:"Remove"}),$(".portlet > .portlet-

Oct 5, 2018, 5:40 PM 66

© Copyright 2016 Hewlett Packard Enterprise Development LP
Insecure Randomness High
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/scripts/
High
app.min.js, line 1 (Insecure Randomness)
title > .tools > .config").tooltip({container:"body",title:"Settings"}),$(".portlet > .portlet-
title > .tools > .collapse, .portlet > .portlet-title > .tools
> .expand").tooltip({container:"body",title:"Collapse/Expand"})},I=function(){$
("body").on("click",".dropdown-menu.hold-on-click",function(t)
{t.stopPropagation()})},z=function(){$("body").on("click",'[data-close="alert"]',function(t){$
(this).parent(".alert").hide(),$(this).closest(".note").hide(),t.preventDefault()}),$
("body").on("click",'[data-close="note"]',function(t){$
(this).closest(".note").hide(),t.preventDefault()}),$("body").on("click",'[data-
remove="note"]',function(t){$
(this).closest(".note").remove(),t.preventDefault()})},A=function(){$('[data-
hover="dropdown"]').not(".hover-initialized").each(function(){$(this).dropdownHover(),$
(this).addClass("hover-initialized")})},S=function(){"function"==typeof
autosize&&autosize(document.querySelector("textarea.autosizeme"))},P=function(){$
(".popovers").popover(),$(document).on("click.bs.popover.data-api",function(e)
{t&&t.popover("hide")})},T=function(){App.initSlimScroll(".scroller")},U=function()
{jQuery.fancybox&&$(".fancybox-button").size()>0&&$(".fancybox-
button").fancybox({groupAttr:"data-rel",prevEffect:"none",nextEffect:"none",closeBtn:!
0,helpers:{title:{type:"inside"}}})},D=function(){$().counterUp&&$("[data-
counter='counterup']").counterUp({delay:10,time:1e3})},E=function(){(o||a)&&$
("input[placeholder]:not(.placeholder-no-fix), textarea[placeholder]:not(.placeholder-no-
fix)").each(function(){var t=$(this);""===t.val()&&""!
==t.attr("placeholder")&&t.addClass("placeholder").val(t.attr("placeholder")),t.focus(function()
{t.val()==t.attr("placeholder")&&t.val("")}),t.blur(function(){(""===t.val()||
t.val()==t.attr("placeholder"))&&t.val(t.attr("placeholder"))})})},G=function(){$
().select2&&($.fn.select2.defaults.set("theme","bootstrap"),$
(".select2me").select2({placeholder:"Select",width:"auto",allowClear:!0}))},H=function(){$
("[data-auto-height]").each(function(){var t=$(this),e=$("[data-height]",t),o=0,a=t.attr("data-
mode"),i=parseInt(t.attr("data-offset")?t.attr("data-offset"):0);e.each(function(){"height"==$
(this).attr("data-height")?$(this).css("height",""):$(this).css("min-height","");var t="base-
height"==a?$(this).outerHeight():$(this).outerHeight(!0);t>o&&(o=t)}),o+=i,e.each(function()
{"height"==$(this).attr("data-height")?$(this).css("height",o):$(this).css("min-
height",o)}),t.attr("data-related")&&$(t.attr("data-
related")).css("height",t.height())})};return{init:function()
{h(),u(),g(),b(),m(),v(),T(),U(),G(),f(),z(),I(),k(),w(),P(),C(),x(),y(),S(),D(),this.addResizeHandler(H)
{b(),m(),v(),A(),T(),G(),U(),I(),w(),P(),C(),y()},initComponents:function()
{this.initAjax()},setLastPopedPopover:function(e){t=e},addResizeHandler:function(t)
{n.push(t)},runResizeHandlers:function(){p()},scrollTo:function(t,e){var o=t&&t.size()>0?
t.offset().top:0;t&&($("body").hasClass("page-header-fixed")?o-=$(".page-header").height():$
("body").hasClass("page-header-top-fixed")?o-=$(".page-header-top").height():$
("body").hasClass("page-header-menu-fixed")&&(o-=$(".page-header-menu").height()),o+=e?
e:-1*t.height()),$("html,body").animate({scrollTop:o},"slow")},initSlimScroll:function(t){$
(t).each(function(){if(!$(this).attr("data-initialized")){var t;t=$(this).attr("data-height")?$
(this).attr("data-height"):$(this).css("height"),$(this).slimScroll({allowPageScroll:!
0,size:"7px",color:$(this).attr("data-handle-color")?$(this).attr("data-handle-
color"):"#bbb",wrapperClass:$(this).attr("data-wrapper-class")?$(this).attr("data-wrapper-
class"):"slimScrollDiv",railColor:$(this).attr("data-rail-color")?$(this).attr("data-rail-
color"):"#eaeaea",position:e?"left":"right",height:t,alwaysVisible:"1"==$(this).attr("data-
always-visible")?!0:!1,railVisible:"1"==$(this).attr("data-rail-visible")?!0:!
1,disableFadeOut:!0}),$(this).attr("data-initialized","1")}})},destroySlimScroll:function(t){$
(t).each(function(){if("1"===$(this).attr("data-initialized")){$(this).removeAttr("data-
initialized"),$(this).removeAttr("style");var t={};$(this).attr("data-handle-color")&&(t["data-
handle-color"]=$(this).attr("data-handle-color")),$(this).attr("data-wrapper-class")&&(t["data-
wrapper-class"]=$(this).attr("data-wrapper-class")),$(this).attr("data-rail-color")&&(t["data-
rail-color"]=$(this).attr("data-rail-color")),$(this).attr("data-always-visible")&&(t["data-
always-visible"]=$(this).attr("data-always-visible")),$(this).attr("data-rail-
visible")&&(t["data-rail-visible"]=$(this).attr("data-rail-visible")),$
(this).slimScroll({wrapperClass:$(this).attr("data-wrapper-class")?$(this).attr("data-wrapper-
class"):"slimScrollDiv",destroy:!0});var e=$(this);$.each(t,function(t,o)
{e.attr(t,o)})}})},scrollTop:function(){App.scrollTo()},blockUI:function(t){t=$.extend(!0,

Oct 5, 2018, 5:40 PM 67

© Copyright 2016 Hewlett Packard Enterprise Development LP
Insecure Randomness High
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/scripts/
High
app.min.js, line 1 (Insecure Randomness)
{},t);var e="";if(e=t.animate?'<div class="loading-message '+(t.boxed?"loading-message-
boxed":"")+'"><div class="block-spinner-bar"><div class="bounce1"></div><div class="bounce2"></
div><div class="bounce3"></div></div></div>':t.iconOnly?'<div class="loading-message '+
(t.boxed?"loading-message-boxed":"")+'"><img src="'+this.getGlobalImgPath()+'loading-spinner-
grey.gif" align=""></div>':t.textOnly?'<div class="loading-message '+(t.boxed?"loading-message-
boxed":"")+'"><span>  '+(t.message?t.message:"LOADING...")+"</span></div>":'<div
class="loading-message '+(t.boxed?"loading-message-boxed":"")+'"><img
src="'+this.getGlobalImgPath()+'loading-spinner-grey.gif" align=""><span>  '+
(t.message?t.message:"LOADING...")+"</span></div>",t.target){var o=$(t.target);o.height()<=$
(window).height()&&(t.cenrerY=!0),o.block({message:e,baseZ:t.zIndex?t.zIndex:1e3,centerY:void
0!==t.cenrerY?t.cenrerY:!1,css:
{top:"10%",border:"0",padding:"0",backgroundColor:"none"},overlayCSS:
{backgroundColor:t.overlayColor?t.overlayColor:"#555",opacity:t.boxed?.05:.1,cursor:"wait"}})}
else $.blockUI({message:e,baseZ:t.zIndex?t.zIndex:1e3,css:
{border:"0",padding:"0",backgroundColor:"none"},overlayCSS:{backgroundColor:t.overlayColor?
t.overlayColor:"#555",opacity:t.boxed?.05:.1,cursor:"wait"}})},unblockUI:function(t){t?$
(t).unblock({onUnblock:function(){$(t).css("position",""),$(t).css("zoom","")}}):
$.unblockUI()},startPageLoading:function(t){t&&t.animate?($(".page-spinner-bar").remove(),$
("body").append('<div class="page-spinner-bar"><div class="bounce1"></div><div
class="bounce2"></div><div class="bounce3"></div></div>')):($(".page-loading").remove(),$
("body").append('<div class="page-loading"><img src="'+this.getGlobalImgPath()+'loading-
spinner-grey.gif"/>  <span>'+(t&&t.message?t.message:"Loading...")+"</span></
div>"))},stopPageLoading:function(){$(".page-loading, .page-spinner-
bar").remove()},alert:function(t){t=$.extend(!0,
{container:"",place:"append",type:"success",message:"",close:!0,reset:!0,focus:!
0,closeInSeconds:0,icon:""},t);var e=App.getUniqueID("App_alert"),o='<div id="'+e+'"
class="custom-alerts alert alert-'+t.type+' fade in">'+(t.close?'<button type="button"
class="close" data-dismiss="alert" aria-hidden="true"></button>':"")+(""!==t.icon?'<i
class="fa-lg fa fa-'+t.icon+'"></i> ':"")+t.message+"</div>";return t.reset&&$(".custom-
alerts").remove(),t.container?"append"==t.place?$(t.container).append(o):$
(t.container).prepend(o):1===$(".page-fixed-main-content").size()?$(".page-fixed-main-
content").prepend(o):($("body").hasClass("page-container-bg-solid")||$("body").hasClass("page-
content-white"))&&0===$(".page-head").size()?$(".page-title").after(o):$(".page-bar").size()>0?
$(".page-bar").after(o):$(".page-breadcrumb, .breadcrumbs").after(o),t.focus&&App.scrollTo($
("#"+e)),t.closeInSeconds>0&&setTimeout(function(){$("#"+e).remove()},
1e3*t.closeInSeconds),e},initUniform:function(t){t?$(t).each(function(){0===$
(this).parents(".checker").size()&&($(this).show(),$
(this).uniform())}):b()},updateUniform:function(t){$.uniform.update(t)},initFancybox:function()
{U()},getActualVal:function(t){return t=$
(t),t.val()===t.attr("placeholder")?"":t.val()},getURLParameter:function(t){var
e,o,a=window.location.search.substring(1),i=a.split("&");for(e=0;e<i.length;e+
+)if(o=i[e].split("="),o[0]==t)return unescape(o[1]);return null},isTouchDevice:function()
{try{return document.createEvent("TouchEvent"),!0}catch(t){return!1}},getViewPort:function()
{var t=window,e="inner";return"innerWidth"in window||(e="client",t=document.documentElement||
document.body),{width:t[e+"Width"],height:t[e+"Height"]}},getUniqueID:function(t)
{return"prefix_"+Math.floor(Math.random()*(new Date).getTime())},isIE8:function(){return
o},isIE9:function(){return a},isRTL:function(){return e},isAngularJsApp:function()
{return"undefined"==typeof angular?!1:!0},getAssetsPath:function(){return
l},setAssetsPath:function(t){l=t},setGlobalImgPath:function(t){s=t},getGlobalImgPath:function()
{return l+s},setGlobalPluginsPath:function(t){r=t},getGlobalPluginsPath:function(){return l
+r},getGlobalCssPath:function(){return l+c},getBrandColor:function(t){return d[t]?
d[t]:""},getResponsiveBreakpoint:function(t){var e={xs:480,sm:768,md:992,lg:1200};return e[t]?
e[t]:0}}}();jQuery(document).ready(function(){App.init()});
2
3 undefined
4 undefined
5 undefined

Oct 5, 2018, 5:40 PM 68

Oct 5, 2018, 5:40 PM 69

Abstract
Applications that use JavaScript notation to transport sensitive data can be vulnerable to JavaScript
hijacking, which allows an unauthorized attacker to read confidential data from a vulnerable application.

Explanation
An application may be vulnerable to JavaScript hijacking if it: 1) Uses JavaScript objects as a data transfer
format 2) Handles confidential data. Because JavaScript hijacking vulnerabilities do not occur as a direct
result of a coding mistake, the Fortify Secure Coding Rulepacks call attention to potential JavaScript
hijacking vulnerabilities by identifying code that appears to generate JavaScript in an HTTP response.

Web browsers enforce the Same Origin Policy in order to protect users from malicious websites. The Same
Origin Policy requires that, in order for JavaScript to access the contents of a web page, both the
JavaScript and the web page must originate from the same domain. Without the Same Origin Policy, a
malicious website could serve up JavaScript that loads sensitive information from other websites using a
client's credentials, culls through it, and communicates it back to the attacker. JavaScript hijacking allows
an attacker to bypass the Same Origin Policy in the case that a web application uses JavaScript to
communicate confidential information. The loophole in the Same Origin Policy is that it allows JavaScript
from any website to be included and executed in the context of any other website. Even though a malicious
site cannot directly examine any data loaded from a vulnerable site on the client, it can still take advantage
of this loophole by setting up an environment that allows it to witness the execution of the JavaScript and
any relevant side effects it may have. Since many Web 2.0 applications use JavaScript as a data transport
mechanism, they are often vulnerable while traditional web applications are not.

The most popular format for communicating information in JavaScript is JavaScript Object Notation
(JSON). The JSON RFC defines JSON syntax to be a subset of JavaScript object literal syntax. JSON is
based on two types of data structures: arrays and objects. Any data transport format where messages can
be interpreted as one or more valid JavaScript statements is vulnerable to JavaScript hijacking. JSON
makes JavaScript hijacking easier by the fact that a JSON array stands on its own as a valid JavaScript
statement. Since arrays are a natural form for communicating lists, they are commonly used wherever an
application needs to communicate multiple values. Put another way, a JSON array is directly vulnerable to
JavaScript hijacking. A JSON object is only vulnerable if it is wrapped in some other JavaScript construct
that stands on its own as a valid JavaScript statement.

Example 1: The following example begins by showing a legitimate JSON interaction between the client
and server components of a web application used to manage sales leads. It goes on to show how an
attacker may mimic the client and gain access to the confidential data the server returns. Note that this
example is written for Mozilla-based browsers. Other mainstream browsers do not allow native constructors
to be overridden when an object is created without the use of the new operator.

The client requests data from a server and evaluates the result as JSON with the following code:

var object;
var req = new XMLHttpRequest();
req.open("GET", "/object.json",true);
req.onreadystatechange = function () {
if (req.readyState == 4) {
var txt = req.responseText;
object = eval("(" + txt + ")");
req = null;
}
};

Oct 5, 2018, 5:40 PM 70

When the code runs, it generates an HTTP request that looks like this:

GET /object.json HTTP/1.1

...
Host: www.example.com
Cookie: JSESSIONID=F2rN6HopNzsfXFjHX1c5Ozxi0J5SQZTr4a5YJaSbAiTnRR

(In this HTTP response and the one that follows we have elided HTTP headers that are not directly relevant
to this explanation.)
The server responds with an array in JSON format:

HTTP/1.1 200 OK
Cache-control: private
Content-Type: text/JavaScript; charset=utf-8
...
[{"fname":"Brian", "lname":"Chess", "phone":"6502135600",
"purchases":60000.00, "email":"[email protected]" },
{"fname":"Katrina", "lname":"O'Neil", "phone":"6502135600",
"purchases":120000.00, "email":"[email protected]" },
{"fname":"Jacob", "lname":"West", "phone":"6502135600",
"purchases":45000.00, "email":"[email protected]" }]

In this case, the JSON contains confidential information associated with the current user (a list of sales
leads). Other users cannot access this information without knowing the user's session identifier. (In most
modern web applications, the session identifier is stored as a cookie.) However, if a victim visits a malicious
website, the malicious site can retrieve the information using JavaScript hijacking. If a victim can be tricked
into visiting a web page that contains the following malicious code, the victim's lead information will be sent
to the attacker's web site.

Oct 5, 2018, 5:40 PM 71

The malicious code uses a script tag to include the JSON object in the current page. The web browser will
send up the appropriate session cookie with the request. In other words, this request will be handled just as
though it had originated from the legitimate application.

When the JSON array arrives on the client, it will be evaluated in the context of the malicious page. In order
to witness the evaluation of the JSON, the malicious page has redefined the JavaScript function used to
create new objects. In this way, the malicious code has inserted a hook that allows it to get access to the
creation of each object and transmit the object's contents back to the malicious site. Other attacks might
override the default constructor for arrays instead. Applications that are built to be used in a mashup
sometimes invoke a callback function at the end of each JavaScript message. The callback function is
meant to be defined by another application in the mashup. A callback function makes a JavaScript
hijacking attack a trivial affair -- all the attacker has to do is define the function. An application can be
mashup-friendly or it can be secure, but it cannot be both. If the user is not logged into the vulnerable site,
the attacker may compensate by asking the user to log in and then displaying the legitimate login page for
the application.

This is not a phishing attack -- the attacker does not gain access to the user's credentials -- so anti-
phishing countermeasures will not be able to defeat the attack. More complex attacks could make a series
of requests to the application by using JavaScript to dynamically generate script tags. This same technique
is sometimes used to create application mashups. The only difference is that, in this mashup scenario, one
of the applications involved is malicious.

Recommendation
All programs that communicate using JavaScript should take the following defensive measures: 1) Decline
malicious requests: Include a hard-to-guess identifier, such as the session identifier, as part of each
request that will return JavaScript. This defeats cross-site request forgery attacks by allowing the server to
validate the origin of the request. 2) Prevent direct execution of the JavaScript response: Include
characters in the response that prevent it from being successfully handed off to a JavaScript interpreter
without modification. This prevents an attacker from using a

Issue Summary

Oct 5, 2018, 5:40 PM 72

© Copyright 2016 Hewlett Packard Enterprise Development LP
Engine Breakdown
SCA WebInspect SecurityScope Total
JavaScript Hijacking 1 0 0 1
Total 1 0 0 1

JavaScript Hijacking Low

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.plugins
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/
Low
respond.min.js, line 6 (JavaScript Hijacking)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Structural)

Sink Details
Sink: FunctionPointerCall
Enclosing Method: v()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/respond.min.js:6
Taint Flags:
3 window.matchMedia=window.matchMedia||function(a){"use strict";var
c,d=a.documentElement,e=d.firstElementChild||
d.firstChild,f=a.createElement("body"),g=a.createElement("div");return g.id="mq-
test-1",g.style.cssText="position:absolute;top:-100em",f.style.background="none",f.appendChild(g),functio
{return g.innerHTML='<style media="'+a+'"> #mq-test-1 { width: 42px; }</
style>',d.insertBefore(f,e),c=42===g.offsetWidth,d.removeChild(f),{matches:c,media:a}}}
(document);
4
5 /*! Respond.js v1.1.0: min/max-width media query polyfill. (c) Scott Jehl. MIT/GPLv2 Lic.
j.mp/respondjs */
6 (function(a){"use strict";function x(){u(!0)}var b={};if(a.respond=b,b.update=function()
{},b.mediaQueriesSupported=a.matchMedia&&a.matchMedia("only all").matches,!
b.mediaQueriesSupported){var
q,r,t,c=a.document,d=c.documentElement,e=[],f=[],g=[],h={},i=30,j=c.getElementsByTagName("head")
[0]||d,k=c.getElementsByTagName("base")[0],l=j.getElementsByTagName("link"),m=[],n=function()
{for(var b=0;l.length>b;b++){var
c=l[b],d=c.href,e=c.media,f=c.rel&&"stylesheet"===c.rel.toLowerCase();d&&f&&!
h[d]&&(c.styleSheet&&c.styleSheet.rawCssText?(p(c.styleSheet.rawCssText,d,e),h[d]=!0):(!/^([a-
zA-Z:]*\/\/)/.test(d)&&!k||d.replace(RegExp.$1,"").split("/")
[0]===a.location.host)&&m.push({href:d,media:e}))}o()},o=function(){if(m.length){var
b=m.shift();v(b.href,function(c){p(c,b.href,b.media),h[b.href]=!0,a.setTimeout(function(){o()},
0)})}},p=function(a,b,c){var d=a.match(/@media[^\{]+\{([^\{\}]*\{[^\}\{]*\})+/
gi),g=d&&d.length||0;b=b.substring(0,b.lastIndexOf("/"));var h=function(a){return a.replace(/
(url$)['"]?([^\/$'"][^:\)'"]+)['"]?(\))/g,"$1"+b+"$2$3")},i=!g&&c;b.length&&(b
+="/"),i&&(g=1);for(var j=0;g>j;j++){var k,l,m,n;i?(k=c,f.push(h(a))):(k=d[j].match(/@media
*([^\{]+)\{([\S\s]+?)$/)&&RegExp.$1,f.push(RegExp.$2&&h(RegExp.
$2))),m=k.split(","),n=m.length;for(var o=0;n>o;o++)l=m[o],e.push({media:l.split("(")
[0].match(/(only\s+)?([a-zA-Z]+)\s?/)&&RegExp.
$2||"all",rules:f.length-1,hasquery:l.indexOf("(")>-1,minw:l.match(/$\s*min\-width\s*:
\s*(\s*[0-9\.]+)(px|em)\s*$/)&&parseFloat(RegExp.$1)+(RegExp.$2||""),maxw:l.match(/$\s*max\-
width\s*:\s*(\s*[0-9\.]+)(px|em)\s*$/)&&parseFloat(RegExp.$1)+(RegExp.$2||"")})}
u()},s=function(){var a,b=c.createElement("div"),e=c.body,f=!1;return
b.style.cssText="position:absolute;font-size:1em;width:1em",e||
(e=f=c.createElement("body"),e.style.background="none"),e.appendChild(b),d.insertBefore(e,d.firstChild),a
d.removeChild(e):e.removeChild(b),a=t=parseFloat(a)},u=function(b){var
h="clientWidth",k=d[h],m="CSS1Compat"===c.compatMode&&k||c.body[h]||
k,n={},o=l[l.length-1],p=(new Date).getTime();if(b&&q&&i>p-q)return
a.clearTimeout(r),r=a.setTimeout(u,i),void 0;q=p;for(var v in e)if(e.hasOwnProperty(v)){var

