Need confirmation for WebGrid to be XSS safe

5 replies. Last post: November 30, 2011 2:44 AM by Handy Surya
Eric (Member)

Hi,

We are using WebGrid version 6.0.7200.220, Intersoft framework version 3.0.5000.771.
An external penetration test found the following issue, which we need to fix.


XML Content injection
Requests to return ***** data via XML are not handled properly by the application. It is possible for an attacker to create a Cross-Site Scripting style request which modifies the content which a user receives in the response from the application.
The more serious possibility of Cross-Site Scripting could not be achieved during testing, chiefly due to the input-filtering of the .NET framework, making this a low risk issue.

Detailed description and Rationale
An AJAX request from the page at the URL *********.aspx back to itself requests XML which is parsed by the client-side JavaScript and then rendered to the page. It is the arguments in this request which can be modified to include XML which is returned in the response. The data must be double URL encoded to make it through to the response; however, this is no problem for an attacker. XSS was not achieved during testing; however, this may be due only to the built-in protection mechanisms of the .NET framework, which is a public target for attackers to devise methods for circumventing, and therefore not a mechanism that the application should rely on for security if possible.

Recommended Countermeasures
Alter the application code that handles the AJAX request to correctly sanitise all inputs of invalid characters and data before returning it to the user's browser.

After asking for more detailed information I got this:

XML injection
The page at *********.aspx accepts user input that is echoed back in the page response, although cross-site scripting was not possible. The fix is to include some server side logic that parses all user controllable input and rejects any unexpected values.

I have no additional information, so I cannot even say which part is responsible. We do not use XML post data in our application, therefore this can only be caused by either of the two controls we are using. One of them is WebGrid.

As you see, we need a confirmation that WebGrid does "correctly sanitise all inputs", maybe even in written form. We cannot verify this ourselves easily without full source code. So can you confirm this for the used WebGrid version? If not, can you confirm that for any later version? If no version supports this yet, can you guarantee that this will be fixed in a future version and guarantee a release date by which it will be fixed?

So what we need would be a confirmation that your control is XSS safe. You might need to consult your management and development departments for a thorough answer.

Thanks,
Eric
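The injection pattern the pentest finding describes, modelled as an added Python example (this is not code from the original post, from the pentest report, or from Intersoft's WebGrid, which is a .NET control). It assumes a handler that reads one request argument, URL-decodes it a second time after the web server has already decoded it once, and echoes the value into an XML fragment that client-side script parses. The `filter` element, the allowlist pattern, and the attacker argument are all constructed for illustration. It shows why the tester needed double URL encoding, how the echoed text becomes an element in the parsed XML, and the two countermeasures the report asks for: rejecting unexpected values on the server, and XML-escaping anything that is echoed back.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote
from xml.sax.saxutils import escape

# Constructed attacker argument. "<", ">" and "/" are URL-encoded twice
# (%3C -> %253C), so one decode still yields harmless text and only a
# second decode inside the application produces raw markup.
DOUBLE_ENCODED_PAYLOAD = "alice%253Cscript%253Ealert(1)%253C%252Fscript%253E"

# Assumed allowlist for the echoed value: word characters, space, dot, dash.
ALLOWED_VALUE = re.compile(r"[\w .-]{1,64}")


def decode_argument(raw: str) -> str:
    """Decode twice, as a handler that re-decodes an already-decoded value would."""
    return unquote(unquote(raw))


def build_response_vulnerable(value: str) -> str:
    """Echo the decoded value verbatim into the XML body (the reported flaw)."""
    return f"<response><filter>{value}</filter></response>"


def build_response_escaped(value: str) -> str:
    """Output encoding only: XML-escape the value so it can never become markup."""
    return f"<response><filter>{escape(value)}</filter></response>"


def validate_argument(value: str) -> bool:
    """Input validation: accept only values matching the assumed allowlist."""
    return ALLOWED_VALUE.fullmatch(value) is not None


def build_response_hardened(value: str) -> str:
    """Both countermeasures: reject unexpected values, then escape what is echoed."""
    if not validate_argument(value):
        raise ValueError("unexpected characters in filter value")
    return build_response_escaped(value)


def injected_element_count(xml_text: str) -> int:
    """Parse the response as the client script would; count child elements
    under <filter>. Anything above zero means user input became markup."""
    root = ET.fromstring(xml_text)
    return len(list(root.find("filter")))


def echoed_text(xml_text: str) -> str:
    """The text the client would read from <filter> after parsing."""
    return ET.fromstring(xml_text).find("filter").text or ""


if __name__ == "__main__":
    once = unquote(DOUBLE_ENCODED_PAYLOAD)
    twice = decode_argument(DOUBLE_ENCODED_PAYLOAD)
    print("single decode :", injected_element_count(build_response_vulnerable(once)), "injected element(s)")
    print("double decode :", injected_element_count(build_response_vulnerable(twice)), "injected element(s)")
    print("escaped       :", injected_element_count(build_response_escaped(twice)), "injected element(s)")
    print("validation    :", "rejected" if not validate_argument(twice) else "accepted")
```

Escaping on its own already keeps the echoed value as text rather than markup; the allowlist in addition removes the attacker's ability to shape the response at all, which is the "rejects any unexpected values" part of the recommendation. A client that then inserts the parsed text with `textContent` rather than `innerHTML` closes the remaining path to script execution.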
