<?xml version="1.0" encoding="utf-8"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:media="http://search.yahoo.com/mrss/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0"><channel><title>Intersoft Community - WebGrid Enterprise - Need confirmation for WebGrid to be XSS safe</title><link>http://www.intersoftsolutions.com/Community/WebGrid/Need-confirmation-for-WebGrid-to-be-XSS-safe/</link><description /><generator>http://www.intersoftsolutions.com</generator><language>en</language><copyright>Copyright 2002 - 2015 Intersoft Solutions Corp. All rights reserved.</copyright><ttl>60</ttl><item><title>Need confirmation for WebGrid to be XSS safe</title><link>http://www.intersoftsolutions.com/Community/WebGrid/Need-confirmation-for-WebGrid-to-be-XSS-safe/</link><pubDate>Wed, 30 Nov 2011 02:44:21 GMT</pubDate><dc:creator>handy@intersoftpt.com</dc:creator><category>WebGrid</category><category>XSS</category><category>cross-site scripting</category><category>penetration test</category><category>pentest</category><category>pen-test</category><description>&lt;p&gt;Hello,&lt;/p&gt;&lt;p&gt;I just want to update the information. Even though WebGrid 8 is not included in this release, we have enhanced the security to eliminate XSS by using JSON. To use this feature, simply set ContolDataTransferFormat to JSon.&lt;/p&gt;
&lt;p&gt;Regards,&lt;br /&gt;Handy&lt;/p&gt;</description></item><item><title>Need confirmation for WebGrid to be XSS safe</title><link>http://www.intersoftsolutions.com/Community/WebGrid/Need-confirmation-for-WebGrid-to-be-XSS-safe/</link><pubDate>Tue, 13 Sep 2011 00:40:14 GMT</pubDate><dc:creator>handy@intersoftpt.com</dc:creator><category>WebGrid</category><category>XSS</category><category>cross-site scripting</category><category>penetration test</category><category>pentest</category><category>pen-test</category><description>&lt;p&gt;Hi Eric,&lt;/p&gt;&lt;p&gt;Yes, that is correct. However, you would need to understand that you need to upgrade to our WebGrid 8 in order to have this feature. Remember that we have already discontinued support for WebGrid 6.&lt;/p&gt;
&lt;p&gt;Regards,&lt;br /&gt;Handy&lt;/p&gt;</description></item><item><title>Need confirmation for WebGrid to be XSS safe</title><link>http://www.intersoftsolutions.com/Community/WebGrid/Need-confirmation-for-WebGrid-to-be-XSS-safe/</link><pubDate>Mon, 12 Sep 2011 06:29:00 GMT</pubDate><dc:creator>Eric</dc:creator><category>WebGrid</category><category>XSS</category><category>cross-site scripting</category><category>penetration test</category><category>pentest</category><category>pen-test</category><description>&lt;p&gt;Hi Handy,&lt;/p&gt;&lt;p&gt;Your answer sounds a little funny, but the roadmap attachment fully answers my question.&lt;/p&gt;
&lt;p&gt;From what is said there: Next release of WebUI Studio 2011 R2 / WebUI Studio for ASP.NET includes WebGrid Enterprise 8 and will come out this month and has "improved security by eliminating XSS exploit through the use of JSON as the control data format".&lt;/p&gt;
&lt;p&gt;Let me know if I misunderstood anything.&lt;br /&gt;&lt;/p&gt;
&lt;p&gt;Thanks,&lt;/p&gt;
&lt;p&gt;Eric&lt;/p&gt;</description></item><item><title>Need confirmation for WebGrid to be XSS safe</title><link>http://www.intersoftsolutions.com/Community/WebGrid/Need-confirmation-for-WebGrid-to-be-XSS-safe/</link><pubDate>Sun, 11 Sep 2011 23:20:01 GMT</pubDate><dc:creator>handy@intersoftpt.com</dc:creator><category>WebGrid</category><category>XSS</category><category>cross-site scripting</category><category>penetration test</category><category>pentest</category><category>pen-test</category><description>&lt;p /&gt;&lt;p&gt;Hi Eric,&lt;/p&gt;
&lt;p&gt;Thank you for your patience. The upcoming WebGrid will eliminate the XSS completely. You can see the following details in our roadmap. &lt;/p&gt;
&lt;p&gt;Regards,&lt;br /&gt;Handy&lt;/p&gt;
&lt;p /&gt;</description></item><item><title>Need confirmation for WebGrid to be XSS safe</title><link>http://www.intersoftsolutions.com/Community/WebGrid/Need-confirmation-for-WebGrid-to-be-XSS-safe/</link><pubDate>Fri, 09 Sep 2011 04:05:12 GMT</pubDate><dc:creator>handy@intersoftpt.com</dc:creator><category>WebGrid</category><category>XSS</category><category>cross-site scripting</category><category>penetration test</category><category>pentest</category><category>pen-test</category><description>&lt;p&gt;Hello Eric,&lt;/p&gt;&lt;p&gt;Ok, please give us a little time to consult with our developer teams.&lt;/p&gt;