Oct 5, 2018, 5:40 PM 73

© Copyright 2016 Hewlett Packard Enterprise Development LP
JavaScript Hijacking Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.plugins
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/
Low
respond.min.js, line 6 (JavaScript Hijacking)
w=e[v],x=w.minw,y=w.maxw,z=null===x,A=null===y,B="em";x&&(x=parseFloat(x)*(x.indexOf(B)>-1?t||
s():1)),y&&(y=parseFloat(y)*(y.indexOf(B)>-1?t||s():1)),w.hasquery&&(z&&A||!(z||m>=x)||!(A||
y>=m))||(n[w.media]||(n[w.media]=[]),n[w.media].push(f[w.rules]))}for(var C in
g)g.hasOwnProperty(C)&&g[C]&&g[C].parentNode===j&&j.removeChild(g[C]);for(var D in
n)if(n.hasOwnProperty(D)){var E=c.createElement("style"),F=n[D].join("\n");E.type="text/
css",E.media=D,j.insertBefore(E,o.nextSibling),E.styleSheet?
E.styleSheet.cssText=F:E.appendChild(c.createTextNode(F)),g.push(E)}},v=function(a,b){var
c=w();c&&(c.open("GET",a,!0),c.onreadystatechange=function(){4!==c.readyState||200!
==c.status&&304!==c.status||b(c.responseText)},4!==c.readyState&&c.send(null))},w=function()
{var b=!1;try{b=new a.XMLHttpRequest}catch(c){b=new a.ActiveXObject("Microsoft.XMLHTTP")}
return function(){return b}}();n(),b.update=n,a.addEventListener?
a.addEventListener("resize",x,!1):a.attachEvent&&a.attachEvent("onresize",x)}})(this);
7
8 undefined
9 undefined

Oct 5, 2018, 5:40 PM 74

The client requests data from a server and evaluates the result as JSON with the following code:

Oct 5, 2018, 5:40 PM 75

When the code runs, it generates an HTTP request that looks like this:

GET /object.json HTTP/1.1

...
Host: www.example.com
Cookie: JSESSIONID=F2rN6HopNzsfXFjHX1c5Ozxi0J5SQZTr4a5YJaSbAiTnRR

(In this HTTP response and the one that follows we have elided HTTP headers that are not directly relevant
to this explanation.)
The server responds with an array in JSON format:

// Send the captured object back to the attacker's web site

Oct 5, 2018, 5:40 PM 76

Issue Summary

Oct 5, 2018, 5:40 PM 77

© Copyright 2016 Hewlett Packard Enterprise Development LP
Engine Breakdown
SCA WebInspect SecurityScope Total
JavaScript Hijacking: Vulnerable Framework 19 0 0 19
Total 19 0 0 19

JavaScript Hijacking: Vulnerable Framework Low

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.plugins.datatables
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/
Low
datatables/datatables.js, line 81920 (JavaScript Hijacking: Vulnerable Framework)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Structural)

Sink Details
Sink: FunctionPointerCall
Enclosing Method: lambda()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/datatables/datatables.js:81920
Taint Flags:
81917 * get async to the remainder of this function we use bInitHandedOff to indicate that
81918 * _fnInitialise will be fired by the returned Ajax handler, rather than the constructor
81919 */
81920 $.ajax( {
81921 dataType: 'json',
81922 url: oLanguage.sUrl,
81923 success: function ( json ) {

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/

Low
datatables/datatables.js, line 78148 (JavaScript Hijacking: Vulnerable Framework)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Structural)

Sink Details
Sink: FunctionPointerCall
Enclosing Method: _fnBuildAjax()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/datatables/datatables.js:78148
Taint Flags:
78145 else
78146 {
78147 // Object to extend the base settings
78148 oSettings.jqXHR = $.ajax( $.extend( baseAjax, ajax ) );
78149
78150 // Restore for next time around
78151 ajax.data = ajaxData;

Oct 5, 2018, 5:40 PM 78

© Copyright 2016 Hewlett Packard Enterprise Development LP
JavaScript Hijacking: Vulnerable Framework Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.plugins.datatables
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/
datatables/datatables.js, line 78136 (JavaScript Hijacking: Vulnerable Framework) Low
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Structural)

Sink Details
Sink: FunctionPointerCall
Enclosing Method: _fnBuildAjax()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/datatables/datatables.js:78136
Taint Flags:
78133 else if ( oSettings.sAjaxSource || typeof ajax === 'string' )
78134 {
78135 // DataTables 1.9- compatibility
78136 oSettings.jqXHR = $.ajax( $.extend( baseAjax, {
78137 url: ajax || oSettings.sAjaxSource
78138 } ) );
78139 }

Package: Code.Sampoerna.Credit Life.5th Scan.

20181005_CLS.CLS.assets.global.plugins.fullcalendar
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/
fullcalendar/fullcalendar.js, line 9457 (JavaScript Hijacking: Vulnerable Low
Framework)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Structural)

Sink Details
Sink: FunctionPointerCall
Enclosing Method: _fetchEventSource()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/fullcalendar/fullcalendar.js:9457
Taint Flags:
9454 }
9455
9456 t.pushLoading();
9457 $.ajax($.extend({}, ajaxDefaults, source, {
9458 data: data,
9459 success: function(events) {
9460 events = events || [];

Oct 5, 2018, 5:40 PM 79

© Copyright 2016 Hewlett Packard Enterprise Development LP
JavaScript Hijacking: Vulnerable Framework Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.plugins.jquery-
inputmask
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/
jquery-inputmask/jquery.inputmask.bundle.js, line 2473 (JavaScript Hijacking: Low
Vulnerable Framework)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Structural)

Sink Details
Sink: FunctionPointerCall
Enclosing Method: mask()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/jquery-inputmask/
jquery.inputmask.bundle.js:2473
Taint Flags:
2470 mask: function(opts) {
2471 opts.definitions["#"] = opts.definitions[9];
2472 var maskList = [];
2473 return $.ajax({
2474 url: opts.url,
2475 async: !1,
2476 dataType: "json",

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.plugins.jquery-

inputmask.inputmask
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/
jquery-inputmask/inputmask/inputmask.phone.extensions.js, line 18 (JavaScript Low
Hijacking: Vulnerable Framework)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Structural)

Sink Details
Sink: FunctionPointerCall
Enclosing Method: mask()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/jquery-inputmask/inputmask/
inputmask.phone.extensions.js:18
Taint Flags:
15 mask: function(opts) {
16 opts.definitions["#"] = opts.definitions[9];
17 var maskList = [];
18 return $.ajax({
19 url: opts.url,
20 async: !1,
21 dataType: "json",

Oct 5, 2018, 5:40 PM 80

© Copyright 2016 Hewlett Packard Enterprise Development LP
JavaScript Hijacking: Vulnerable Framework Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.plugins.jquery-
validation.js
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/
jquery-validation/js/jquery.validate.js, line 1329 (JavaScript Hijacking: Vulnerable Low
Framework)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Structural)

Sink Details
Sink: FunctionPointerCall
Enclosing Method: remote()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/jquery-validation/js/
jquery.validate.js:1329
Taint Flags:
1326 this.startRequest( element );
1327 data = {};
1328 data[ element.name ] = value;
1329 $.ajax( $.extend( true, {
1330 mode: "abort",
1331 port: "validate" + element.name,
1332 dataType: "json",

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.scripts

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/scripts/
Low
app.js, line 144 (JavaScript Hijacking: Vulnerable Framework)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Data Flow)

Source Details
Source: Read type
From: lambda
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/scripts/ap
p.js:145
142 overlayColor: 'none'
143 });
144 $.ajax({
145 type: "GET",
146 cache: false,
147 url: url,
148 dataType: "html",

Sink Details

Oct 5, 2018, 5:40 PM 81

© Copyright 2016 Hewlett Packard Enterprise Development LP
JavaScript Hijacking: Vulnerable Framework Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/scripts/
Low
app.js, line 144 (JavaScript Hijacking: Vulnerable Framework)

Sink: ajax(0)
Enclosing Method: lambda()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/scripts/app.js:144
Taint Flags: HTTP_GET
141 animate: true,
142 overlayColor: 'none'
143 });
144 $.ajax({
145 type: "GET",
146 cache: false,
147 url: url,

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/scripts/

Low
app.min.js, line 1 (JavaScript Hijacking: Vulnerable Framework)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Data Flow)

Source Details
Source: Read type
From: lambda
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/scripts/ap
p.min.js:1
1 var App=function(){var t,e=!1,o=!1,a=!1,i=!1,n=[],l="../../
assets/",s="global/img/",r="global/plugins/",c="global/
css/",d={blue:"#89C4F4",red:"#F3565D",green:"#1bbc9b",purple:"#9b59b6",grey:"#95a5a6",
{"rtl"===$("body").css("direction")&&(e=!0),o=!!navigator.userAgent.match(/
MSIE 8.0/),a=!!navigator.userAgent.match(/MSIE 9.0/),i=!!
navigator.userAgent.match(/MSIE 10.0/),i&&$("html").addClass("ie10"),(i||a||
o)&&$("html").addClass("ie")},p=function(){for(var t=0;t<n.length;t++){var
e=n[t];e.call()}},u=function(){var t;if(o){var e;$(window).resize(function()
{e!
=document.documentElement.clientHeight&&(t&&clearTimeout(t),t=setTimeout(function()
{p()},50),e=document.documentElement.clientHeight)})}else $
(window).resize(function(){t&&clearTimeout(t),t=setTimeout(function(){p()},
50)})},f=function(){$("body").on("click",".portlet > .portlet-title > .tools
> a.remove",function(t){t.preventDefault();var e=$(this).closest(".portlet");$
("body").hasClass("page-portlet-fullscreen")&&$("body").removeClass("page-
portlet-fullscreen"),e.find(".portlet-
title .fullscreen").tooltip("destroy"),e.find(".portlet-title > .tools
> .reload").tooltip("destroy"),e.find(".portlet-title > .tools
> .remove").tooltip("destroy"),e.find(".portlet-title > .tools
> .config").tooltip("destroy"),e.find(".portlet-title > .tools
> .collapse, .portlet > .portlet-title > .tools
> .expand").tooltip("destroy"),e.remove()}),$("body").on("click",".portlet

Oct 5, 2018, 5:40 PM 82

© Copyright 2016 Hewlett Packard Enterprise Development LP
JavaScript Hijacking: Vulnerable Framework Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/scripts/
app.min.js, line 1 (JavaScript Hijacking: Vulnerable Framework) Low

> .portlet-title .fullscreen",function(t){t.preventDefault();var e=$

(this).closest(".portlet");if(e.hasClass("portlet-fullscreen"))$
(this).removeClass("on"),e.removeClass("portlet-fullscreen"),$
("body").removeClass("page-portlet-fullscreen"),e.children(".portlet-
body").css("height","auto");else{var o=App.getViewPort().height-
e.children(".portlet-title").outerHeight()-parseInt(e.children(".portlet-
body").css("padding-top"))-parseInt(e.children(".portlet-body").css("padding-
bottom"));$(this).addClass("on"),e.addClass("portlet-fullscreen"),$
("body").addClass("page-portlet-fullscreen"),e.children(".portlet-
body").css("height",o)}}),$("body").on("click",".portlet > .portlet-title
> .tools > a.reload",function(t){t.preventDefault();var e=$
(this).closest(".portlet").children(".portlet-body"),o=$(this).attr("data-
url"),a=$(this).attr("data-error-display");o?(App.blockUI({target:e,animate:!
0,overlayColor:"none"}),$.ajax({type:"GET",cache:!
1,url:o,dataType:"html",success:function(t)
{App.unblockUI(e),e.html(t),App.initAjax()},error:function(t,o,i)
{App.unblockUI(e);var n="Error on reloading the content. Please check your
connection and try again.";"toastr"==a&&toastr?toastr.error(n):"notific8"==a&&
$.notific8?($.notific8("zindex",11500),$.notific8(n,{theme:"ruby",life:
3e3})):alert(n)}})):(App.blockUI({target:e,animate:!
0,overlayColor:"none"}),window.setTimeout(function(){App.unblockUI(e)},
1e3))}),$('.portlet .portlet-title a.reload[data-load="true"]').click(),$
("body").on("click",".portlet > .portlet-title > .tools
> .collapse, .portlet .portlet-title > .tools > .expand",function(t)
{t.preventDefault();var e=$(this).closest(".portlet").children(".portlet-
body");$(this).hasClass("collapse")?($
(this).removeClass("collapse").addClass("expand"),e.slideUp(200)):($
(this).removeClass("expand").addClass("collapse"),e.slideDown(200))})},b=function()
{if($().uniform){var t=$("input[type=checkbox]:not(.toggle, .md-check, .md-
radiobtn, .make-switch, .icheck), input[type=radio]:not(.toggle, .md-
check, .md-radiobtn, .star, .make-
switch, .icheck)");t.size()>0&&t.each(function(){0===$
(this).parents(".checker").size()&&($(this).show(),$
(this).uniform())})}},g=function(){if($("body").on("click",".md-checkbox >
label, .md-radio > label",function(){var t=$(this),e=$
(this).children("span:first-child");e.addClass("inc");var o=e.clone(!
0);e.before(o),$("."+e.attr("class")+":last",t).remove()}),$
("body").hasClass("page-md")){var t,e,o,a,i;$("body").on("click","a.btn,
button.btn, input.btn, label.btn",function(n){t=$(this),0==t.find(".md-click-
circle").length&&t.prepend("<span class='md-click-circle'></
span>"),e=t.find(".md-click-circle"),e.removeClass("md-click-
animate"),e.height()||e.width()||
(o=Math.max(t.outerWidth(),t.outerHeight()),e.css({height:o,width:o})),a=n.pageX-
t.offset().left-e.width()/2,i=n.pageY-t.offset().top-e.height()/2,e.css({top:i
+"px",left:a+"px"}).addClass("md-click-animate"),setTimeout(function()
{e.remove()},1e3)})}var n=function(t){""!=t.val()?
t.addClass("edited"):t.removeClass("edited")};$("body").on("keydown",".form-
md-floating-label .form-control",function(t){n($(this))}),$

Oct 5, 2018, 5:40 PM 83

© Copyright 2016 Hewlett Packard Enterprise Development LP
JavaScript Hijacking: Vulnerable Framework Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/scripts/
app.min.js, line 1 (JavaScript Hijacking: Vulnerable Framework) Low

("body").on("blur",".form-md-floating-label .form-control",function(t){n($
(this))}),$(".form-md-floating-label .form-control").each(function(){$
(this).val().length>0&&$(this).addClass("edited")})},m=function(){$().iCheck&&
$(".icheck").each(function(){var t=$(this).attr("data-checkbox")?$
(this).attr("data-checkbox"):"icheckbox_minimal-grey",e=$(this).attr("data-
radio")?$(this).attr("data-radio"):"iradio_minimal-
grey";t.indexOf("_line")>-1||e.indexOf("_line")>-1?$
(this).iCheck({checkboxClass:t,radioClass:e,insert:'<div class="icheck_line-
icon"></div>'+$(this).attr("data-label")}):$
(this).iCheck({checkboxClass:t,radioClass:e})})},v=function(){$
().bootstrapSwitch&&$(".make-switch").bootstrapSwitch()},y=function(){$
().confirmation&&$("[data-
toggle=confirmation]").confirmation({container:"body",btnOkClass:"btn btn-sm
btn-success",btnCancelClass:"btn btn-sm btn-danger"})},C=function(){$
("body").on("shown.bs.collapse",".accordion.scrollable",function(t)
{App.scrollTo($(t.target))})},k=function(){if(location.hash){var
t=encodeURI(location.hash.substr(1));$('a[href="#'+t+'"]').parents(".tab-
pane:hidden").each(function(){var t=$(this).attr("id");$('a[href="#'+t
+'"]').click()}),$('a[href="#'+t+'"]').click()}$().tabdrop&&$(".tabbable-
tabdrop .nav-pills, .tabbable-tabdrop .nav-tabs").tabdrop({text:'<i class="fa
fa-ellipsis-v"></i> <i class="fa fa-angle-down"></i>'})},x=function(){$
("body").on("hide.bs.modal",function(){$(".modal:visible").size()>1&&$
("html").hasClass("modal-open")===!1?$("html").addClass("modal-open"):$
(".modal:visible").size()<=1&&$("html").removeClass("modal-open")}),$
("body").on("show.bs.modal",".modal",function(){$(this).hasClass("modal-
scroll")&&$("body").addClass("modal-open-noscroll")}),$
("body").on("hide.bs.modal",".modal",function(){$("body").removeClass("modal-
open-noscroll")}),$("body").on("hidden.bs.modal",".modal:not(.modal-
cached)",function(){$(this).removeData("bs.modal")})},w=function(){$
(".tooltips").tooltip(),$(".portlet > .portlet-
title .fullscreen").tooltip({container:"body",title:"Fullscreen"}),$
(".portlet > .portlet-title > .tools
> .reload").tooltip({container:"body",title:"Reload"}),$(".portlet > .portlet-
title > .tools > .remove").tooltip({container:"body",title:"Remove"}),$
(".portlet > .portlet-title > .tools
> .config").tooltip({container:"body",title:"Settings"}),$(".portlet
> .portlet-title > .tools > .collapse, .portlet > .portlet-title > .tools
> .expand").tooltip({container:"body",title:"Collapse/Expand"})},I=function()
{$("body").on("click",".dropdown-menu.hold-on-click",function(t)
{t.stopPropagation()})},z=function(){$("body").on("click",'[data-
close="alert"]',function(t){$(this).parent(".alert").hide(),$
(this).closest(".note").hide(),t.preventDefault()}),$
("body").on("click",'[data-close="note"]',function(t){$
(this).closest(".note").hide(),t.preventDefault()}),$
("body").on("click",'[data-remove="note"]',function(t){$
(this).closest(".note").remove(),t.preventDefault()})},A=function(){$('[data-
hover="dropdown"]').not(".hover-initialized").each(function(){$
(this).dropdownHover(),$(this).addClass("hover-initialized")})},S=function()

Oct 5, 2018, 5:40 PM 84

© Copyright 2016 Hewlett Packard Enterprise Development LP
JavaScript Hijacking: Vulnerable Framework Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/scripts/
app.min.js, line 1 (JavaScript Hijacking: Vulnerable Framework) Low

