• 1 reply
  • Latest Post - ‏2014-07-15T18:56:07Z by warrenm1
1 Post

Pinned topic Cross-Site scripting issue - false positive?

‏2014-07-09T09:04:24Z |


I am running the AppScan Standard version, and getting the below security issue on a WebGUI console. The text in yellow is being highlighted as a possible issue in the test response.
Cross-Site Scripting
Severity: High
Entity: newObjPopup (Parameter) 
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection

Raw Test Response:

HTTP/1.1 200 OK
X-DataPower-Server-Parsed: true
Content-type: text/html
Via: 1.0 web-mgmt
Warning: 214 web-mgmt DataPower Transformation Applied
Connection: Keep-Alive
Date: Thu, 03 Jul 2014 05:39:05 GMT
Transfer-Encoding: chunked
x-ua-compatible: IE=8
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "">


The test result seems to indicate a vulnerability because Appscan successfully embedded a utf-7 encoded script in the response.

However, I manually embedded the UTF-7 script that AppScan embedded, but the script does not execute because our content is defined as UTF-8. 

I was using Firefox 3.6/IE 8, and set the Character Encoding as "Auto-Detect" on the browsers. What I observed is that the browsers didn't treat the embedded text as UTF-7 encoding, so the attack didn't work on them.

Would you please check if this issue is a false positive? 

Many thanks.

Updated on 2014-07-09T09:08:24Z at 2014-07-09T09:08:24Z by LindseyCheng
  • warrenm1
    224 Posts

    Re: Cross-Site scripting issue - false positive?


    It might be a false positive, but without a lot more analysis on how the application works I wouldn't call it definitive.  There could be similar/slightly modified attack vectors that could succeed.  It's probably best if you open a pmr with IBM support so they can do some further analysis.