&lt;p&gt;Regards,&lt;br /&gt;Handy&lt;/p&gt;</description></item><item><title>Need confirmation for WebGrid to be XSS safe</title><link>http://www.intersoftsolutions.com/Community/WebGrid/Need-confirmation-for-WebGrid-to-be-XSS-safe/</link><pubDate>Thu, 08 Sep 2011 06:20:10 GMT</pubDate><dc:creator>Eric</dc:creator><category>WebGrid</category><category>XSS</category><category>cross-site scripting</category><category>penetration test</category><category>pentest</category><category>pen-test</category><description>&lt;p&gt;Hi,&lt;br /&gt;&lt;br /&gt;We are using WebGrid version 6.0.7200.220, Intersoft framework version 3.0.5000.771.&lt;br /&gt;An external penetration test found the following issue, which we need to fix.&lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;blockquote style="padding-left: 10px; margin: 0px 0px 0px 5px; border-left: 1px solid rgb(204, 204, 204);"&gt;&lt;strong&gt;XML Content injection&lt;/strong&gt;&lt;br /&gt;Requests to return ***** data via XML are not handled properly by the application. It is possible for an attacker to create a Cross-Site Scripting style request which modifies the content which a user receives in the response from the application.&lt;br /&gt;The more serious possibility of Cross-Site Scripting could not be achieved during testing, chiefly due to the input-filtering of the .NET framework, making this a low risk issue.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Detailed description and Rationale&lt;/strong&gt;&lt;br /&gt;An AJAX request from the page at the URL *********.aspx back to itself requests XML which is parsed by the client-side javascript and then rendered to the page. It is the arguments in this request which can be modified to include XML which is returned in the response. The data must be double URL encoded to make it through to the response, however this is no problem for an attacker. 
XSS was not achieved during testing, however this may be due only to the built-in protection mechanisms of the .NET framework, which is a public target for attackers to devise methods for circumventing, and therefore not a mechanism that the application should rely on for security if possible.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Recommended Countermeasures&lt;/strong&gt;&lt;br /&gt;Alter the application code that handles the AJAX request to correctly sanitise all inputs of invalid characters and data before returning it to the user's browser.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;After asking for more detailed information I got this:&lt;br /&gt;&lt;br /&gt;&lt;blockquote style="padding-left: 10px; margin: 0px 0px 0px 5px; border-left: 1px solid rgb(204, 204, 204);"&gt;&lt;strong&gt;XML injection&lt;/strong&gt;&lt;br /&gt;The page at *********.aspx accepts user input that is echoed back in the page response, although cross-site scripting was not possible. The fix is to include some server side logic that parses all user controllable input and rejects any unexpected values.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;I have no additional information, so I cannot even say which part is responsible. We do not use XML post data in our application, therefore this can only be caused by either of the two controls we are using. One of them is WebGrid.&lt;br /&gt;&lt;br /&gt;As you see, we need a confirmation that WebGrid does &lt;em&gt;"correctly sanitise all inputs"&lt;/em&gt;, maybe even in written form. We cannot verify this ourselves easily without full source code. So can you confirm this for the used WebGrid version? If no, can you confirm that for any later version? If no version supports this yet, can you guarantee that this will be fixed in any future version and guarantee a release date by which this will get fixed?&lt;br /&gt;&lt;br /&gt;So what we need would be a confirmation that your control is XSS safe. 
You might need to consult your management and development departments for a thorough answer.&lt;br /&gt;&lt;br /&gt;Thanks,&lt;br /&gt;Eric&lt;br /&gt;&lt;br /&gt;</description></item></channel></rss>