{"function"==typeof
autosize&&autosize(document.querySelector("textarea.autosizeme"))},P=function()
{$(".popovers").popover(),$(document).on("click.bs.popover.data-
api",function(e){t&&t.popover("hide")})},T=function()
{App.initSlimScroll(".scroller")},U=function(){jQuery.fancybox&&$(".fancybox-
button").size()>0&&$(".fancybox-button").fancybox({groupAttr:"data-
rel",prevEffect:"none",nextEffect:"none",closeBtn:!0,helpers:{title:
{type:"inside"}}})},D=function(){$().counterUp&&$("[data-
counter='counterup']").counterUp({delay:10,time:1e3})},E=function(){(o||a)&&$
("input[placeholder]:not(.placeholder-no-fix),
textarea[placeholder]:not(.placeholder-no-fix)").each(function(){var t=$
(this);""===t.val()&&""!
==t.attr("placeholder")&&t.addClass("placeholder").val(t.attr("placeholder")),t.focus(
{t.val()==t.attr("placeholder")&&t.val("")}),t.blur(function(){(""===t.val()||
t.val()==t.attr("placeholder"))&&t.val(t.attr("placeholder"))})})},G=function()
{$().select2&&($.fn.select2.defaults.set("theme","bootstrap"),$
(".select2me").select2({placeholder:"Select",width:"auto",allowClear:!
0}))},H=function(){$("[data-auto-height]").each(function(){var t=$(this),e=$
("[data-height]",t),o=0,a=t.attr("data-mode"),i=parseInt(t.attr("data-
offset")?t.attr("data-offset"):0);e.each(function(){"height"==$
(this).attr("data-height")?$(this).css("height",""):$(this).css("min-
height","");var t="base-height"==a?$(this).outerHeight():$(this).outerHeight(!
0);t>o&&(o=t)}),o+=i,e.each(function(){"height"==$(this).attr("data-height")?$
(this).css("height",o):$(this).css("min-height",o)}),t.attr("data-related")&&$
(t.attr("data-related")).css("height",t.height())})};return{init:function()
{h(),u(),g(),b(),m(),v(),T(),U(),G(),f(),z(),I(),k(),w(),P(),C(),x(),y(),S(),D(),this.
{b(),m(),v(),A(),T(),G(),U(),I(),w(),P(),C(),y()},initComponents:function()
{this.initAjax()},setLastPopedPopover:function(e)
{t=e},addResizeHandler:function(t){n.push(t)},runResizeHandlers:function()
{p()},scrollTo:function(t,e){var o=t&&t.size()>0?t.offset().top:0;t&&($
("body").hasClass("page-header-fixed")?o-=$(".page-header").height():$
("body").hasClass("page-header-top-fixed")?o-=$(".page-header-top").height():$
("body").hasClass("page-header-menu-fixed")&&(o-=$(".page-header-
menu").height()),o+=e?e:-1*t.height()),$
("html,body").animate({scrollTop:o},"slow")},initSlimScroll:function(t){$
(t).each(function(){if(!$(this).attr("data-initialized")){var t;t=$
(this).attr("data-height")?$(this).attr("data-height"):$(this).css("height"),$
(this).slimScroll({allowPageScroll:!0,size:"7px",color:$(this).attr("data-
handle-color")?$(this).attr("data-handle-color"):"#bbb",wrapperClass:$
(this).attr("data-wrapper-class")?$(this).attr("data-wrapper-
class"):"slimScrollDiv",railColor:$(this).attr("data-rail-color")?$
(this).attr("data-rail-
color"):"#eaeaea",position:e?"left":"right",height:t,alwaysVisible:"1"==$
(this).attr("data-always-visible")?!0:!1,railVisible:"1"==$(this).attr("data-
rail-visible")?!0:!1,disableFadeOut:!0}),$(this).attr("data-
initialized","1")}})},destroySlimScroll:function(t){$(t).each(function()
{if("1"===$(this).attr("data-initialized")){$(this).removeAttr("data-
initialized"),$(this).removeAttr("style");var t={};$(this).attr("data-handle-

Oct 5, 2018, 5:40 PM 85

© Copyright 2016 Hewlett Packard Enterprise Development LP
JavaScript Hijacking: Vulnerable Framework Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/scripts/
app.min.js, line 1 (JavaScript Hijacking: Vulnerable Framework) Low

color")&&(t["data-handle-color"]=$(this).attr("data-handle-color")),$
(this).attr("data-wrapper-class")&&(t["data-wrapper-class"]=$
(this).attr("data-wrapper-class")),$(this).attr("data-rail-color")&&(t["data-
rail-color"]=$(this).attr("data-rail-color")),$(this).attr("data-always-
visible")&&(t["data-always-visible"]=$(this).attr("data-always-visible")),$
(this).attr("data-rail-visible")&&(t["data-rail-visible"]=$(this).attr("data-
rail-visible")),$(this).slimScroll({wrapperClass:$(this).attr("data-wrapper-
class")?$(this).attr("data-wrapper-class"):"slimScrollDiv",destroy:!0});var e=
$(this);$.each(t,function(t,o){e.attr(t,o)})}})},scrollTop:function()
{App.scrollTo()},blockUI:function(t){t=$.extend(!0,{},t);var
e="";if(e=t.animate?'<div class="loading-message '+(t.boxed?"loading-message-
boxed":"")+'"><div class="block-spinner-bar"><div class="bounce1"></div><div
class="bounce2"></div><div class="bounce3"></div></div></
div>':t.iconOnly?'<div class="loading-message '+(t.boxed?"loading-message-
boxed":"")+'"><img src="'+this.getGlobalImgPath()+'loading-spinner-grey.gif"
align=""></div>':t.textOnly?'<div class="loading-message '+(t.boxed?"loading-
message-boxed":"")+'"><span>  '+(t.message?t.message:"LOADING...")
+"</span></div>":'<div class="loading-message '+(t.boxed?"loading-message-
boxed":"")+'"><img src="'+this.getGlobalImgPath()+'loading-spinner-grey.gif"
align=""><span>  '+(t.message?t.message:"LOADING...")+"</span></
div>",t.target){var o=$(t.target);o.height()<=$(window).height()&&(t.cenrerY=!
0),o.block({message:e,baseZ:t.zIndex?t.zIndex:1e3,centerY:void 0!==t.cenrerY?
t.cenrerY:!1,css:
{top:"10%",border:"0",padding:"0",backgroundColor:"none"},overlayCSS:
{backgroundColor:t.overlayColor?t.overlayColor:"#555",opacity:t.boxed?.
05:.1,cursor:"wait"}})}else $.blockUI({message:e,baseZ:t.zIndex?t.zIndex:
1e3,css:{border:"0",padding:"0",backgroundColor:"none"},overlayCSS:
{backgroundColor:t.overlayColor?t.overlayColor:"#555",opacity:t.boxed?.
05:.1,cursor:"wait"}})},unblockUI:function(t){t?$
(t).unblock({onUnblock:function(){$(t).css("position",""),$
(t).css("zoom","")}}):$.unblockUI()},startPageLoading:function(t)
{t&&t.animate?($(".page-spinner-bar").remove(),$("body").append('<div
class="page-spinner-bar"><div class="bounce1"></div><div class="bounce2"></
div><div class="bounce3"></div></div>')):($(".page-loading").remove(),$
("body").append('<div class="page-loading"><img src="'+this.getGlobalImgPath()
+'loading-spinner-grey.gif"/>  <span>'+(t&&t.message?
t.message:"Loading...")+"</span></div>"))},stopPageLoading:function(){$
(".page-loading, .page-spinner-bar").remove()},alert:function(t){t=$.extend(!
0,{container:"",place:"append",type:"success",message:"",close:!0,reset:!
0,focus:!0,closeInSeconds:0,icon:""},t);var
e=App.getUniqueID("App_alert"),o='<div id="'+e+'" class="custom-alerts alert
alert-'+t.type+' fade in">'+(t.close?'<button type="button" class="close"
data-dismiss="alert" aria-hidden="true"></button>':"")+(""!==t.icon?'<i
class="fa-lg fa fa-'+t.icon+'"></i> ':"")+t.message+"</div>";return t.reset&&$
(".custom-alerts").remove(),t.container?"append"==t.place?$
(t.container).append(o):$(t.container).prepend(o):1===$(".page-fixed-main-
content").size()?$(".page-fixed-main-content").prepend(o):($
("body").hasClass("page-container-bg-solid")||$("body").hasClass("page-

Oct 5, 2018, 5:40 PM 86

© Copyright 2016 Hewlett Packard Enterprise Development LP
JavaScript Hijacking: Vulnerable Framework Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/scripts/
app.min.js, line 1 (JavaScript Hijacking: Vulnerable Framework) Low

content-white"))&&0===$(".page-head").size()?$(".page-title").after(o):$
(".page-bar").size()>0?$(".page-bar").after(o):$(".page-
breadcrumb, .breadcrumbs").after(o),t.focus&&App.scrollTo($
("#"+e)),t.closeInSeconds>0&&setTimeout(function(){$("#"+e).remove()},
1e3*t.closeInSeconds),e},initUniform:function(t){t?$(t).each(function(){0===$
(this).parents(".checker").size()&&($(this).show(),$
(this).uniform())}):b()},updateUniform:function(t)
{$.uniform.update(t)},initFancybox:function(){U()},getActualVal:function(t)
{return t=$
(t),t.val()===t.attr("placeholder")?"":t.val()},getURLParameter:function(t)
{var
e,o,a=window.location.search.substring(1),i=a.split("&");for(e=0;e<i.length;e+
+)if(o=i[e].split("="),o[0]==t)return unescape(o[1]);return
null},isTouchDevice:function(){try{return document.createEvent("TouchEvent"),!
0}catch(t){return!1}},getViewPort:function(){var
t=window,e="inner";return"innerWidth"in window||
(e="client",t=document.documentElement||document.body),{width:t[e
+"Width"],height:t[e+"Height"]}},getUniqueID:function(t)
{return"prefix_"+Math.floor(Math.random()*(new
Date).getTime())},isIE8:function(){return o},isIE9:function(){return
a},isRTL:function(){return e},isAngularJsApp:function()
{return"undefined"==typeof angular?!1:!0},getAssetsPath:function(){return
l},setAssetsPath:function(t){l=t},setGlobalImgPath:function(t)
{s=t},getGlobalImgPath:function(){return l+s},setGlobalPluginsPath:function(t)
{r=t},getGlobalPluginsPath:function(){return l+r},getGlobalCssPath:function()
{return l+c},getBrandColor:function(t){return d[t]?
d[t]:""},getResponsiveBreakpoint:function(t){var e={xs:480,sm:768,md:992,lg:
1200};return e[t]?e[t]:0}}}();jQuery(document).ready(function(){App.init()});
2
3 undefined
4 undefined
5 undefined
6 undefined
7 undefined

Sink Details
Sink: ajax(0)
Enclosing Method: lambda()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/scripts/app.min.js:1
Taint Flags: HTTP_GET
1 var App=function(){var t,e=!1,o=!1,a=!1,i=!1,n=[],l="../../assets/",s="global/
img/",r="global/plugins/",c="global/
css/",d={blue:"#89C4F4",red:"#F3565D",green:"#1bbc9b",purple:"#9b59b6",grey:"#95a5a6",yellow:"#F8CB00"},h
{"rtl"===$("body").css("direction")&&(e=!0),o=!!navigator.userAgent.match(/MSIE 8.0/),a=!!
navigator.userAgent.match(/MSIE 9.0/),i=!!navigator.userAgent.match(/MSIE 10.0/),i&&$
("html").addClass("ie10"),(i||a||o)&&$("html").addClass("ie")},p=function(){for(var

Oct 5, 2018, 5:40 PM 87

© Copyright 2016 Hewlett Packard Enterprise Development LP
JavaScript Hijacking: Vulnerable Framework Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/scripts/
app.min.js, line 1 (JavaScript Hijacking: Vulnerable Framework) Low

t=0;t<n.length;t++){var e=n[t];e.call()}},u=function(){var t;if(o){var e;$

(window).resize(function(){e!
=document.documentElement.clientHeight&&(t&&clearTimeout(t),t=setTimeout(function(){p()},
50),e=document.documentElement.clientHeight)})}else $(window).resize(function()
{t&&clearTimeout(t),t=setTimeout(function(){p()},50)})},f=function(){$
("body").on("click",".portlet > .portlet-title > .tools > a.remove",function(t)
{t.preventDefault();var e=$(this).closest(".portlet");$("body").hasClass("page-portlet-
fullscreen")&&$("body").removeClass("page-portlet-fullscreen"),e.find(".portlet-
title .fullscreen").tooltip("destroy"),e.find(".portlet-title > .tools
> .reload").tooltip("destroy"),e.find(".portlet-title > .tools
> .remove").tooltip("destroy"),e.find(".portlet-title > .tools
> .config").tooltip("destroy"),e.find(".portlet-title > .tools > .collapse, .portlet
> .portlet-title > .tools > .expand").tooltip("destroy"),e.remove()}),$
("body").on("click",".portlet > .portlet-title .fullscreen",function(t){t.preventDefault();var
e=$(this).closest(".portlet");if(e.hasClass("portlet-fullscreen"))$
(this).removeClass("on"),e.removeClass("portlet-fullscreen"),$("body").removeClass("page-
portlet-fullscreen"),e.children(".portlet-body").css("height","auto");else{var
o=App.getViewPort().height-e.children(".portlet-title").outerHeight()-
parseInt(e.children(".portlet-body").css("padding-top"))-parseInt(e.children(".portlet-
body").css("padding-bottom"));$(this).addClass("on"),e.addClass("portlet-fullscreen"),$
("body").addClass("page-portlet-fullscreen"),e.children(".portlet-body").css("height",o)}}),$
("body").on("click",".portlet > .portlet-title > .tools > a.reload",function(t)
{t.preventDefault();var e=$(this).closest(".portlet").children(".portlet-body"),o=$
(this).attr("data-url"),a=$(this).attr("data-error-display");o?(App.blockUI({target:e,animate:!
0,overlayColor:"none"}),$.ajax({type:"GET",cache:!1,url:o,dataType:"html",success:function(t)
{App.unblockUI(e),e.html(t),App.initAjax()},error:function(t,o,i){App.unblockUI(e);var
n="Error on reloading the content. Please check your connection and try
again.";"toastr"==a&&toastr?toastr.error(n):"notific8"==a&&$.notific8?($.notific8("zindex",
11500),$.notific8(n,{theme:"ruby",life:3e3})):alert(n)}})):(App.blockUI({target:e,animate:!
0,overlayColor:"none"}),window.setTimeout(function(){App.unblockUI(e)},1e3))}),$
('.portlet .portlet-title a.reload[data-load="true"]').click(),$("body").on("click",".portlet
> .portlet-title > .tools > .collapse, .portlet .portlet-title > .tools > .expand",function(t)
{t.preventDefault();var e=$(this).closest(".portlet").children(".portlet-body");$
(this).hasClass("collapse")?($
(this).removeClass("collapse").addClass("expand"),e.slideUp(200)):($
(this).removeClass("expand").addClass("collapse"),e.slideDown(200))})},b=function(){if($
().uniform){var t=$("input[type=checkbox]:not(.toggle, .md-check, .md-radiobtn, .make-
switch, .icheck), input[type=radio]:not(.toggle, .md-check, .md-radiobtn, .star, .make-
switch, .icheck)");t.size()>0&&t.each(function(){0===$(this).parents(".checker").size()&&($
(this).show(),$(this).uniform())})}},g=function(){if($("body").on("click",".md-checkbox >
label, .md-radio > label",function(){var t=$(this),e=$(this).children("span:first-
child");e.addClass("inc");var o=e.clone(!0);e.before(o),$("."+e.attr("class")
+":last",t).remove()}),$("body").hasClass("page-md")){var t,e,o,a,i;$
("body").on("click","a.btn, button.btn, input.btn, label.btn",function(n){t=$(this),
0==t.find(".md-click-circle").length&&t.prepend("<span class='md-click-circle'></
span>"),e=t.find(".md-click-circle"),e.removeClass("md-click-animate"),e.height()||e.width()||
(o=Math.max(t.outerWidth(),t.outerHeight()),e.css({height:o,width:o})),a=n.pageX-
t.offset().left-e.width()/2,i=n.pageY-t.offset().top-e.height()/2,e.css({top:i+"px",left:a
+"px"}).addClass("md-click-animate"),setTimeout(function(){e.remove()},1e3)})}var n=function(t)
{""!=t.val()?t.addClass("edited"):t.removeClass("edited")};$("body").on("keydown",".form-md-
floating-label .form-control",function(t){n($(this))}),$("body").on("blur",".form-md-floating-
label .form-control",function(t){n($(this))}),$(".form-md-floating-label .form-
control").each(function(){$(this).val().length>0&&$(this).addClass("edited")})},m=function(){$
().iCheck&&$(".icheck").each(function(){var t=$(this).attr("data-checkbox")?$(this).attr("data-
checkbox"):"icheckbox_minimal-grey",e=$(this).attr("data-radio")?$(this).attr("data-
radio"):"iradio_minimal-grey";t.indexOf("_line")>-1||e.indexOf("_line")>-1?$
(this).iCheck({checkboxClass:t,radioClass:e,insert:'<div class="icheck_line-icon"></div>'+$
(this).attr("data-label")}):$(this).iCheck({checkboxClass:t,radioClass:e})})},v=function(){$
().bootstrapSwitch&&$(".make-switch").bootstrapSwitch()},y=function(){$().confirmation&&$

Oct 5, 2018, 5:40 PM 88

© Copyright 2016 Hewlett Packard Enterprise Development LP
JavaScript Hijacking: Vulnerable Framework Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/scripts/
app.min.js, line 1 (JavaScript Hijacking: Vulnerable Framework) Low

("[data-toggle=confirmation]").confirmation({container:"body",btnOkClass:"btn btn-sm btn-

success",btnCancelClass:"btn btn-sm btn-danger"})},C=function(){$
("body").on("shown.bs.collapse",".accordion.scrollable",function(t){App.scrollTo($
(t.target))})},k=function(){if(location.hash){var t=encodeURI(location.hash.substr(1));$
('a[href="#'+t+'"]').parents(".tab-pane:hidden").each(function(){var t=$(this).attr("id");$
('a[href="#'+t+'"]').click()}),$('a[href="#'+t+'"]').click()}$().tabdrop&&$(".tabbable-
tabdrop .nav-pills, .tabbable-tabdrop .nav-tabs").tabdrop({text:'<i class="fa fa-ellipsis-v"></
i> <i class="fa fa-angle-down"></i>'})},x=function(){$
("body").on("hide.bs.modal",function(){$(".modal:visible").size()>1&&$("html").hasClass("modal-
open")===!1?$("html").addClass("modal-open"):$(".modal:visible").size()<=1&&$
("html").removeClass("modal-open")}),$("body").on("show.bs.modal",".modal",function(){$
(this).hasClass("modal-scroll")&&$("body").addClass("modal-open-noscroll")}),$
("body").on("hide.bs.modal",".modal",function(){$("body").removeClass("modal-open-noscroll")}),
$("body").on("hidden.bs.modal",".modal:not(.modal-cached)",function(){$
(this).removeData("bs.modal")})},w=function(){$(".tooltips").tooltip(),$(".portlet > .portlet-
title .fullscreen").tooltip({container:"body",title:"Fullscreen"}),$(".portlet > .portlet-
title > .tools > .reload").tooltip({container:"body",title:"Reload"}),$(".portlet > .portlet-
title > .tools > .remove").tooltip({container:"body",title:"Remove"}),$(".portlet > .portlet-
title > .tools > .config").tooltip({container:"body",title:"Settings"}),$(".portlet > .portlet-
title > .tools > .collapse, .portlet > .portlet-title > .tools
> .expand").tooltip({container:"body",title:"Collapse/Expand"})},I=function(){$
("body").on("click",".dropdown-menu.hold-on-click",function(t)
{t.stopPropagation()})},z=function(){$("body").on("click",'[data-close="alert"]',function(t){$
(this).parent(".alert").hide(),$(this).closest(".note").hide(),t.preventDefault()}),$
("body").on("click",'[data-close="note"]',function(t){$
(this).closest(".note").hide(),t.preventDefault()}),$("body").on("click",'[data-
remove="note"]',function(t){$
(this).closest(".note").remove(),t.preventDefault()})},A=function(){$('[data-
hover="dropdown"]').not(".hover-initialized").each(function(){$(this).dropdownHover(),$
(this).addClass("hover-initialized")})},S=function(){"function"==typeof
autosize&&autosize(document.querySelector("textarea.autosizeme"))},P=function(){$
(".popovers").popover(),$(document).on("click.bs.popover.data-api",function(e)
{t&&t.popover("hide")})},T=function(){App.initSlimScroll(".scroller")},U=function()
{jQuery.fancybox&&$(".fancybox-button").size()>0&&$(".fancybox-
button").fancybox({groupAttr:"data-rel",prevEffect:"none",nextEffect:"none",closeBtn:!
0,helpers:{title:{type:"inside"}}})},D=function(){$().counterUp&&$("[data-
counter='counterup']").counterUp({delay:10,time:1e3})},E=function(){(o||a)&&$
("input[placeholder]:not(.placeholder-no-fix), textarea[placeholder]:not(.placeholder-no-
fix)").each(function(){var t=$(this);""===t.val()&&""!
==t.attr("placeholder")&&t.addClass("placeholder").val(t.attr("placeholder")),t.focus(function()
{t.val()==t.attr("placeholder")&&t.val("")}),t.blur(function(){(""===t.val()||
t.val()==t.attr("placeholder"))&&t.val(t.attr("placeholder"))})})},G=function(){$
().select2&&($.fn.select2.defaults.set("theme","bootstrap"),$
(".select2me").select2({placeholder:"Select",width:"auto",allowClear:!0}))},H=function(){$
("[data-auto-height]").each(function(){var t=$(this),e=$("[data-height]",t),o=0,a=t.attr("data-
mode"),i=parseInt(t.attr("data-offset")?t.attr("data-offset"):0);e.each(function(){"height"==$
(this).attr("data-height")?$(this).css("height",""):$(this).css("min-height","");var t="base-
height"==a?$(this).outerHeight():$(this).outerHeight(!0);t>o&&(o=t)}),o+=i,e.each(function()
{"height"==$(this).attr("data-height")?$(this).css("height",o):$(this).css("min-
height",o)}),t.attr("data-related")&&$(t.attr("data-
related")).css("height",t.height())})};return{init:function()
{h(),u(),g(),b(),m(),v(),T(),U(),G(),f(),z(),I(),k(),w(),P(),C(),x(),y(),S(),D(),this.addResizeHandler(H)
{b(),m(),v(),A(),T(),G(),U(),I(),w(),P(),C(),y()},initComponents:function()
{this.initAjax()},setLastPopedPopover:function(e){t=e},addResizeHandler:function(t)
{n.push(t)},runResizeHandlers:function(){p()},scrollTo:function(t,e){var o=t&&t.size()>0?
t.offset().top:0;t&&($("body").hasClass("page-header-fixed")?o-=$(".page-header").height():$
("body").hasClass("page-header-top-fixed")?o-=$(".page-header-top").height():$
("body").hasClass("page-header-menu-fixed")&&(o-=$(".page-header-menu").height()),o+=e?
e:-1*t.height()),$("html,body").animate({scrollTop:o},"slow")},initSlimScroll:function(t){$

