Hi,

We are using WebGrid version 6.0.7200.220, Intersoft framework version 3.0.5000.771. An external penetration test found the following issue, which we need to fix.

XML Content injection

Requests to return ***** data via XML are not handled properly by the application. It is possible for an attacker to create a Cross-Site Scripting style request which modifies the content which a user receives in the response from the application. The more serious possibility of Cross-Site Scripting could not be achieved during testing, chiefly due to the input-filtering of the .NET framework, making this a low risk issue.

Detailed description and Rationale

An AJAX request from the page at the URL *********.aspx back to itself requests XML which is parsed by the client-side javascript and then rendered to the page. It is the arguments in this request which can be modified to include XML which is returned in the response. The data must be double URL encoded to make it through to the response, however this is no problem for an attacker. XSS was not achieved during testing, however this may be due only to the built-in protection mechanisms of the .NET framework, which is a public target for attackers to devise methods for circumventing, and therefore not a mechanism that the application should rely on for security if possible.

Recommended Countermeasures

Alter the application code that handles the AJAX request to correctly sanitise all inputs of invalid characters and data before returning it to the user's browser.

XML injection

The page at *********.aspx accepts user input that is echoed back in the page response, although cross-site scripting was not possible. The fix is to include some server side logic that parses all user controllable input and rejects any unexpected values.
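As an added illustration, not code from this thread or from Intersoft's WebGrid, the following C# sketch places the pattern the report describes (a request argument echoed into an XML response, reachable only when double URL encoded) beside the countermeasure it recommends (server-side rejection of unexpected values, with no reliance on framework request filtering). The parameter value, the allow-list pattern and the second `UrlDecode` step are assumptions used to model how a double-encoded value could reach the response.

```csharp
using System;
using System.IO;
using System.Net;
using System.Text.RegularExpressions;
using System.Xml;

static class XmlEchoDemo
{
    // Constructed sample: the value as the server sees it after the framework's
    // single URL decode of a double-encoded argument (hypothetical payload).
    const string DecodedOnce = "%3Cb%3Einjected%3C%2Fb%3E";

    // Vulnerable pattern (assumed): a second decode followed by string
    // concatenation, so the caller's text becomes markup in the XML body.
    static string VulnerableXml(string value)
    {
        string twiceDecoded = WebUtility.UrlDecode(value); // undoes the outer encoding layer
        return "<result><value>" + twiceDecoded + "</value></result>";
    }

    // Hardened pattern: decode only once (the framework already did), reject
    // anything outside the expected shape, and let XmlWriter escape the text node.
    static readonly Regex Expected = new Regex(@"^[A-Za-z0-9_-]{1,64}$");

    static string HardenedXml(string value)
    {
        if (value == null || !Expected.IsMatch(value))
            throw new ArgumentException("unexpected value rejected"); // map to HTTP 400 in a handler

        var sw = new StringWriter();
        var settings = new XmlWriterSettings { OmitXmlDeclaration = true };
        using (var w = XmlWriter.Create(sw, settings))
        {
            w.WriteStartElement("result");
            w.WriteElementString("value", value); // written as text: < > & are entity-encoded
            w.WriteEndElement();
        }
        return sw.ToString();
    }

    static void Main()
    {
        Console.WriteLine(VulnerableXml(DecodedOnce));
        try { HardenedXml(DecodedOnce); }
        catch (ArgumentException e) { Console.WriteLine("rejected: " + e.Message); }
        Console.WriteLine(HardenedXml("row_42"));
    }
}
```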
Hi Eric,
Thank you for your patience. The upcoming WebGrid will eliminate the XSS completely. You can see the following details in our roadmap.
Regards,
Handy
Hello Eric,
Ok, please give us a little time to consult with our developer teams.
Hi Handy,
Your answer sounds a little funny, but the roadmap attachment fully answers my question.
From what is said there: Next release of WebUI Studio 2011 R2 / WebUI Studio for ASP.NET includes WebGrid Enterprise 8 and will come out this month and has "improved security by eliminating XSS exploit through the use of JSON as the control data format".
Let me know if I misunderstood anything.
Thanks,
Eric
Yes, that is correct. However, you would need to understand that you need to upgrade to our WebGrid 8 in order to have this feature. Remember that we have already discontinued support for WebGrid 6.
Hello,
I just want to update the information. Even though WebGrid 8 is not included in this release, we have enhanced the security to eliminate XSS by using JSON. To use this feature, simply set ControlDataTransferFormat to JSon.