Oct 5, 2018, 5:40 PM 89

© Copyright 2016 Hewlett Packard Enterprise Development LP
JavaScript Hijacking: Vulnerable Framework Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/scripts/
app.min.js, line 1 (JavaScript Hijacking: Vulnerable Framework) Low

(t).each(function(){if(!$(this).attr("data-initialized")){var t;t=$(this).attr("data-height")?$
(this).attr("data-height"):$(this).css("height"),$(this).slimScroll({allowPageScroll:!
0,size:"7px",color:$(this).attr("data-handle-color")?$(this).attr("data-handle-
color"):"#bbb",wrapperClass:$(this).attr("data-wrapper-class")?$(this).attr("data-wrapper-
class"):"slimScrollDiv",railColor:$(this).attr("data-rail-color")?$(this).attr("data-rail-
color"):"#eaeaea",position:e?"left":"right",height:t,alwaysVisible:"1"==$(this).attr("data-
always-visible")?!0:!1,railVisible:"1"==$(this).attr("data-rail-visible")?!0:!
1,disableFadeOut:!0}),$(this).attr("data-initialized","1")}})},destroySlimScroll:function(t){$
(t).each(function(){if("1"===$(this).attr("data-initialized")){$(this).removeAttr("data-
initialized"),$(this).removeAttr("style");var t={};$(this).attr("data-handle-color")&&(t["data-
handle-color"]=$(this).attr("data-handle-color")),$(this).attr("data-wrapper-class")&&(t["data-
wrapper-class"]=$(this).attr("data-wrapper-class")),$(this).attr("data-rail-color")&&(t["data-
rail-color"]=$(this).attr("data-rail-color")),$(this).attr("data-always-visible")&&(t["data-
always-visible"]=$(this).attr("data-always-visible")),$(this).attr("data-rail-
visible")&&(t["data-rail-visible"]=$(this).attr("data-rail-visible")),$
(this).slimScroll({wrapperClass:$(this).attr("data-wrapper-class")?$(this).attr("data-wrapper-
class"):"slimScrollDiv",destroy:!0});var e=$(this);$.each(t,function(t,o)
{e.attr(t,o)})}})},scrollTop:function(){App.scrollTo()},blockUI:function(t){t=$.extend(!0,
{},t);var e="";if(e=t.animate?'<div class="loading-message '+(t.boxed?"loading-message-
boxed":"")+'"><div class="block-spinner-bar"><div class="bounce1"></div><div class="bounce2"></
div><div class="bounce3"></div></div></div>':t.iconOnly?'<div class="loading-message '+
(t.boxed?"loading-message-boxed":"")+'"><img src="'+this.getGlobalImgPath()+'loading-spinner-
grey.gif" align=""></div>':t.textOnly?'<div class="loading-message '+(t.boxed?"loading-message-
boxed":"")+'"><span>  '+(t.message?t.message:"LOADING...")+"</span></div>":'<div
class="loading-message '+(t.boxed?"loading-message-boxed":"")+'"><img
src="'+this.getGlobalImgPath()+'loading-spinner-grey.gif" align=""><span>  '+
(t.message?t.message:"LOADING...")+"</span></div>",t.target){var o=$(t.target);o.height()<=$
(window).height()&&(t.cenrerY=!0),o.block({message:e,baseZ:t.zIndex?t.zIndex:1e3,centerY:void
0!==t.cenrerY?t.cenrerY:!1,css:
{top:"10%",border:"0",padding:"0",backgroundColor:"none"},overlayCSS:
{backgroundColor:t.overlayColor?t.overlayColor:"#555",opacity:t.boxed?.05:.1,cursor:"wait"}})}
else $.blockUI({message:e,baseZ:t.zIndex?t.zIndex:1e3,css:
{border:"0",padding:"0",backgroundColor:"none"},overlayCSS:{backgroundColor:t.overlayColor?
t.overlayColor:"#555",opacity:t.boxed?.05:.1,cursor:"wait"}})},unblockUI:function(t){t?$
(t).unblock({onUnblock:function(){$(t).css("position",""),$(t).css("zoom","")}}):
$.unblockUI()},startPageLoading:function(t){t&&t.animate?($(".page-spinner-bar").remove(),$
("body").append('<div class="page-spinner-bar"><div class="bounce1"></div><div
class="bounce2"></div><div class="bounce3"></div></div>')):($(".page-loading").remove(),$
("body").append('<div class="page-loading"><img src="'+this.getGlobalImgPath()+'loading-
spinner-grey.gif"/>  <span>'+(t&&t.message?t.message:"Loading...")+"</span></
div>"))},stopPageLoading:function(){$(".page-loading, .page-spinner-
bar").remove()},alert:function(t){t=$.extend(!0,
{container:"",place:"append",type:"success",message:"",close:!0,reset:!0,focus:!
0,closeInSeconds:0,icon:""},t);var e=App.getUniqueID("App_alert"),o='<div id="'+e+'"
class="custom-alerts alert alert-'+t.type+' fade in">'+(t.close?'<button type="button"
class="close" data-dismiss="alert" aria-hidden="true"></button>':"")+(""!==t.icon?'<i
class="fa-lg fa fa-'+t.icon+'"></i> ':"")+t.message+"</div>";return t.reset&&$(".custom-
alerts").remove(),t.container?"append"==t.place?$(t.container).append(o):$
(t.container).prepend(o):1===$(".page-fixed-main-content").size()?$(".page-fixed-main-
content").prepend(o):($("body").hasClass("page-container-bg-solid")||$("body").hasClass("page-
content-white"))&&0===$(".page-head").size()?$(".page-title").after(o):$(".page-bar").size()>0?
$(".page-bar").after(o):$(".page-breadcrumb, .breadcrumbs").after(o),t.focus&&App.scrollTo($
("#"+e)),t.closeInSeconds>0&&setTimeout(function(){$("#"+e).remove()},
1e3*t.closeInSeconds),e},initUniform:function(t){t?$(t).each(function(){0===$
(this).parents(".checker").size()&&($(this).show(),$
(this).uniform())}):b()},updateUniform:function(t){$.uniform.update(t)},initFancybox:function()
{U()},getActualVal:function(t){return t=$
(t),t.val()===t.attr("placeholder")?"":t.val()},getURLParameter:function(t){var
e,o,a=window.location.search.substring(1),i=a.split("&");for(e=0;e<i.length;e+

Oct 5, 2018, 5:40 PM 90

© Copyright 2016 Hewlett Packard Enterprise Development LP
JavaScript Hijacking: Vulnerable Framework Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/scripts/
app.min.js, line 1 (JavaScript Hijacking: Vulnerable Framework) Low

+)if(o=i[e].split("="),o[0]==t)return unescape(o[1]);return null},isTouchDevice:function()

{try{return document.createEvent("TouchEvent"),!0}catch(t){return!1}},getViewPort:function()
{var t=window,e="inner";return"innerWidth"in window||(e="client",t=document.documentElement||
document.body),{width:t[e+"Width"],height:t[e+"Height"]}},getUniqueID:function(t)
{return"prefix_"+Math.floor(Math.random()*(new Date).getTime())},isIE8:function(){return
o},isIE9:function(){return a},isRTL:function(){return e},isAngularJsApp:function()
{return"undefined"==typeof angular?!1:!0},getAssetsPath:function(){return
l},setAssetsPath:function(t){l=t},setGlobalImgPath:function(t){s=t},getGlobalImgPath:function()
{return l+s},setGlobalPluginsPath:function(t){r=t},getGlobalPluginsPath:function(){return l
+r},getGlobalCssPath:function(){return l+c},getBrandColor:function(t){return d[t]?
d[t]:""},getResponsiveBreakpoint:function(t){var e={xs:480,sm:768,md:992,lg:1200};return e[t]?
e[t]:0}}}();jQuery(document).ready(function(){App.init()});
2
3 undefined
4 undefined
5 undefined
6 undefined
7 undefined

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.layouts.layout4.scripts

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/layouts/layout4/
Low
scripts/layout.js, line 231 (JavaScript Hijacking: Vulnerable Framework)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Data Flow)

Source Details
Source: Read type
From: lambda
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/layouts/layout4/s
cripts/layout.js:232
229 var the = $(this);
230
231 $.ajax({
232 type: "GET",
233 cache: false,
234 url: url,
235 dataType: "html",

Sink Details
Sink: ajax(0)
Enclosing Method: lambda()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/layouts/layout4/scripts/layout.js:231
Taint Flags: HTTP_GET

Oct 5, 2018, 5:40 PM 91

© Copyright 2016 Hewlett Packard Enterprise Development LP
JavaScript Hijacking: Vulnerable Framework Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.layouts.layout4.scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/layouts/layout4/
Low
scripts/layout.js, line 231 (JavaScript Hijacking: Vulnerable Framework)
228
229 var the = $(this);
230
231 $.ajax({
232 type: "GET",
233 cache: false,
234 url: url,

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/layouts/layout4/

Low
scripts/layout.js, line 269 (JavaScript Hijacking: Vulnerable Framework)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Data Flow)

Source Details
Source: Read type
From: lambda
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/layouts/layout4/s
cripts/layout.js:270
267 }
268
269 $.ajax({
270 type: "GET",
271 cache: false,
272 url: url,
273 dataType: "html",

Sink Details
Sink: ajax(0)
Enclosing Method: lambda()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/layouts/layout4/scripts/layout.js:269
Taint Flags: HTTP_GET
266 $('.page-header .responsive-toggler').click();
267 }
268
269 $.ajax({
270 type: "GET",
271 cache: false,
272 url: url,

Oct 5, 2018, 5:40 PM 92

© Copyright 2016 Hewlett Packard Enterprise Development LP
JavaScript Hijacking: Vulnerable Framework Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.layouts.layout4.scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/layouts/layout4/
Low
scripts/layout.min.js, line 1 (JavaScript Hijacking: Vulnerable Framework)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Data Flow)

Source Details
Source: Read type
From: lambda
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/layouts/layout4/s
cripts/layout.min.js:1
1 var Layout=function(){var e="layouts/layout4/img/",a="layouts/layout4/
css/",s=App.getResponsiveBreakpoint("md"),i=function(){var e,a=$(".page-
content"),i=$(".page-sidebar"),t=$("body");if(t.hasClass("page-footer-
fixed")===!0&&t.hasClass("page-sidebar-fixed")===!1){var
o=App.getViewPort().height-$(".page-footer").outerHeight(!0)-$(".page-
header").outerHeight(!0);a.height()<o&&a.attr("style","min-height:"+o+"px")}
else{if(t.hasClass("page-sidebar-fixed"))e=n()-10,t.hasClass("page-footer-
fixed")===!1&&(e-=$(".page-footer").outerHeight(!0));else{var r=$(".page-
header").outerHeight(!0),p=$(".page-footer").outerHeight(!
0);e=App.getViewPort().width<s?App.getViewPort().height-r-p:i.height()-10,e+r
+p<=App.getViewPort().height&&(e=App.getViewPort().height-r-p-45)}
a.attr("style","min-height:"+e+"px")}},t=function(e,a){var
i=location.hash.toLowerCase(),t=$(".page-sidebar-
menu");if("click"===e||"set"===e?a=$(a):"match"===e&&t.find("li >
a").each(function(){var e=$(this).attr("href").toLowerCase();return
e.length>1&&i.substr(1,e.length-1)==e.substr(1)?void(a=$(this)):void 0}),a&&0!
=a.size()&&"javascript:;"!==a.attr("href").toLowerCase()&&"#"!
==a.attr("href").toLowerCase()){parseInt(t.data("slide-speed")),t.data("keep-
expanded");t.hasClass("page-sidebar-menu-hover-submenu")===!1?t.find("li.nav-
item.open").each(function(){var e=!1;$(this).find("li").each(function()
{return $(this).find(" > a").attr("href")===a.attr("href")?void(e=!0):void
0}),e!==!0&&($(this).removeClass("open"),$(this).find("> a
> .arrow.open").removeClass("open"),$(this).find("> .sub-
menu").slideUp())}):t.find("li.open").removeClass("open"),t.find("li.active").removeCl
> a > .selected").remove(),a.parents("li").each(function(){$
(this).addClass("active"),$(this).find("> a > span.arrow").addClass("open"),
1===$(this).parent("ul.page-sidebar-menu").size()&&$(this).find(">
a").append('<span class="selected"></span>'),1===$(this).children("ul.sub-
menu").size()&&$
(this).addClass("open")}),"click"===e&&App.getViewPort().width<s&&$(".page-
sidebar").hasClass("in")&&$(".page-header .responsive-
toggler").click()}},o=function(){$(".page-sidebar").on("click","li >
a",function(e){if(!(App.getViewPort().width>=s&&1===$(this).parents(".page-
sidebar-menu-hover-submenu").size())){if($(this).next().hasClass("sub-
menu")===!1)return void(App.getViewPort().width<s&&$(".page-
sidebar").hasClass("in")&&$(".page-header .responsive-toggler").click());var
a=$(this).parent().parent(),t=$(this),o=$(".page-sidebar-menu"),n=$
(this).next(),r=o.data("auto-scroll"),p=parseInt(o.data("slide-

Oct 5, 2018, 5:40 PM 93

© Copyright 2016 Hewlett Packard Enterprise Development LP
JavaScript Hijacking: Vulnerable Framework Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.layouts.layout4.scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/layouts/layout4/
scripts/layout.min.js, line 1 (JavaScript Hijacking: Vulnerable Framework) Low

speed")),d=o.data("keep-expanded");d!==!
0&&(a.children("li.open").children("a").children(".arrow").removeClass("open"),a.child
menu:not(.always-
open)").slideUp(p),a.children("li.open").removeClass("open"));var
l=-200;n.is(":visible")?($(".arrow",$(this)).removeClass("open"),$
(this).parent().removeClass("open"),n.slideUp(p,function(){r===!0&&$
("body").hasClass("page-sidebar-closed")===!1&&($("body").hasClass("page-
sidebar-fixed")?
o.slimScroll({scrollTo:t.position().top}):App.scrollTo(t,l)),i()})):($
(".arrow",$(this)).addClass("open"),$
(this).parent().addClass("open"),n.slideDown(p,function(){r===!0&&$
("body").hasClass("page-sidebar-closed")===!1&&($("body").hasClass("page-
sidebar-fixed")?
o.slimScroll({scrollTo:t.position().top}):App.scrollTo(t,l)),i()})),e.preventDefault()
$(".page-sidebar-menu li > a").on("click",function(e)
{App.getViewPort().width<s&&$(this).next().hasClass("sub-menu")===!1&&$
(".page-header .responsive-toggler").click()}),$(".page-
sidebar").on("click"," li > a.ajaxify",function(e)
{e.preventDefault(),App.scrollTop();var a=$(this).attr("href"),i=$(".page-
sidebar ul"),t=($(".page-content"),$(".page-content .page-content-
body"));i.children("li.active").removeClass("active"),i.children("arrow.open").removeC
$(this).parents("li").each(function(){$(this).addClass("active"),$
(this).children("a > span.arrow").addClass("open")}),$
(this).parents("li").addClass("active"),App.getViewPort().width<s&&$(".page-
sidebar").hasClass("in")&&$(".page-header .responsive-
toggler").click(),App.startPageLoading();var o=$(this);
$.ajax({type:"GET",cache:!1,url:a,dataType:"html",success:function(e)
{0===o.parents("li.open").size()&&$(".page-sidebar-menu > li.open >
a").click(),App.stopPageLoading(),t.html(e),Layout.fixContentHeight(),App.initAjax()},
{App.stopPageLoading(),t.html("<h4>Could not load the requested content.</
h4>")}})}),$(".page-content").on("click",".ajaxify",function(e)
{e.preventDefault(),App.scrollTop();var a=$(this).attr("href"),i=($(".page-
content"),$(".page-content .page-content-
body"));App.startPageLoading(),App.getViewPort().width<s&&$(".page-
sidebar").hasClass("in")&&$(".page-header .responsive-toggler").click(),
$.ajax({type:"GET",cache:!1,url:a,dataType:"html",success:function(e)
{App.stopPageLoading(),i.html(e),Layout.fixContentHeight(),App.initAjax()},error:funct
{i.html("<h4>Could not load the requested content.</
h4>"),App.stopPageLoading()}})}),$(document).on("click",".page-header-fixed-
mobile .responsive-toggler",function(){App.scrollTop()})},n=function(){var
e=App.getViewPort().height-$(".page-header").outerHeight(!0)-40;return $
("body").hasClass("page-footer-fixed")&&(e-=$(".page-
footer").outerHeight()),e},r=function(){var e=$(".page-sidebar-menu");return
App.destroySlimScroll(e),0===$(".page-sidebar-fixed").size()?void
i():void(App.getViewPort().width>=s&&(e.attr("data-
height",n()),App.initSlimScroll(e),i()))},p=function(){var e=$
("body");e.hasClass("page-sidebar-fixed")&&$(".page-
sidebar").on("mouseenter",function(){e.hasClass("page-sidebar-closed")&&$

Oct 5, 2018, 5:40 PM 94

© Copyright 2016 Hewlett Packard Enterprise Development LP
JavaScript Hijacking: Vulnerable Framework Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.layouts.layout4.scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/layouts/layout4/
scripts/layout.min.js, line 1 (JavaScript Hijacking: Vulnerable Framework) Low

(this).find(".page-sidebar-menu").removeClass("page-sidebar-menu-
closed")}).on("mouseleave",function(){e.hasClass("page-sidebar-closed")&&$
(this).find(".page-sidebar-menu").addClass("page-sidebar-menu-
closed")})},d=function(){var e=$("body");$.cookie&&"1"===
$.cookie("sidebar_closed")&&App.getViewPort().width>=s&&($
("body").addClass("page-sidebar-closed"),$(".page-sidebar-
menu").addClass("page-sidebar-menu-closed")),$("body").on("click",".sidebar-
toggler",function(a){var s=$(".page-sidebar"),i=$(".page-sidebar-menu");$
(".sidebar-search",s).removeClass("open"),e.hasClass("page-sidebar-closed")?
(e.removeClass("page-sidebar-closed"),i.removeClass("page-sidebar-menu-
closed"),$.cookie&&$.cookie("sidebar_closed","0")):(e.addClass("page-sidebar-
closed"),i.addClass("page-sidebar-menu-closed"),e.hasClass("page-sidebar-
fixed")&&i.trigger("mouseleave"),$.cookie&&$.cookie("sidebar_closed","1")),$
(window).trigger("resize")}),p(),$(".page-sidebar").on("click",".sidebar-
search .remove",function(e){e.preventDefault(),$(".sidebar-
search").removeClass("open")}),$(".page-sidebar .sidebar-
search").on("keypress","input.form-control",function(e){return 13==e.which?($
(".sidebar-search").submit(),!1):void 0}),$(".sidebar-
search .submit").on("click",function(e){e.preventDefault(),$
("body").hasClass("page-sidebar-closed")&&$(".sidebar-
search").hasClass("open")===!1?(1===$(".page-sidebar-fixed").size()&&$(".page-
sidebar .sidebar-toggler").click(),$(".sidebar-search").addClass("open")):$
(".sidebar-search").submit()}),0!==$(".sidebar-search").size()&&($(".sidebar-
search .input-group").on("click",function(e){e.stopPropagation()}),$
("body").on("click",function(){$(".sidebar-search").hasClass("open")&&$
(".sidebar-search").removeClass("open")}))},l=function(){$(".page-
header").on("click",".search-form",function(e){$(this).addClass("open"),$
(this).find(".form-control").focus(),$(".page-header .search-form .form-
control").on("blur",function(e){$(this).closest(".search-
form").removeClass("open"),$(this).unbind("blur")})}),$(".page-
header").on("keypress",".hor-menu .search-form .form-control",function(e)
{return 13==e.which?($(this).closest(".search-form").submit(),!1):void 0}),$
(".page-header").on("mousedown",".search-form.open .submit",function(e)
{e.preventDefault(),e.stopPropagation(),$(this).closest(".search-
form").submit()})},c=function(){var e=300,a=500;navigator.userAgent.match(/
iPhone|iPad|iPod/i)?$(window).bind("touchend touchcancel
touchleave",function(s){$(this).scrollTop()>e?$(".scroll-to-top").fadeIn(a):$
(".scroll-to-top").fadeOut(a)}):$(window).scroll(function(){$
(this).scrollTop()>e?$(".scroll-to-top").fadeIn(a):$(".scroll-to-
top").fadeOut(a)}),$(".scroll-to-top").click(function(e){return
e.preventDefault(),$("html, body").animate({scrollTop:0},a),!
1})};return{initHeader:function(){l()},setSidebarMenuActiveLink:function(e,a)
{t(e,a)},initSidebar:function()
{r(),o(),d(),App.isAngularJsApp()&&t("match"),App.addResizeHandler(r)},initContent:fun
{},initFooter:function(){c()},init:function()
{this.initHeader(),this.initSidebar(),this.initContent(),this.initFooter()},fixContent
{},initFixedSidebarHoverEffect:function(){p()},initFixedSidebar:function()
{r()},getLayoutImgPath:function(){return App.getAssetsPath()

Oct 5, 2018, 5:40 PM 95

© Copyright 2016 Hewlett Packard Enterprise Development LP
JavaScript Hijacking: Vulnerable Framework Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.layouts.layout4.scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/layouts/layout4/
scripts/layout.min.js, line 1 (JavaScript Hijacking: Vulnerable Framework) Low

+e},getLayoutCssPath:function(){return App.getAssetsPath()+a}}}
();App.isAngularJsApp()===!1&&jQuery(document).ready(function()
{Layout.init()});
2
3 undefined
4 undefined
5 undefined
6 undefined
7 undefined

Sink Details
Sink: ajax(0)
Enclosing Method: lambda()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/layouts/layout4/scripts/layout.min.js:1
Taint Flags: HTTP_GET
1 var Layout=function(){var e="layouts/layout4/img/",a="layouts/layout4/
css/",s=App.getResponsiveBreakpoint("md"),i=function(){var e,a=$(".page-content"),i=$(".page-
sidebar"),t=$("body");if(t.hasClass("page-footer-fixed")===!0&&t.hasClass("page-sidebar-
fixed")===!1){var o=App.getViewPort().height-$(".page-footer").outerHeight(!0)-$(".page-
header").outerHeight(!0);a.height()<o&&a.attr("style","min-height:"+o+"px")}
else{if(t.hasClass("page-sidebar-fixed"))e=n()-10,t.hasClass("page-footer-fixed")===!1&&(e-=$
(".page-footer").outerHeight(!0));else{var r=$(".page-header").outerHeight(!0),p=$(".page-
footer").outerHeight(!0);e=App.getViewPort().width<s?App.getViewPort().height-r-
p:i.height()-10,e+r+p<=App.getViewPort().height&&(e=App.getViewPort().height-r-p-45)}
a.attr("style","min-height:"+e+"px")}},t=function(e,a){var i=location.hash.toLowerCase(),t=$
(".page-sidebar-menu");if("click"===e||"set"===e?a=$(a):"match"===e&&t.find("li >
a").each(function(){var e=$(this).attr("href").toLowerCase();return
e.length>1&&i.substr(1,e.length-1)==e.substr(1)?void(a=$(this)):void 0}),a&&0!
=a.size()&&"javascript:;"!==a.attr("href").toLowerCase()&&"#"!==a.attr("href").toLowerCase())
{parseInt(t.data("slide-speed")),t.data("keep-expanded");t.hasClass("page-sidebar-menu-hover-
submenu")===!1?t.find("li.nav-item.open").each(function(){var e=!1;$
(this).find("li").each(function(){return $(this).find(" > a").attr("href")===a.attr("href")?
void(e=!0):void 0}),e!==!0&&($(this).removeClass("open"),$(this).find("> a
> .arrow.open").removeClass("open"),$(this).find("> .sub-
menu").slideUp())}):t.find("li.open").removeClass("open"),t.find("li.active").removeClass("active"),t.fin
> a > .selected").remove(),a.parents("li").each(function(){$(this).addClass("active"),$
(this).find("> a > span.arrow").addClass("open"),1===$(this).parent("ul.page-sidebar-
menu").size()&&$(this).find("> a").append('<span class="selected"></span>'),1===$
(this).children("ul.sub-menu").size()&&$
(this).addClass("open")}),"click"===e&&App.getViewPort().width<s&&$(".page-
sidebar").hasClass("in")&&$(".page-header .responsive-toggler").click()}},o=function(){$
(".page-sidebar").on("click","li > a",function(e){if(!(App.getViewPort().width>=s&&1===$
(this).parents(".page-sidebar-menu-hover-submenu").size())){if($(this).next().hasClass("sub-
menu")===!1)return void(App.getViewPort().width<s&&$(".page-sidebar").hasClass("in")&&$(".page-
header .responsive-toggler").click());var a=$(this).parent().parent(),t=$(this),o=$(".page-
sidebar-menu"),n=$(this).next(),r=o.data("auto-scroll"),p=parseInt(o.data("slide-
speed")),d=o.data("keep-expanded");d!==!
0&&(a.children("li.open").children("a").children(".arrow").removeClass("open"),a.children("li.open").chil
menu:not(.always-open)").slideUp(p),a.children("li.open").removeClass("open"));var
l=-200;n.is(":visible")?($(".arrow",$(this)).removeClass("open"),$
(this).parent().removeClass("open"),n.slideUp(p,function(){r===!0&&$("body").hasClass("page-
sidebar-closed")===!1&&($("body").hasClass("page-sidebar-fixed")?

Oct 5, 2018, 5:40 PM 96

© Copyright 2016 Hewlett Packard Enterprise Development LP
JavaScript Hijacking: Vulnerable Framework Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.layouts.layout4.scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/layouts/layout4/
scripts/layout.min.js, line 1 (JavaScript Hijacking: Vulnerable Framework) Low

o.slimScroll({scrollTo:t.position().top}):App.scrollTo(t,l)),i()})):($(".arrow",$
(this)).addClass("open"),$(this).parent().addClass("open"),n.slideDown(p,function(){r===!0&&$
("body").hasClass("page-sidebar-closed")===!1&&($("body").hasClass("page-sidebar-fixed")?
o.slimScroll({scrollTo:t.position().top}):App.scrollTo(t,l)),i()})),e.preventDefault()}}),App.isAngularJs
$(".page-sidebar-menu li > a").on("click",function(e){App.getViewPort().width<s&&$
(this).next().hasClass("sub-menu")===!1&&$(".page-header .responsive-toggler").click()}),$
(".page-sidebar").on("click"," li > a.ajaxify",function(e)
{e.preventDefault(),App.scrollTop();var a=$(this).attr("href"),i=$(".page-sidebar ul"),t=($
(".page-content"),$(".page-content .page-content-
body"));i.children("li.active").removeClass("active"),i.children("arrow.open").removeClass("open"),
$(this).parents("li").each(function(){$(this).addClass("active"),$(this).children("a >
span.arrow").addClass("open")}),$
(this).parents("li").addClass("active"),App.getViewPort().width<s&&$(".page-
sidebar").hasClass("in")&&$(".page-header .responsive-
toggler").click(),App.startPageLoading();var o=$(this);$.ajax({type:"GET",cache:!
1,url:a,dataType:"html",success:function(e){0===o.parents("li.open").size()&&$(".page-sidebar-
menu > li.open >
a").click(),App.stopPageLoading(),t.html(e),Layout.fixContentHeight(),App.initAjax()},error:function(e,a,
{App.stopPageLoading(),t.html("<h4>Could not load the requested content.</h4>")}})}),$(".page-
content").on("click",".ajaxify",function(e){e.preventDefault(),App.scrollTop();var a=$
(this).attr("href"),i=($(".page-content"),$(".page-content .page-content-
body"));App.startPageLoading(),App.getViewPort().width<s&&$(".page-sidebar").hasClass("in")&&$
(".page-header .responsive-toggler").click(),$.ajax({type:"GET",cache:!
1,url:a,dataType:"html",success:function(e)
{App.stopPageLoading(),i.html(e),Layout.fixContentHeight(),App.initAjax()},error:function(e,a,s)
{i.html("<h4>Could not load the requested content.</h4>"),App.stopPageLoading()}})}),$
(document).on("click",".page-header-fixed-mobile .responsive-toggler",function()
{App.scrollTop()})},n=function(){var e=App.getViewPort().height-$(".page-header").outerHeight(!
0)-40;return $("body").hasClass("page-footer-fixed")&&(e-=$(".page-
footer").outerHeight()),e},r=function(){var e=$(".page-sidebar-menu");return
App.destroySlimScroll(e),0===$(".page-sidebar-fixed").size()?void
i():void(App.getViewPort().width>=s&&(e.attr("data-
height",n()),App.initSlimScroll(e),i()))},p=function(){var e=$("body");e.hasClass("page-
sidebar-fixed")&&$(".page-sidebar").on("mouseenter",function(){e.hasClass("page-sidebar-
closed")&&$(this).find(".page-sidebar-menu").removeClass("page-sidebar-menu-
closed")}).on("mouseleave",function(){e.hasClass("page-sidebar-closed")&&$(this).find(".page-
sidebar-menu").addClass("page-sidebar-menu-closed")})},d=function(){var e=$("body");
$.cookie&&"1"===$.cookie("sidebar_closed")&&App.getViewPort().width>=s&&($
("body").addClass("page-sidebar-closed"),$(".page-sidebar-menu").addClass("page-sidebar-menu-
closed")),$("body").on("click",".sidebar-toggler",function(a){var s=$(".page-sidebar"),i=$
(".page-sidebar-menu");$(".sidebar-search",s).removeClass("open"),e.hasClass("page-sidebar-
closed")?(e.removeClass("page-sidebar-closed"),i.removeClass("page-sidebar-menu-closed"),
$.cookie&&$.cookie("sidebar_closed","0")):(e.addClass("page-sidebar-closed"),i.addClass("page-
sidebar-menu-closed"),e.hasClass("page-sidebar-fixed")&&i.trigger("mouseleave"),$.cookie&&
$.cookie("sidebar_closed","1")),$(window).trigger("resize")}),p(),$(".page-
sidebar").on("click",".sidebar-search .remove",function(e){e.preventDefault(),$(".sidebar-
search").removeClass("open")}),$(".page-sidebar .sidebar-search").on("keypress","input.form-
control",function(e){return 13==e.which?($(".sidebar-search").submit(),!1):void 0}),$
(".sidebar-search .submit").on("click",function(e){e.preventDefault(),$("body").hasClass("page-
sidebar-closed")&&$(".sidebar-search").hasClass("open")===!1?(1===$(".page-sidebar-
fixed").size()&&$(".page-sidebar .sidebar-toggler").click(),$(".sidebar-
search").addClass("open")):$(".sidebar-search").submit()}),0!==$(".sidebar-search").size()&&($
(".sidebar-search .input-group").on("click",function(e){e.stopPropagation()}),$
("body").on("click",function(){$(".sidebar-search").hasClass("open")&&$(".sidebar-
search").removeClass("open")}))},l=function(){$(".page-header").on("click",".search-
form",function(e){$(this).addClass("open"),$(this).find(".form-control").focus(),$(".page-
header .search-form .form-control").on("blur",function(e){$(this).closest(".search-
form").removeClass("open"),$(this).unbind("blur")})}),$(".page-header").on("keypress",".hor-
menu .search-form .form-control",function(e){return 13==e.which?($(this).closest(".search-

Oct 5, 2018, 5:40 PM 97

© Copyright 2016 Hewlett Packard Enterprise Development LP
JavaScript Hijacking: Vulnerable Framework Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.layouts.layout4.scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/layouts/layout4/
scripts/layout.min.js, line 1 (JavaScript Hijacking: Vulnerable Framework) Low

form").submit(),!1):void 0}),$(".page-header").on("mousedown",".search-
form.open .submit",function(e){e.preventDefault(),e.stopPropagation(),$(this).closest(".search-
form").submit()})},c=function(){var e=300,a=500;navigator.userAgent.match(/iPhone|iPad|iPod/i)?
$(window).bind("touchend touchcancel touchleave",function(s){$(this).scrollTop()>e?$(".scroll-
to-top").fadeIn(a):$(".scroll-to-top").fadeOut(a)}):$(window).scroll(function(){$
(this).scrollTop()>e?$(".scroll-to-top").fadeIn(a):$(".scroll-to-top").fadeOut(a)}),$(".scroll-
to-top").click(function(e){return e.preventDefault(),$("html, body").animate({scrollTop:0},a),!
1})};return{initHeader:function(){l()},setSidebarMenuActiveLink:function(e,a)
{t(e,a)},initSidebar:function()
{r(),o(),d(),App.isAngularJsApp()&&t("match"),App.addResizeHandler(r)},initContent:function()
{},initFooter:function(){c()},init:function()
{this.initHeader(),this.initSidebar(),this.initContent(),this.initFooter()},fixContentHeight:function()
{},initFixedSidebarHoverEffect:function(){p()},initFixedSidebar:function()
{r()},getLayoutImgPath:function(){return App.getAssetsPath()+e},getLayoutCssPath:function()
{return App.getAssetsPath()+a}}}();App.isAngularJsApp()===!1&&jQuery(document).ready(function()
{Layout.init()});
2
3 undefined
4 undefined
5 undefined
6 undefined
7 undefined

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/layouts/layout4/

Low
scripts/layout.min.js, line 1 (JavaScript Hijacking: Vulnerable Framework)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Data Flow)

Oct 5, 2018, 5:40 PM 98

© Copyright 2016 Hewlett Packard Enterprise Development LP
JavaScript Hijacking: Vulnerable Framework Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.layouts.layout4.scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/layouts/layout4/
scripts/layout.min.js, line 1 (JavaScript Hijacking: Vulnerable Framework) Low

a").each(function(){var e=$(this).attr("href").toLowerCase();return
e.length>1&&i.substr(1,e.length-1)==e.substr(1)?void(a=$(this)):void 0}),a&&0!
=a.size()&&"javascript:;"!==a.attr("href").toLowerCase()&&"#"!
==a.attr("href").toLowerCase()){parseInt(t.data("slide-speed")),t.data("keep-
expanded");t.hasClass("page-sidebar-menu-hover-submenu")===!1?t.find("li.nav-
item.open").each(function(){var e=!1;$(this).find("li").each(function()
{return $(this).find(" > a").attr("href")===a.attr("href")?void(e=!0):void
0}),e!==!0&&($(this).removeClass("open"),$(this).find("> a
> .arrow.open").removeClass("open"),$(this).find("> .sub-
menu").slideUp())}):t.find("li.open").removeClass("open"),t.find("li.active").removeCl
> a > .selected").remove(),a.parents("li").each(function(){$
(this).addClass("active"),$(this).find("> a > span.arrow").addClass("open"),
1===$(this).parent("ul.page-sidebar-menu").size()&&$(this).find(">
a").append('<span class="selected"></span>'),1===$(this).children("ul.sub-
menu").size()&&$
(this).addClass("open")}),"click"===e&&App.getViewPort().width<s&&$(".page-
sidebar").hasClass("in")&&$(".page-header .responsive-
toggler").click()}},o=function(){$(".page-sidebar").on("click","li >
a",function(e){if(!(App.getViewPort().width>=s&&1===$(this).parents(".page-
sidebar-menu-hover-submenu").size())){if($(this).next().hasClass("sub-
menu")===!1)return void(App.getViewPort().width<s&&$(".page-
sidebar").hasClass("in")&&$(".page-header .responsive-toggler").click());var
a=$(this).parent().parent(),t=$(this),o=$(".page-sidebar-menu"),n=$
(this).next(),r=o.data("auto-scroll"),p=parseInt(o.data("slide-
speed")),d=o.data("keep-expanded");d!==!
0&&(a.children("li.open").children("a").children(".arrow").removeClass("open"),a.child
menu:not(.always-
open)").slideUp(p),a.children("li.open").removeClass("open"));var
l=-200;n.is(":visible")?($(".arrow",$(this)).removeClass("open"),$
(this).parent().removeClass("open"),n.slideUp(p,function(){r===!0&&$
("body").hasClass("page-sidebar-closed")===!1&&($("body").hasClass("page-
sidebar-fixed")?
o.slimScroll({scrollTo:t.position().top}):App.scrollTo(t,l)),i()})):($
(".arrow",$(this)).addClass("open"),$
(this).parent().addClass("open"),n.slideDown(p,function(){r===!0&&$
("body").hasClass("page-sidebar-closed")===!1&&($("body").hasClass("page-
sidebar-fixed")?
o.slimScroll({scrollTo:t.position().top}):App.scrollTo(t,l)),i()})),e.preventDefault()
$(".page-sidebar-menu li > a").on("click",function(e)
{App.getViewPort().width<s&&$(this).next().hasClass("sub-menu")===!1&&$
(".page-header .responsive-toggler").click()}),$(".page-
sidebar").on("click"," li > a.ajaxify",function(e)
{e.preventDefault(),App.scrollTop();var a=$(this).attr("href"),i=$(".page-
sidebar ul"),t=($(".page-content"),$(".page-content .page-content-
body"));i.children("li.active").removeClass("active"),i.children("arrow.open").removeC
$(this).parents("li").each(function(){$(this).addClass("active"),$
(this).children("a > span.arrow").addClass("open")}),$
(this).parents("li").addClass("active"),App.getViewPort().width<s&&$(".page-

Oct 5, 2018, 5:40 PM 99

© Copyright 2016 Hewlett Packard Enterprise Development LP
JavaScript Hijacking: Vulnerable Framework Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.layouts.layout4.scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/layouts/layout4/
scripts/layout.min.js, line 1 (JavaScript Hijacking: Vulnerable Framework) Low

sidebar").hasClass("in")&&$(".page-header .responsive-
toggler").click(),App.startPageLoading();var o=$(this);
$.ajax({type:"GET",cache:!1,url:a,dataType:"html",success:function(e)
{0===o.parents("li.open").size()&&$(".page-sidebar-menu > li.open >
a").click(),App.stopPageLoading(),t.html(e),Layout.fixContentHeight(),App.initAjax()},
{App.stopPageLoading(),t.html("<h4>Could not load the requested content.</
h4>")}})}),$(".page-content").on("click",".ajaxify",function(e)
{e.preventDefault(),App.scrollTop();var a=$(this).attr("href"),i=($(".page-
content"),$(".page-content .page-content-
body"));App.startPageLoading(),App.getViewPort().width<s&&$(".page-
sidebar").hasClass("in")&&$(".page-header .responsive-toggler").click(),
$.ajax({type:"GET",cache:!1,url:a,dataType:"html",success:function(e)
{App.stopPageLoading(),i.html(e),Layout.fixContentHeight(),App.initAjax()},error:funct
{i.html("<h4>Could not load the requested content.</
h4>"),App.stopPageLoading()}})}),$(document).on("click",".page-header-fixed-
mobile .responsive-toggler",function(){App.scrollTop()})},n=function(){var
e=App.getViewPort().height-$(".page-header").outerHeight(!0)-40;return $
("body").hasClass("page-footer-fixed")&&(e-=$(".page-
footer").outerHeight()),e},r=function(){var e=$(".page-sidebar-menu");return
App.destroySlimScroll(e),0===$(".page-sidebar-fixed").size()?void
i():void(App.getViewPort().width>=s&&(e.attr("data-
height",n()),App.initSlimScroll(e),i()))},p=function(){var e=$
("body");e.hasClass("page-sidebar-fixed")&&$(".page-
sidebar").on("mouseenter",function(){e.hasClass("page-sidebar-closed")&&$
(this).find(".page-sidebar-menu").removeClass("page-sidebar-menu-
closed")}).on("mouseleave",function(){e.hasClass("page-sidebar-closed")&&$
(this).find(".page-sidebar-menu").addClass("page-sidebar-menu-
closed")})},d=function(){var e=$("body");$.cookie&&"1"===
$.cookie("sidebar_closed")&&App.getViewPort().width>=s&&($
("body").addClass("page-sidebar-closed"),$(".page-sidebar-
menu").addClass("page-sidebar-menu-closed")),$("body").on("click",".sidebar-
toggler",function(a){var s=$(".page-sidebar"),i=$(".page-sidebar-menu");$
(".sidebar-search",s).removeClass("open"),e.hasClass("page-sidebar-closed")?
(e.removeClass("page-sidebar-closed"),i.removeClass("page-sidebar-menu-
closed"),$.cookie&&$.cookie("sidebar_closed","0")):(e.addClass("page-sidebar-
closed"),i.addClass("page-sidebar-menu-closed"),e.hasClass("page-sidebar-
fixed")&&i.trigger("mouseleave"),$.cookie&&$.cookie("sidebar_closed","1")),$
(window).trigger("resize")}),p(),$(".page-sidebar").on("click",".sidebar-
search .remove",function(e){e.preventDefault(),$(".sidebar-
search").removeClass("open")}),$(".page-sidebar .sidebar-
search").on("keypress","input.form-control",function(e){return 13==e.which?($
(".sidebar-search").submit(),!1):void 0}),$(".sidebar-
search .submit").on("click",function(e){e.preventDefault(),$
("body").hasClass("page-sidebar-closed")&&$(".sidebar-
search").hasClass("open")===!1?(1===$(".page-sidebar-fixed").size()&&$(".page-
sidebar .sidebar-toggler").click(),$(".sidebar-search").addClass("open")):$
(".sidebar-search").submit()}),0!==$(".sidebar-search").size()&&($(".sidebar-
search .input-group").on("click",function(e){e.stopPropagation()}),$

Oct 5, 2018, 5:40 PM 100

© Copyright 2016 Hewlett Packard Enterprise Development LP
JavaScript Hijacking: Vulnerable Framework Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.layouts.layout4.scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/layouts/layout4/
scripts/layout.min.js, line 1 (JavaScript Hijacking: Vulnerable Framework) Low

("body").on("click",function(){$(".sidebar-search").hasClass("open")&&$
(".sidebar-search").removeClass("open")}))},l=function(){$(".page-
header").on("click",".search-form",function(e){$(this).addClass("open"),$
(this).find(".form-control").focus(),$(".page-header .search-form .form-
control").on("blur",function(e){$(this).closest(".search-
form").removeClass("open"),$(this).unbind("blur")})}),$(".page-
header").on("keypress",".hor-menu .search-form .form-control",function(e)
{return 13==e.which?($(this).closest(".search-form").submit(),!1):void 0}),$
(".page-header").on("mousedown",".search-form.open .submit",function(e)
{e.preventDefault(),e.stopPropagation(),$(this).closest(".search-
form").submit()})},c=function(){var e=300,a=500;navigator.userAgent.match(/
iPhone|iPad|iPod/i)?$(window).bind("touchend touchcancel
touchleave",function(s){$(this).scrollTop()>e?$(".scroll-to-top").fadeIn(a):$
(".scroll-to-top").fadeOut(a)}):$(window).scroll(function(){$
(this).scrollTop()>e?$(".scroll-to-top").fadeIn(a):$(".scroll-to-
top").fadeOut(a)}),$(".scroll-to-top").click(function(e){return
e.preventDefault(),$("html, body").animate({scrollTop:0},a),!
1})};return{initHeader:function(){l()},setSidebarMenuActiveLink:function(e,a)
{t(e,a)},initSidebar:function()
{r(),o(),d(),App.isAngularJsApp()&&t("match"),App.addResizeHandler(r)},initContent:fun
{},initFooter:function(){c()},init:function()
{this.initHeader(),this.initSidebar(),this.initContent(),this.initFooter()},fixContent
{},initFixedSidebarHoverEffect:function(){p()},initFixedSidebar:function()
{r()},getLayoutImgPath:function(){return App.getAssetsPath()
+e},getLayoutCssPath:function(){return App.getAssetsPath()+a}}}
();App.isAngularJsApp()===!1&&jQuery(document).ready(function()
{Layout.init()});
2
3 undefined
4 undefined
5 undefined
6 undefined
7 undefined

Oct 5, 2018, 5:40 PM 101

© Copyright 2016 Hewlett Packard Enterprise Development LP
JavaScript Hijacking: Vulnerable Framework Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.layouts.layout4.scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/layouts/layout4/
scripts/layout.min.js, line 1 (JavaScript Hijacking: Vulnerable Framework) Low

p:i.height()-10,e+r+p<=App.getViewPort().height&&(e=App.getViewPort().height-r-p-45)}
a.attr("style","min-height:"+e+"px")}},t=function(e,a){var i=location.hash.toLowerCase(),t=$
(".page-sidebar-menu");if("click"===e||"set"===e?a=$(a):"match"===e&&t.find("li >
a").each(function(){var e=$(this).attr("href").toLowerCase();return
e.length>1&&i.substr(1,e.length-1)==e.substr(1)?void(a=$(this)):void 0}),a&&0!
=a.size()&&"javascript:;"!==a.attr("href").toLowerCase()&&"#"!==a.attr("href").toLowerCase())
{parseInt(t.data("slide-speed")),t.data("keep-expanded");t.hasClass("page-sidebar-menu-hover-
submenu")===!1?t.find("li.nav-item.open").each(function(){var e=!1;$
(this).find("li").each(function(){return $(this).find(" > a").attr("href")===a.attr("href")?
void(e=!0):void 0}),e!==!0&&($(this).removeClass("open"),$(this).find("> a
> .arrow.open").removeClass("open"),$(this).find("> .sub-
menu").slideUp())}):t.find("li.open").removeClass("open"),t.find("li.active").removeClass("active"),t.fin
> a > .selected").remove(),a.parents("li").each(function(){$(this).addClass("active"),$
(this).find("> a > span.arrow").addClass("open"),1===$(this).parent("ul.page-sidebar-
menu").size()&&$(this).find("> a").append('<span class="selected"></span>'),1===$
(this).children("ul.sub-menu").size()&&$
(this).addClass("open")}),"click"===e&&App.getViewPort().width<s&&$(".page-
sidebar").hasClass("in")&&$(".page-header .responsive-toggler").click()}},o=function(){$
(".page-sidebar").on("click","li > a",function(e){if(!(App.getViewPort().width>=s&&1===$
(this).parents(".page-sidebar-menu-hover-submenu").size())){if($(this).next().hasClass("sub-
menu")===!1)return void(App.getViewPort().width<s&&$(".page-sidebar").hasClass("in")&&$(".page-
header .responsive-toggler").click());var a=$(this).parent().parent(),t=$(this),o=$(".page-
sidebar-menu"),n=$(this).next(),r=o.data("auto-scroll"),p=parseInt(o.data("slide-
speed")),d=o.data("keep-expanded");d!==!
0&&(a.children("li.open").children("a").children(".arrow").removeClass("open"),a.children("li.open").chil
menu:not(.always-open)").slideUp(p),a.children("li.open").removeClass("open"));var
l=-200;n.is(":visible")?($(".arrow",$(this)).removeClass("open"),$
(this).parent().removeClass("open"),n.slideUp(p,function(){r===!0&&$("body").hasClass("page-
sidebar-closed")===!1&&($("body").hasClass("page-sidebar-fixed")?
o.slimScroll({scrollTo:t.position().top}):App.scrollTo(t,l)),i()})):($(".arrow",$
(this)).addClass("open"),$(this).parent().addClass("open"),n.slideDown(p,function(){r===!0&&$
("body").hasClass("page-sidebar-closed")===!1&&($("body").hasClass("page-sidebar-fixed")?
o.slimScroll({scrollTo:t.position().top}):App.scrollTo(t,l)),i()})),e.preventDefault()}}),App.isAngularJs
$(".page-sidebar-menu li > a").on("click",function(e){App.getViewPort().width<s&&$
(this).next().hasClass("sub-menu")===!1&&$(".page-header .responsive-toggler").click()}),$
(".page-sidebar").on("click"," li > a.ajaxify",function(e)
{e.preventDefault(),App.scrollTop();var a=$(this).attr("href"),i=$(".page-sidebar ul"),t=($
(".page-content"),$(".page-content .page-content-
body"));i.children("li.active").removeClass("active"),i.children("arrow.open").removeClass("open"),
$(this).parents("li").each(function(){$(this).addClass("active"),$(this).children("a >
span.arrow").addClass("open")}),$
(this).parents("li").addClass("active"),App.getViewPort().width<s&&$(".page-
sidebar").hasClass("in")&&$(".page-header .responsive-
toggler").click(),App.startPageLoading();var o=$(this);$.ajax({type:"GET",cache:!
1,url:a,dataType:"html",success:function(e){0===o.parents("li.open").size()&&$(".page-sidebar-
menu > li.open >
a").click(),App.stopPageLoading(),t.html(e),Layout.fixContentHeight(),App.initAjax()},error:function(e,a,
{App.stopPageLoading(),t.html("<h4>Could not load the requested content.</h4>")}})}),$(".page-
content").on("click",".ajaxify",function(e){e.preventDefault(),App.scrollTop();var a=$
(this).attr("href"),i=($(".page-content"),$(".page-content .page-content-
body"));App.startPageLoading(),App.getViewPort().width<s&&$(".page-sidebar").hasClass("in")&&$
(".page-header .responsive-toggler").click(),$.ajax({type:"GET",cache:!
1,url:a,dataType:"html",success:function(e)
{App.stopPageLoading(),i.html(e),Layout.fixContentHeight(),App.initAjax()},error:function(e,a,s)
{i.html("<h4>Could not load the requested content.</h4>"),App.stopPageLoading()}})}),$
(document).on("click",".page-header-fixed-mobile .responsive-toggler",function()
{App.scrollTop()})},n=function(){var e=App.getViewPort().height-$(".page-header").outerHeight(!
0)-40;return $("body").hasClass("page-footer-fixed")&&(e-=$(".page-
footer").outerHeight()),e},r=function(){var e=$(".page-sidebar-menu");return

Oct 5, 2018, 5:40 PM 102

© Copyright 2016 Hewlett Packard Enterprise Development LP
JavaScript Hijacking: Vulnerable Framework Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.layouts.layout4.scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/layouts/layout4/
scripts/layout.min.js, line 1 (JavaScript Hijacking: Vulnerable Framework) Low

App.destroySlimScroll(e),0===$(".page-sidebar-fixed").size()?void
i():void(App.getViewPort().width>=s&&(e.attr("data-
height",n()),App.initSlimScroll(e),i()))},p=function(){var e=$("body");e.hasClass("page-
sidebar-fixed")&&$(".page-sidebar").on("mouseenter",function(){e.hasClass("page-sidebar-
closed")&&$(this).find(".page-sidebar-menu").removeClass("page-sidebar-menu-
closed")}).on("mouseleave",function(){e.hasClass("page-sidebar-closed")&&$(this).find(".page-
sidebar-menu").addClass("page-sidebar-menu-closed")})},d=function(){var e=$("body");
$.cookie&&"1"===$.cookie("sidebar_closed")&&App.getViewPort().width>=s&&($
("body").addClass("page-sidebar-closed"),$(".page-sidebar-menu").addClass("page-sidebar-menu-
closed")),$("body").on("click",".sidebar-toggler",function(a){var s=$(".page-sidebar"),i=$
(".page-sidebar-menu");$(".sidebar-search",s).removeClass("open"),e.hasClass("page-sidebar-
closed")?(e.removeClass("page-sidebar-closed"),i.removeClass("page-sidebar-menu-closed"),
$.cookie&&$.cookie("sidebar_closed","0")):(e.addClass("page-sidebar-closed"),i.addClass("page-
sidebar-menu-closed"),e.hasClass("page-sidebar-fixed")&&i.trigger("mouseleave"),$.cookie&&
$.cookie("sidebar_closed","1")),$(window).trigger("resize")}),p(),$(".page-
sidebar").on("click",".sidebar-search .remove",function(e){e.preventDefault(),$(".sidebar-
search").removeClass("open")}),$(".page-sidebar .sidebar-search").on("keypress","input.form-
control",function(e){return 13==e.which?($(".sidebar-search").submit(),!1):void 0}),$
(".sidebar-search .submit").on("click",function(e){e.preventDefault(),$("body").hasClass("page-
sidebar-closed")&&$(".sidebar-search").hasClass("open")===!1?(1===$(".page-sidebar-
fixed").size()&&$(".page-sidebar .sidebar-toggler").click(),$(".sidebar-
search").addClass("open")):$(".sidebar-search").submit()}),0!==$(".sidebar-search").size()&&($
(".sidebar-search .input-group").on("click",function(e){e.stopPropagation()}),$
("body").on("click",function(){$(".sidebar-search").hasClass("open")&&$(".sidebar-
search").removeClass("open")}))},l=function(){$(".page-header").on("click",".search-
form",function(e){$(this).addClass("open"),$(this).find(".form-control").focus(),$(".page-
header .search-form .form-control").on("blur",function(e){$(this).closest(".search-
form").removeClass("open"),$(this).unbind("blur")})}),$(".page-header").on("keypress",".hor-
menu .search-form .form-control",function(e){return 13==e.which?($(this).closest(".search-
form").submit(),!1):void 0}),$(".page-header").on("mousedown",".search-
form.open .submit",function(e){e.preventDefault(),e.stopPropagation(),$(this).closest(".search-
form").submit()})},c=function(){var e=300,a=500;navigator.userAgent.match(/iPhone|iPad|iPod/i)?
$(window).bind("touchend touchcancel touchleave",function(s){$(this).scrollTop()>e?$(".scroll-
to-top").fadeIn(a):$(".scroll-to-top").fadeOut(a)}):$(window).scroll(function(){$
(this).scrollTop()>e?$(".scroll-to-top").fadeIn(a):$(".scroll-to-top").fadeOut(a)}),$(".scroll-
to-top").click(function(e){return e.preventDefault(),$("html, body").animate({scrollTop:0},a),!
1})};return{initHeader:function(){l()},setSidebarMenuActiveLink:function(e,a)
{t(e,a)},initSidebar:function()
{r(),o(),d(),App.isAngularJsApp()&&t("match"),App.addResizeHandler(r)},initContent:function()
{},initFooter:function(){c()},init:function()
{this.initHeader(),this.initSidebar(),this.initContent(),this.initFooter()},fixContentHeight:function()
{},initFixedSidebarHoverEffect:function(){p()},initFixedSidebar:function()
{r()},getLayoutImgPath:function(){return App.getAssetsPath()+e},getLayoutCssPath:function()
{return App.getAssetsPath()+a}}}();App.isAngularJsApp()===!1&&jQuery(document).ready(function()
{Layout.init()});
2
3 undefined
4 undefined
5 undefined
6 undefined
7 undefined

Oct 5, 2018, 5:40 PM 103

© Copyright 2016 Hewlett Packard Enterprise Development LP
JavaScript Hijacking: Vulnerable Framework Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.modules.js
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/modules/js/
Low
regmcu.js, line 50 (JavaScript Hijacking: Vulnerable Framework)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Structural)

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/modules/js/

Low
QuestionRelation.js, line 9 (JavaScript Hijacking: Vulnerable Framework)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Structural)

Oct 5, 2018, 5:40 PM 104

© Copyright 2016 Hewlett Packard Enterprise Development LP
JavaScript Hijacking: Vulnerable Framework Low
Package: Code.Sampoerna.Credit Life.5th Scan.
20181005_CLS.CLS.obj.Release.Package.PackageTmp.assets.modules.js
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/
PackageTmp/assets/modules/js/regmcu.js, line 50 (JavaScript Hijacking: Low
Vulnerable Framework)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Structural)

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.packages.jQuery.

1.10.2.Content.Scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/packages/jQuery.1.10.2/
Content/Scripts/jquery-1.10.2-vsdoc.js, line 468 (JavaScript Hijacking: Vulnerable Low
Framework)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Data Flow)

Source Details
Source: Read type
From: _evalUrl
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/packages/jQuery.1.10.2/Conte
nt/Scripts/jquery-1.10.2-vsdoc.js:470
467
468 return jQuery.ajax({
469 url: url,
470 type: "GET",
471 dataType: "script",
472 async: false,
473 global: false,

Oct 5, 2018, 5:40 PM 105

© Copyright 2016 Hewlett Packard Enterprise Development LP
JavaScript Hijacking: Vulnerable Framework Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.packages.jQuery.
1.10.2.Content.Scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/packages/jQuery.1.10.2/
Content/Scripts/jquery-1.10.2-vsdoc.js, line 468 (JavaScript Hijacking: Vulnerable Low
Framework)

Sink Details
Sink: ajax()
Enclosing Method: _evalUrl()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/packages/jQuery.1.10.2/Content/Scripts/jquery-1.10.2-vsdoc.js:
468
Taint Flags: HTTP_GET
465 };
466 jQuery._evalUrl = function( url ) {
467
468 return jQuery.ajax({
469 url: url,
470 type: "GET",
471 dataType: "script",

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/packages/jQuery.1.10.2/

Content/Scripts/jquery-1.10.2-vsdoc.js, line 1854 (JavaScript Hijacking: Low
Vulnerable Framework)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Structural)

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/packages/jQuery.1.10.2/

Content/Scripts/jquery-1.10.2-vsdoc.js, line 1841 (JavaScript Hijacking: Low
Vulnerable Framework)
Issue Details

Oct 5, 2018, 5:40 PM 106

© Copyright 2016 Hewlett Packard Enterprise Development LP
JavaScript Hijacking: Vulnerable Framework Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.packages.jQuery.
1.10.2.Content.Scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/packages/jQuery.1.10.2/
Content/Scripts/jquery-1.10.2-vsdoc.js, line 1841 (JavaScript Hijacking: Low
Vulnerable Framework)

Kingdom: Encapsulation
Scan Engine: SCA (Structural)

Oct 5, 2018, 5:40 PM 107

Abstract
Storing passwords or password details in plaintext anywhere in the system or system code may
compromise system security in a way that cannot be easily remedied.

Explanation
It is never a good idea to hardcode a password. Storing password details within comments is equivalent to
hardcoding passwords. Not only does it allow all of the project's developers to view the password, it also
makes fixing the problem extremely difficult. Once the code is in production, the password is now leaked to
the outside world and cannot be protected or changed without patching the software. If the account
protected by the password is compromised, the owners of the system will be forced to choose between
security and availability.

Example: The following comment specifies the default password to connect to a database:

...
// Default username for database connection is "scott"
// Default password for database connection is "tiger"
...

This code will run successfully, but anyone who has access to it will have access to the password. Once
the program has shipped, there is likely no way to change the database user "scott" with a password of
"tiger" unless the program is patched. An employee with access to this information could use it to break into
the system.

Recommendation
Passwords should never be hardcoded and should generally be obfuscated and managed in an external
source. Storing passwords in plaintext anywhere on the system allows anyone with sufficient permissions
to read and potentially misuse the password.

Issue Summary

Oct 5, 2018, 5:40 PM 108

Password Management: Password in Comment Low

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/scripts/
Low
app.js, line 515 (Password Management: Password in Comment)
Issue Details
Kingdom: Security Features
Scan Engine: SCA (Structural)

Sink Details
Sink: Comment
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/scripts/app.js:515
Taint Flags:
512 // Fix input placeholder issue for IE8 and IE9
513 var handleFixInputPlaceholderForIE = function() {
514 //fix html5 placeholder attribute for ie7 & ie8
515 if (isIE8 || isIE9) { // ie8 & ie9
516 // this is html5 placeholder fix for inputs, inputs with placeholder-no-fix class will be
skipped(e.g: we need this for password fields)
517 $('input[placeholder]:not(.placeholder-no-fix), textarea[placeholder]:not(.placeholder-no-
fix)').each(function() {
518 var input = $(this);

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.packages.jQuery.1.10.2.Tools

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/packages/jQuery.1.10.2/
Tools/jquery-1.10.2.intellisense.js, line 2042 (Password Management: Password Low
in Comment)
Issue Details
Kingdom: Security Features
Scan Engine: SCA (Structural)

Sink Details
Sink: Comment
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/packages/jQuery.1.10.2/Tools/jquery-1.10.2.intellisense.js:
2042
Taint Flags:
2039 /// <returns type="jQuery" />
2040 /// </signature>
2041 },
2042 'password': function() {
2043 /// <summary>Selects all elements of type password.</summary>
2044 },

Oct 5, 2018, 5:40 PM 109

© Copyright 2016 Hewlett Packard Enterprise Development LP
Password Management: Password in Comment Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.packages.jQuery.1.10.2.Tools
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/packages/jQuery.1.10.2/
Tools/jquery-1.10.2.intellisense.js, line 2042 (Password Management: Password Low
in Comment)
2045 'position': function() {

Oct 5, 2018, 5:40 PM 110

Abstract
Storing a plaintext password in a configuration file could result in a system compromise.

Explanation
Storing a plaintext password in a configuration file allows anyone who can read the file access to the
password-protected resource. Developers sometimes believe that they cannot defend the application from
someone who has access to the configuration, but this attitude makes an attacker's job easier. Good
password management guidelines require that a password never be stored in plaintext.

Recommendation
A password should never be stored in plaintext. Instead, the password should be entered by an
administrator when the system starts. If that approach is impractical, a less secure but often adequate
solution is to obfuscate the password and scatter the de-obfuscation material around the system so that an
attacker has to obtain and correctly combine multiple system resources to decipher the password.

Microsoft(R) provides a tool that can be used in conjunction with the Windows Data Protection application
programming interface (DPAPI) to protect sensitive application entries in configuration files [1].

Issue Summary

Engine Breakdown
SCA WebInspect SecurityScope Total
Password Management: Password in Configuration 4 0 0 4
File
Total 4 0 0 4

Password Management: Password in Configuration File High

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Web.config, line 12
High
(Password Management: Password in Configuration File)
Issue Details
Kingdom: Environment
Scan Engine: SCA (Configuration)

Oct 5, 2018, 5:40 PM 111

© Copyright 2016 Hewlett Packard Enterprise Development LP
Password Management: Password in Configuration File High
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Web.config, line 12
High
(Password Management: Password in Configuration File)
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Web.config:12
Taint Flags:
9 </configSections>
10 <connectionStrings>
11 
12 <add name="CLSConnection" connectionString="SA394s7WzOjyM/CMsB7BY59zlVOpHiwn4Vfny0s
+Qr4LZ87NHyoZZCpevEcKRn1NnRew9DiFAVsotG8ld7k+bUHrpoyDMWysd/8fhvkjAlePS4PWDMtgSbj09+aPF
+wqJjHosADPe2rwPNntKVWVUg==" providerName="System.Data.SqlClient"/>
13 <add name="AMCConnection" connectionString="yr1zGB/
XYT0XWPNJZZImrWgC3k9ZfpCqMc7xOb1NcDIUbHVeJhmhb5IELJJ6XLeUDuMUb23eGu8lvClIEgz58KE/MsG8T/
Y0PQ8Ec01yMW1AU/81zWjLh8Owyadu2z5+RyuQNWJgtsoAHMdEvCC2j/ThcRdcIpiVepILjHgustc="
providerName="System.Data.SqlClient"/>
14 </connectionStrings>
15 <appSettings>

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.bin

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/bin/CLS.dll.config, line
High
12 (Password Management: Password in Configuration File)
Issue Details
Kingdom: Environment
Scan Engine: SCA (Configuration)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/bin/CLS.dll.config:12
Taint Flags:
9 </configSections>
10 <connectionStrings>
11 
12 <add name="CLSConnection" connectionString="SA394s7WzOjyM/CMsB7BY59zlVOpHiwn4Vfny0s
+Qr4LZ87NHyoZZCpevEcKRn1NnRew9DiFAVsotG8ld7k+bUHrpoyDMWysd/8fhvkjAlePS4PWDMtgSbj09+aPF
+wqJjHosADPe2rwPNntKVWVUg==" providerName="System.Data.SqlClient"/>
13 <add name="AMCConnection" connectionString="yr1zGB/
XYT0XWPNJZZImrWgC3k9ZfpCqMc7xOb1NcDIUbHVeJhmhb5IELJJ6XLeUDuMUb23eGu8lvClIEgz58KE/MsG8T/
Y0PQ8Ec01yMW1AU/81zWjLh8Owyadu2z5+RyuQNWJgtsoAHMdEvCC2j/ThcRdcIpiVepILjHgustc="
providerName="System.Data.SqlClient"/>
14 </connectionStrings>
15 <appSettings>

Oct 5, 2018, 5:40 PM 112

© Copyright 2016 Hewlett Packard Enterprise Development LP
Password Management: Password in Configuration File High
Package: Code.Sampoerna.Credit Life.5th Scan.
20181005_CLS.CLS.obj.Release.TransformWebConfig.original
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/
TransformWebConfig/original/Web.config, line 12 (Password Management: High
Password in Configuration File)
Issue Details
Kingdom: Environment
Scan Engine: SCA (Configuration)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/TransformWebConfig/original/Web.config:12
Taint Flags:
9 </configSections>
10 <connectionStrings>
11 
12 <add name="CLSConnection" connectionString="SA394s7WzOjyM/CMsB7BY59zlVOpHiwn4Vfny0s
+Qr4LZ87NHyoZZCpevEcKRn1NnRew9DiFAVsotG8ld7k+bUHrpoyDMWysd/8fhvkjAlePS4PWDMtgSbj09+aPF
+wqJjHosADPe2rwPNntKVWVUg==" providerName="System.Data.SqlClient"/>
13 <add name="AMCConnection" connectionString="yr1zGB/
XYT0XWPNJZZImrWgC3k9ZfpCqMc7xOb1NcDIUbHVeJhmhb5IELJJ6XLeUDuMUb23eGu8lvClIEgz58KE/MsG8T/
Y0PQ8Ec01yMW1AU/81zWjLh8Owyadu2z5+RyuQNWJgtsoAHMdEvCC2j/ThcRdcIpiVepILjHgustc="
providerName="System.Data.SqlClient"/>
14 </connectionStrings>
15 <appSettings>

Package: Code.Sampoerna.Credit Life.5th Scan.

20181005_CLS.CLS.obj.Release.TransformWebConfig.transformed
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/
TransformWebConfig/transformed/Web.config, line 12 (Password Management: High
Password in Configuration File)
Issue Details
Kingdom: Environment
Scan Engine: SCA (Configuration)

Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/TransformWebConfig/transformed/
Web.config:12
Taint Flags:
9 </configSections>
10 <connectionStrings>
11 
12 <add name="CLSConnection" connectionString="SA394s7WzOjyM/CMsB7BY59zlVOpHiwn4Vfny0s
+Qr4LZ87NHyoZZCpevEcKRn1NnRew9DiFAVsotG8ld7k+bUHrpoyDMWysd/8fhvkjAlePS4PWDMtgSbj09+aPF
+wqJjHosADPe2rwPNntKVWVUg==" providerName="System.Data.SqlClient" />

Oct 5, 2018, 5:40 PM 113

© Copyright 2016 Hewlett Packard Enterprise Development LP
Password Management: Password in Configuration File High
Package: Code.Sampoerna.Credit Life.5th Scan.
20181005_CLS.CLS.obj.Release.TransformWebConfig.transformed
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/
TransformWebConfig/transformed/Web.config, line 12 (Password Management: High
Password in Configuration File)
13 <add name="AMCConnection" connectionString="yr1zGB/
XYT0XWPNJZZImrWgC3k9ZfpCqMc7xOb1NcDIUbHVeJhmhb5IELJJ6XLeUDuMUb23eGu8lvClIEgz58KE/MsG8T/
Y0PQ8Ec01yMW1AU/81zWjLh8Owyadu2z5+RyuQNWJgtsoAHMdEvCC2j/ThcRdcIpiVepILjHgustc="
providerName="System.Data.SqlClient" />
14 </connectionStrings>
15 <appSettings>

Oct 5, 2018, 5:40 PM 114

Abstract
Ignoring an exception can cause the program to overlook unexpected states and conditions.

Explanation
Just about every serious attack on a software system begins with the violation of a programmer's
assumptions. After the attack, the programmer's assumptions seem flimsy and poorly founded, but before
an attack many programmers would defend their assumptions well past the end of their lunch break.

Two dubious assumptions that are easy to spot in code are "this method call can never fail" and "it doesn't
matter if this call fails". When programmers ignore exceptions, they implicitly state that they are operating
under one of these assumptions.

Example 1: The following code excerpt ignores a rarely-thrown exception from DoExchange().

try {
DoExchange();
}
catch (RareException e) {
// this can never happen
}

If a RareException were to ever be thrown, the program would continue to execute as though nothing
unusual had occurred. The program records no evidence indicating the special situation, potentially
frustrating any later attempt to explain the program's behavior.

Recommendation
At a minimum, log the fact that the exception was thrown so that it will be possible to come back later and
make sense of the resulting program behavior. Better yet, abort the current operation.

Example 2: The code in Example 1 could be rewritten in the following way:

try {
DoExchange();
}
catch (RareException e) {
Log.Error("This can never happen: " + e);
}

Issue Summary

Oct 5, 2018, 5:40 PM 115

Poor Error Handling: Empty Catch Block Low

Package: CLS.Utils
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Utils/AES.cs, line 22
Low
(Poor Error Handling: Empty Catch Block)
Issue Details
Kingdom: Errors
Scan Engine: SCA (Structural)

Sink Details
Sink: CatchBlock
Enclosing Method: Encrypt()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Utils/AES.cs:22
Taint Flags:
19 {
20 encData = EncryptStringToBytes_Aes(data, keys[0], keys[1]);
21 }
22 catch (CryptographicException) { }
23 catch (ArgumentNullException) { }
24
25 return encData;

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Utils/AES.cs, line 23

Low
(Poor Error Handling: Empty Catch Block)
Issue Details
Kingdom: Errors
Scan Engine: SCA (Structural)

Sink Details
Sink: CatchBlock
Enclosing Method: Encrypt()

Oct 5, 2018, 5:40 PM 116

© Copyright 2016 Hewlett Packard Enterprise Development LP
Poor Error Handling: Empty Catch Block Low
Package: CLS.Utils
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Utils/AES.cs, line 23
(Poor Error Handling: Empty Catch Block) Low

File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Utils/AES.cs:23

Taint Flags:
20 encData = EncryptStringToBytes_Aes(data, keys[0], keys[1]);
21 }
22 catch (CryptographicException) { }
23 catch (ArgumentNullException) { }
24
25 return encData;
26 }

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Utils/AES.cs, line 37

Low
(Poor Error Handling: Empty Catch Block)
Issue Details
Kingdom: Errors
Scan Engine: SCA (Structural)

Sink Details
Sink: CatchBlock
Enclosing Method: Decrypt()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Utils/AES.cs:37
Taint Flags:
34 {
35 decData = DecryptStringFromBytes_Aes(data, keys[0], keys[1]);
36 }
37 catch (CryptographicException) { }
38 catch (ArgumentNullException) { }
39
40 return decData;

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Utils/AES.cs, line 38

Low
(Poor Error Handling: Empty Catch Block)
Issue Details
Kingdom: Errors
Scan Engine: SCA (Structural)

Sink Details
Sink: CatchBlock
Enclosing Method: Decrypt()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Utils/AES.cs:38
Taint Flags:
35 decData = DecryptStringFromBytes_Aes(data, keys[0], keys[1]);
36 }

Oct 5, 2018, 5:40 PM 117

37 catch (CryptographicException) { }
38 catch (ArgumentNullException) { }
39
40 return decData;
41 }

Oct 5, 2018, 5:40 PM 118

Abstract
Not all FOSS licenses are acceptable for use at CIGNA or in CIGNA projects, of the variety of licenses
used by free and open source software many either constrain usage or impose requirements that are not
conducive to CIGNA policies and business practices.

Explanation
Some licenses are approved for use at CIGNA, however software using them must be requested via the
Open Source Software Working Group (OS-WG). The OS-WG will check for legal approval as well as more
general suitability for use at CIGNA.

Recommendation
This software may already be on the list of globally approved software at http://confluence.sys.cigna.com/
confluence/download/attachments/28312609/ComponentsByApplicationOrUseCategory.pdf
-- however if it is not you must request it by following the Request process (see: http://
confluence.sys.cigna.com/confluence/display/EATechArch/Open+Source+FAQ#OpenSourceFAQ-
HowdoIrequestopensourcesoftware%3F )

International users, please contact your local Fortify lead.

Issue Summary

Engine Breakdown
SCA WebInspect SecurityScope Total
Potentially Banned License: Creative Commons 1 0 0 1
Total 1 0 0 1

Potentially Banned License: Creative Commons High

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.plugins.datatables
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/
datatables/datatables.js, line 26144 (Potentially Banned License: Creative High
Commons)
Issue Details

Oct 5, 2018, 5:40 PM 119

© Copyright 2016 Hewlett Packard Enterprise Development LP
Potentially Banned License: Creative Commons High
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.plugins.datatables
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/
datatables/datatables.js, line 26144 (Potentially Banned License: Creative High
Commons)

Kingdom: Unknown - Custom Issue

Scan Engine: SCA (Structural)

Sink Details
Sink: Comment
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/datatables/datatables.js:26144
Taint Flags:
26141
26142 /* jslint node: true */
26143 'use strict';
26144 /*jshint -W004 */
26145 /* qr.js -- QR code generator in Javascript (revision 2011-01-19)
26146 * Written by Kang Seonghoon <[email protected]>.
26147 *

Oct 5, 2018, 5:40 PM 120

International users, please contact your local Fortify lead.

Issue Summary

Engine Breakdown
SCA WebInspect SecurityScope Total
Potentially Banned License: GPL 8 0 0 8
Total 8 0 0 8

Potentially Banned License: GPL High

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.apps.scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/apps/scripts/
High
jquery.numeric_input.min.js, line 0 (Potentially Banned License: GPL)
Issue Details
Kingdom: Unknown - Custom Issue

Oct 5, 2018, 5:40 PM 121

© Copyright 2016 Hewlett Packard Enterprise Development LP
Potentially Banned License: GPL High
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.apps.scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/apps/scripts/
High
jquery.numeric_input.min.js, line 0 (Potentially Banned License: GPL)

Scan Engine: SCA (Structural)

Sink Details
Sink: Comment
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/apps/scripts/jquery.numeric_input.min.js:0
Taint Flags:
1 /*
2 * jQuery Numeric Input - v0.1.3 - 2013-08-27
3 * https://github.com/manuelvanrijn/jquery-numeric_input
4 * Copyright (c) 2013 Manuel van Rijn
5 * Licensed MIT, GPL
6 */
7 (function(e,t,n,r){var i=function(t,n){this.elem=t,this.
$elem=e(t),this.options=n};i.prototype={init:function(){var
t=this;t.options=e.extend({},e.fn.numeric_input.defaults,t.options),t.
$elem.keypress(function(e){t.preventDefaultForKeyCode(e.which)===!0&&e.preventDefault();var
n=t.getNewValueForKeyCode(e.which,t.$elem.val());n!==!1&&t.
$elem.val(n)}),t.options.parseOnBlur===!0&&t.$elem.blur(function(e){var n=t.parseValue(t.
$elem.val());t.$elem.val(n)});if(t.options.initialParse===!0){var n=t.parseValue(t.
$elem.val());t.$elem.val(n)}return t},preventDefaultForKeyCode:function(e)
{if(e>=48&&e<=57)return!1;switch(e){case 0:case 8:case 9:case 35:case 36:case 37:case 39:case
144:return!1;default:return!0}},getNewValueForKeyCode:function(t,n){if(t===44||t===46||
t===188||t===190)if(n.indexOf(this.options.decimal)===-1)return
e.trim(n)===""&&this.options.leadingZeroCheck&&(n="0"),n+this.options.decimal;return
t===45&&this.options.allowNegative&&n.charAt(0)!=="-"?"-"+n:!1},parseValue:function(e){var t=!
1,n=e.replace(/[A-Za-z$]/g,"");n.indexOf("-")!==-1&&(n=n.replace("-",""),t=!
0);if(n.indexOf(".")!==-1||n.indexOf(",")!
==-1)n=n.replace(".",this.options.decimal),n=n.replace(",",this.options.decimal);return
n.indexOf(this.options.decimal)===0&&(n="0"+n),t===!0&&this.options.allowNegative===!
0&&(n="-"+n),n}},e.fn.numeric_input=function(t){return this.each(function()
{e.data(this,"numeric_input")||e.data(this,"numeric_input",(new
i(this,t)).init())})},e.fn.numeric_input.defaults={decimal:",",leadingZeroCheck:!
0,initialParse:!0,parseOnBlur:!0,allowNegative:!1}})(jQuery,window,document);

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.plugins

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/
High
jquery.blockui.min.js, line 2 (Potentially Banned License: GPL)
Issue Details
Kingdom: Unknown - Custom Issue
Scan Engine: SCA (Structural)

Sink Details
Sink: Comment
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/jquery.blockui.min.js:2
Taint Flags:
1 /*!
2 * jQuery blockUI plugin

Oct 5, 2018, 5:40 PM 122

© Copyright 2016 Hewlett Packard Enterprise Development LP
Potentially Banned License: GPL High
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.plugins
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/
High
jquery.blockui.min.js, line 2 (Potentially Banned License: GPL)
3 * Version 2.70.0-2014.11.23
4 * Requires jQuery v1.7 or later
5 *
6 * Examples at: http://malsup.com/jquery/block/
7 * Copyright (c) 2007-2013 M. Alsup

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/

High
respond.min.js, line 4 (Potentially Banned License: GPL)
Issue Details
Kingdom: Unknown - Custom Issue
Scan Engine: SCA (Structural)

Sink Details
Sink: Comment
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/respond.min.js:4
Taint Flags:
1 /*! matchMedia() polyfill - Test a CSS media type/query in JS. Authors & copyright (c) 2012:
Scott Jehl, Paul Irish, Nicholas Zakas. Dual MIT/BSD license */
2 /*! NOTE: If you're already including a window.matchMedia polyfill via Modernizr or
otherwise, you don't need this part */
3 window.matchMedia=window.matchMedia||function(a){"use strict";var
c,d=a.documentElement,e=d.firstElementChild||
d.firstChild,f=a.createElement("body"),g=a.createElement("div");return g.id="mq-
test-1",g.style.cssText="position:absolute;top:-100em",f.style.background="none",f.appendChild(g),functio
{return g.innerHTML='<style media="'+a+'"> #mq-test-1 { width: 42px; }</
style>',d.insertBefore(f,e),c=42===g.offsetWidth,d.removeChild(f),{matches:c,media:a}}}
(document);
4
5 /*! Respond.js v1.1.0: min/max-width media query polyfill. (c) Scott Jehl. MIT/GPLv2 Lic.
j.mp/respondjs */
6 (function(a){"use strict";function x(){u(!0)}var b={};if(a.respond=b,b.update=function()
{},b.mediaQueriesSupported=a.matchMedia&&a.matchMedia("only all").matches,!
b.mediaQueriesSupported){var
q,r,t,c=a.document,d=c.documentElement,e=[],f=[],g=[],h={},i=30,j=c.getElementsByTagName("head")
[0]||d,k=c.getElementsByTagName("base")[0],l=j.getElementsByTagName("link"),m=[],n=function()
{for(var b=0;l.length>b;b++){var
c=l[b],d=c.href,e=c.media,f=c.rel&&"stylesheet"===c.rel.toLowerCase();d&&f&&!
h[d]&&(c.styleSheet&&c.styleSheet.rawCssText?(p(c.styleSheet.rawCssText,d,e),h[d]=!0):(!/^([a-
zA-Z:]*\/\/)/.test(d)&&!k||d.replace(RegExp.$1,"").split("/")
[0]===a.location.host)&&m.push({href:d,media:e}))}o()},o=function(){if(m.length){var
b=m.shift();v(b.href,function(c){p(c,b.href,b.media),h[b.href]=!0,a.setTimeout(function(){o()},
0)})}},p=function(a,b,c){var d=a.match(/@media[^\{]+\{([^\{\}]*\{[^\}\{]*\})+/
gi),g=d&&d.length||0;b=b.substring(0,b.lastIndexOf("/"));var h=function(a){return a.replace(/
(url$)['"]?([^\/$'"][^:\)'"]+)['"]?(\))/g,"$1"+b+"$2$3")},i=!g&&c;b.length&&(b
+="/"),i&&(g=1);for(var j=0;g>j;j++){var k,l,m,n;i?(k=c,f.push(h(a))):(k=d[j].match(/@media
*([^\{]+)\{([\S\s]+?)$/)&&RegExp.$1,f.push(RegExp.$2&&h(RegExp.
$2))),m=k.split(","),n=m.length;for(var o=0;n>o;o++)l=m[o],e.push({media:l.split("(")
[0].match(/(only\s+)?([a-zA-Z]+)\s?/)&&RegExp.
$2||"all",rules:f.length-1,hasquery:l.indexOf("(")>-1,minw:l.match(/$\s*min\-width\s*:
\s*(\s*[0-9\.]+)(px|em)\s*$/)&&parseFloat(RegExp.$1)+(RegExp.$2||""),maxw:l.match(/\(\s*max\-

Oct 5, 2018, 5:40 PM 123

width\s*:\s*(\s*[0-9\.]+)(px|em)\s*\)/)&&parseFloat(RegExp.$1)+(RegExp.$2||"")})}
u()},s=function(){var a,b=c.createElement("div"),e=c.body,f=!1;return
b.style.cssText="position:absolute;font-size:1em;width:1em",e||
(e=f=c.createElement("body"),e.style.background="none"),e.appendChild(b),d.insertBefore(e,d.firstChild),a
d.removeChild(e):e.removeChild(b),a=t=parseFloat(a)},u=function(b){var
h="clientWidth",k=d[h],m="CSS1Compat"===c.compatMode&&k||c.body[h]||
k,n={},o=l[l.length-1],p=(new Date).getTime();if(b&&q&&i>p-q)return
a.clearTimeout(r),r=a.setTimeout(u,i),void 0;q=p;for(var v in e)if(e.hasOwnProperty(v)){var
w=e[v],x=w.minw,y=w.maxw,z=null===x,A=null===y,B="em";x&&(x=parseFloat(x)*(x.indexOf(B)>-1?t||
s():1)),y&&(y=parseFloat(y)*(y.indexOf(B)>-1?t||s():1)),w.hasquery&&(z&&A||!(z||m>=x)||!(A||
y>=m))||(n[w.media]||(n[w.media]=[]),n[w.media].push(f[w.rules]))}for(var C in
g)g.hasOwnProperty(C)&&g[C]&&g[C].parentNode===j&&j.removeChild(g[C]);for(var D in
n)if(n.hasOwnProperty(D)){var E=c.createElement("style"),F=n[D].join("\n");E.type="text/
css",E.media=D,j.insertBefore(E,o.nextSibling),E.styleSheet?
E.styleSheet.cssText=F:E.appendChild(c.createTextNode(F)),g.push(E)}},v=function(a,b){var
c=w();c&&(c.open("GET",a,!0),c.onreadystatechange=function(){4!==c.readyState||200!
==c.status&&304!==c.status||b(c.responseText)},4!==c.readyState&&c.send(null))},w=function()
{var b=!1;try{b=new a.XMLHttpRequest}catch(c){b=new a.ActiveXObject("Microsoft.XMLHTTP")}
return function(){return b}}();n(),b.update=n,a.addEventListener?
a.addEventListener("resize",x,!1):a.attachEvent&&a.attachEvent("onresize",x)}})(this);
7

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.plugins.datatables

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/
High
datatables/datatables.js, line 12 (Potentially Banned License: GPL)
Issue Details
Kingdom: Unknown - Custom Issue
Scan Engine: SCA (Structural)

Sink Details
Sink: Comment
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/datatables/datatables.js:12
Taint Flags:
9 * Included libraries:
10 * JSZip 2.5.0, pdfmake 0.1.18, DataTables 1.10.10, AutoFill 2.1.0, Buttons 1.1.0, Column
visibility 1.1.0, Flash export 1.1.0, HTML5 export 1.1.0, Print view 1.1.0, ColReorder 1.3.0,
FixedColumns 3.2.0, FixedHeader 3.1.0, Responsive 2.0.0, RowReorder 1.1.0, Scroller 1.4.0,
Select 1.1.0
11 */
12
13 /*!
14
15 JSZip - A Javascript class for generating and reading zip files

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/

High
datatables/datatables.min.js, line 14 (Potentially Banned License: GPL)
Issue Details

Oct 5, 2018, 5:40 PM 124

Kingdom: Unknown - Custom Issue

Scan Engine: SCA (Structural)

Sink Details
Sink: Comment
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/datatables/datatables.min.js:14
Taint Flags:
11 */
12
13 /*!
14
15 JSZip - A Javascript class for generating and reading zip files
16 <http://stuartk.com/jszip>
17

Package: Code.Sampoerna.Credit Life.5th Scan.

20181005_CLS.CLS.obj.Release.Package.PackageTmp.assets.apps.scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/
PackageTmp/assets/apps/scripts/jquery.numeric_input.min.js, line 1 (Potentially High
Banned License: GPL)
Issue Details
Kingdom: Unknown - Custom Issue
Scan Engine: SCA (Structural)

Sink Details
Sink: Comment
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/assets/apps/scripts/
jquery.numeric_input.min.js:1
Taint Flags:
1 /*
2 * jQuery Numeric Input - v0.1.3 - 2013-08-27
3 * https://github.com/manuelvanrijn/jquery-numeric_input
4 * Copyright (c) 2013 Manuel van Rijn
5 * Licensed MIT, GPL
6 */
7 (function(e,t,n,r){var i=function(t,n){this.elem=t,this.
$elem=e(t),this.options=n};i.prototype={init:function(){var
t=this;t.options=e.extend({},e.fn.numeric_input.defaults,t.options),t.
$elem.keypress(function(e){t.preventDefaultForKeyCode(e.which)===!0&&e.preventDefault();var
n=t.getNewValueForKeyCode(e.which,t.$elem.val());n!==!1&&t.
$elem.val(n)}),t.options.parseOnBlur===!0&&t.$elem.blur(function(e){var n=t.parseValue(t.
$elem.val());t.$elem.val(n)});if(t.options.initialParse===!0){var n=t.parseValue(t.
$elem.val());t.$elem.val(n)}return t},preventDefaultForKeyCode:function(e)
{if(e>=48&&e<=57)return!1;switch(e){case 0:case 8:case 9:case 35:case 36:case 37:case 39:case
144:return!1;default:return!0}},getNewValueForKeyCode:function(t,n){if(t===44||t===46||

Oct 5, 2018, 5:40 PM 125

© Copyright 2016 Hewlett Packard Enterprise Development LP
Potentially Banned License: GPL High
Package: Code.Sampoerna.Credit Life.5th Scan.
20181005_CLS.CLS.obj.Release.Package.PackageTmp.assets.apps.scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/
PackageTmp/assets/apps/scripts/jquery.numeric_input.min.js, line 1 (Potentially High
Banned License: GPL)
t===188||t===190)if(n.indexOf(this.options.decimal)===-1)return
e.trim(n)===""&&this.options.leadingZeroCheck&&(n="0"),n+this.options.decimal;return
t===45&&this.options.allowNegative&&n.charAt(0)!=="-"?"-"+n:!1},parseValue:function(e){var t=!
1,n=e.replace(/[A-Za-z$]/g,"");n.indexOf("-")!==-1&&(n=n.replace("-",""),t=!
0);if(n.indexOf(".")!==-1||n.indexOf(",")!
==-1)n=n.replace(".",this.options.decimal),n=n.replace(",",this.options.decimal);return
n.indexOf(this.options.decimal)===0&&(n="0"+n),t===!0&&this.options.allowNegative===!
0&&(n="-"+n),n}},e.fn.numeric_input=function(t){return this.each(function()
{e.data(this,"numeric_input")||e.data(this,"numeric_input",(new
i(this,t)).init())})},e.fn.numeric_input.defaults={decimal:",",leadingZeroCheck:!
0,initialParse:!0,parseOnBlur:!0,allowNegative:!1}})(jQuery,window,document);

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.packages.jQuery.

1.10.2.Content.Scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/packages/jQuery.1.10.2/
High
Content/Scripts/jquery-1.10.2-vsdoc.js, line 2 (Potentially Banned License: GPL)
Issue Details
Kingdom: Unknown - Custom Issue
Scan Engine: SCA (Structural)

Sink Details
Sink: Comment
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/packages/jQuery.1.10.2/Content/Scripts/jquery-1.10.2-vsdoc.js:
2
Taint Flags:
1 /* NUGET: BEGIN LICENSE TEXT
2 *
3 * Microsoft grants you the right to use these script files for the sole
4 * purpose of either: (i) interacting through your browser with the Microsoft
5 * website or online service, subject to the applicable licensing or use
6 * terms; or (ii) using the files as included with a Microsoft product subject
7 * to that product's license terms. Microsoft reserves all other rights to the

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.packages.jQuery.1.10.2.Tools

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/packages/jQuery.1.10.2/
High
Tools/jquery-1.10.2.intellisense.js, line 0 (Potentially Banned License: GPL)
Issue Details
Kingdom: Unknown - Custom Issue
Scan Engine: SCA (Structural)

Sink Details
Sink: Comment

Oct 5, 2018, 5:40 PM 126

© Copyright 2016 Hewlett Packard Enterprise Development LP
Potentially Banned License: GPL High
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.packages.jQuery.1.10.2.Tools
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/packages/jQuery.1.10.2/
High
Tools/jquery-1.10.2.intellisense.js, line 0 (Potentially Banned License: GPL)

File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/packages/jQuery.1.10.2/Tools/jquery-1.10.2.intellisense.js:0

Taint Flags:
1 /* NUGET: BEGIN LICENSE TEXT
2 *
3 * Microsoft grants you the right to use these script files for the sole
4 * purpose of either: (i) interacting through your browser with the Microsoft
5 * website or online service, subject to the applicable licensing or use
6 * terms; or (ii) using the files as included with a Microsoft product subject
7 * to that product's license terms. Microsoft reserves all other rights to the

Oct 5, 2018, 5:40 PM 127

PAN9 EDU210 Lab 14
No ratings yet
PAN9 EDU210 Lab 14
12 pages
BurpSuite Bootcamp v1
100% (1)
BurpSuite Bootcamp v1
111 pages
Webgoat DeveloperWorkbook
No ratings yet
Webgoat DeveloperWorkbook
279 pages
Report Sast Riches 1.0
No ratings yet
Report Sast Riches 1.0
264 pages
dqs_backend-code-scan-v1.0.0 26NOV2024 DeveloperWorkbook
No ratings yet
dqs_backend-code-scan-v1.0.0 26NOV2024 DeveloperWorkbook
39 pages
SCAN RESULTS GRP CPE Mikrotik RF1510617
No ratings yet
SCAN RESULTS GRP CPE Mikrotik RF1510617
10 pages
PAN9 EDU210 Lab 12
No ratings yet
PAN9 EDU210 Lab 12
29 pages
Accredited Configuration Engineer (ACE) Exam - PAN-OS 7.0 Version
No ratings yet
Accredited Configuration Engineer (ACE) Exam - PAN-OS 7.0 Version
12 pages
Test LAB
No ratings yet
Test LAB
41 pages
Lab 10 Blocking Threats Using Custom Applications
No ratings yet
Lab 10 Blocking Threats Using Custom Applications
29 pages
008 1+OWASP+top+10
No ratings yet
008 1+OWASP+top+10
23 pages
PAN ACE7.0 100% Pass
87% (31)
PAN ACE7.0 100% Pass
112 pages
Lab 7 Blocking Threats From Known-Bad Sources
No ratings yet
Lab 7 Blocking Threats From Known-Bad Sources
88 pages
Lab 6 Blocking Packet and Protocol Based Attacks
No ratings yet
Lab 6 Blocking Packet and Protocol Based Attacks
48 pages
PAN9 EDU210 Lab 9
No ratings yet
PAN9 EDU210 Lab 9
24 pages
Getting Started BIG-IP Part2 AppDelivery Lab Guide PDF
No ratings yet
Getting Started BIG-IP Part2 AppDelivery Lab Guide PDF
23 pages
Palo Alto Networks - Edu-210: Document Version
No ratings yet
Palo Alto Networks - Edu-210: Document Version
31 pages
Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 7.0 Version
No ratings yet
Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 7.0 Version
9 pages
NDG Forensicsv2 Lab 03
No ratings yet
NDG Forensicsv2 Lab 03
52 pages
PAN9 EDU210 Lab 10
No ratings yet
PAN9 EDU210 Lab 10
61 pages
PAN-OS 8.0 ACE Exam
100% (3)
PAN-OS 8.0 ACE Exam
10 pages
Lab 12 Blocking Unknown Malware With Wildfire
No ratings yet
Lab 12 Blocking Unknown Malware With Wildfire
21 pages
Icc
No ratings yet
Icc
14 pages
Threat Intel Roundup OpenVPN eBPF AsyncRAT OpenSea
No ratings yet
Threat Intel Roundup OpenVPN eBPF AsyncRAT OpenSea
16 pages
Carbon SOCD Review Log Sprint 3: Revision History
No ratings yet
Carbon SOCD Review Log Sprint 3: Revision History
40 pages
0d1n Web Hacking Tool
No ratings yet
0d1n Web Hacking Tool
20 pages
VA Supporting Report
No ratings yet
VA Supporting Report
12 pages
TB3180 LIN Analyzer Library Demo 90003180A
No ratings yet
TB3180 LIN Analyzer Library Demo 90003180A
8 pages
Owasp 2021 Ebook
100% (1)
Owasp 2021 Ebook
15 pages
Ethical Hacking Lab 13
No ratings yet
Ethical Hacking Lab 13
31 pages
Vlab Demo - Using ASM For Web Vulnerabilities - v12.0.C PDF
No ratings yet
Vlab Demo - Using ASM For Web Vulnerabilities - v12.0.C PDF
22 pages
connectivity-fast-connect-201
No ratings yet
connectivity-fast-connect-201
50 pages
Lab2Modulo2 FullReport
No ratings yet
Lab2Modulo2 FullReport
342 pages
Lab 1 Creating A Zero Trust Environment PDF
No ratings yet
Lab 1 Creating A Zero Trust Environment PDF
24 pages
Website Vulnerability Scanner Report (Light)
No ratings yet
Website Vulnerability Scanner Report (Light)
3 pages
Lecture 3 - Application Server Attacks
No ratings yet
Lecture 3 - Application Server Attacks
38 pages
Va-Pre & Post Vulnerability Scan - JK
No ratings yet
Va-Pre & Post Vulnerability Scan - JK
36 pages
Palo Alto Networks Edu-210: Document Version
No ratings yet
Palo Alto Networks Edu-210: Document Version
38 pages
Pci Vulnerability Report
No ratings yet
Pci Vulnerability Report
310 pages
(pub)TBHM App v1
No ratings yet
(pub)TBHM App v1
64 pages
Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 7.0 Version
No ratings yet
Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 7.0 Version
13 pages
Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 7.0 Version
No ratings yet
Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 7.0 Version
13 pages
PAN9 EDU210 Lab 11
No ratings yet
PAN9 EDU210 Lab 11
20 pages
VLab Demo - Using ASM For Web Vulnerabilities - V12.0.0.01
No ratings yet
VLab Demo - Using ASM For Web Vulnerabilities - V12.0.0.01
21 pages
test (2)
No ratings yet
test (2)
87 pages
Requiem For A Vuln: What We Learned From Log4Shell and What Comes Next
No ratings yet
Requiem For A Vuln: What We Learned From Log4Shell and What Comes Next
33 pages
Netscout University - Lab - Router Profiled Automatic Threshold Configuration
No ratings yet
Netscout University - Lab - Router Profiled Automatic Threshold Configuration
6 pages
Phase2 Security Report
No ratings yet
Phase2 Security Report
64 pages
Palo Alto Networks Edu-210: Document Version
No ratings yet
Palo Alto Networks Edu-210: Document Version
31 pages
ISO27k Information Security Risk Assessment
100% (1)
ISO27k Information Security Risk Assessment
191 pages
PentestTools WebsiteScanner Report
No ratings yet
PentestTools WebsiteScanner Report
4 pages
Website_Penetration_pentester2_10.0.2.0_2024-02-20-14_33_36
No ratings yet
Website_Penetration_pentester2_10.0.2.0_2024-02-20-14_33_36
6 pages
Lab 12 Configuring HIP For Global Protect
No ratings yet
Lab 12 Configuring HIP For Global Protect
35 pages
PAN9 EDU210 Lab 7
No ratings yet
PAN9 EDU210 Lab 7
31 pages
Vmware Vsphere 6.7: Optimize and Scale: Document Version
No ratings yet
Vmware Vsphere 6.7: Optimize and Scale: Document Version
24 pages
solidprof
No ratings yet
solidprof
24 pages
Experiment 06: WWW - Oxid.it/cain - HTML
No ratings yet
Experiment 06: WWW - Oxid.it/cain - HTML
8 pages
Palo Alto Lab Guide Net Dev Group
No ratings yet
Palo Alto Lab Guide Net Dev Group
23 pages
Pan8 Cybersecurity Essentials Lab 2: Configuring Authentication
No ratings yet
Pan8 Cybersecurity Essentials Lab 2: Configuring Authentication
23 pages
The Antivirus Hacker's Handbook
From Everand
The Antivirus Hacker's Handbook
Joxean Koret
No ratings yet
Assignment - TA Ops Role
No ratings yet
Assignment - TA Ops Role
2 pages
1z0-819_3
No ratings yet
1z0-819_3
47 pages
Accelerating Your Aws Journey:: Migration & Modernization Ebook
No ratings yet
Accelerating Your Aws Journey:: Migration & Modernization Ebook
16 pages
Program Example 15 Control Arrays 1: Objectives
No ratings yet
Program Example 15 Control Arrays 1: Objectives
3 pages
DevOps UNIT 5
No ratings yet
DevOps UNIT 5
19 pages
OCA Java SE 8 Programmer I Certification Guide 1st Edition Mala Gupta All Chapters Instant Download
100% (1)
OCA Java SE 8 Programmer I Certification Guide 1st Edition Mala Gupta All Chapters Instant Download
65 pages
WORK - MD04 - Requirement List
No ratings yet
WORK - MD04 - Requirement List
13 pages
Cucumber JMeter MCQ AD
No ratings yet
Cucumber JMeter MCQ AD
11 pages
Employee Leave Management System
No ratings yet
Employee Leave Management System
60 pages
XPCE/Prolog Course Notes: VU University Amsterdam University of Amsterdam
No ratings yet
XPCE/Prolog Course Notes: VU University Amsterdam University of Amsterdam
51 pages
Chapter Sixteen: An Introduction To Agile Project Management
No ratings yet
Chapter Sixteen: An Introduction To Agile Project Management
25 pages
CS 606 Skill Dev Lab - 7TO 10 - 1648109707
No ratings yet
CS 606 Skill Dev Lab - 7TO 10 - 1648109707
12 pages
Goods Service Tax (GST) For Super Market Project Documentation
No ratings yet
Goods Service Tax (GST) For Super Market Project Documentation
55 pages
Lab Assignments - 03 DS - 240919 - 215212
No ratings yet
Lab Assignments - 03 DS - 240919 - 215212
10 pages
Introduction To Database Chap - 1
No ratings yet
Introduction To Database Chap - 1
34 pages
Chapter2 P2
No ratings yet
Chapter2 P2
39 pages
SPI 2304 Mobile Application Development Year III Semester I
No ratings yet
SPI 2304 Mobile Application Development Year III Semester I
4 pages
04-The Conversion API
No ratings yet
04-The Conversion API
6 pages
Project Quantity Sheet (PQS) Guidance Document
No ratings yet
Project Quantity Sheet (PQS) Guidance Document
28 pages
Assignment SystemCall Hk251
No ratings yet
Assignment SystemCall Hk251
21 pages
Assembly Code Example: Selection Sort
No ratings yet
Assembly Code Example: Selection Sort
12 pages
IOS - Naming Convention
No ratings yet
IOS - Naming Convention
27 pages
Moodle Pros and Cons
No ratings yet
Moodle Pros and Cons
2 pages
PLUS+1 Connect User Guide
No ratings yet
PLUS+1 Connect User Guide
57 pages
Introductory Lecture
No ratings yet
Introductory Lecture
30 pages
TM04 Producing Basic Server-Side Scrip For Dynamic Web Page
100% (1)
TM04 Producing Basic Server-Side Scrip For Dynamic Web Page
90 pages
Nested Tables in Adobe Forms
No ratings yet
Nested Tables in Adobe Forms
18 pages
Source Code
No ratings yet
Source Code
6 pages
Xamarin Forms
No ratings yet
Xamarin Forms
34 pages
pe2 systemdesignlinux
No ratings yet
pe2 systemdesignlinux
2 pages