1 reply Latest Post - ‏2014-07-15T18:56:07Z by warrenm1
LindseyCheng

Cross-Site scripting issue - false positive?

‏2014-07-09T09:04:24Z |

Hi,

I am running the AppScan Standard 8.8.0.0 version, and getting the below security issue on a WebGUI console. The text in yellow is being highlighted as a possible issue in the test response.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
Cross-Site Scripting
Severity: High
Entity: newObjPopup (Parameter) 
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection

Raw Test Response:

HTTP/1.1 200 OK
X-DataPower-Server-Parsed: true
Server: 
Content-type: text/html
Via: 1.0 web-mgmt
Warning: 214 web-mgmt DataPower Transformation Applied
Connection: Keep-Alive
Date: Thu, 03 Jul 2014 05:39:05 GMT
Transfer-Encoding: chunked
x-ua-compatible: IE=8
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
...
...
                                
                                skipNav=
                                true
                                newObjPopup=
                                true>+ACJ-+AD4APB-SCRIPT/TYPE=TEXT/VBSCRIPT+AD7-MSGBOX(123)+AA0APB-/SCRIPT+AD7-
                                newObjPopupInput=
                                input_UniversalPacketCaptureDebug.VLANInterface
                                editObjPopup=

-----------------------------------------------------------------------------------------------------------------------------------------------------------------

The test result seems to indicate a vulnerability because AppScan successfully embedded a UTF-7 encoded script in the response.

However, I manually embedded the UTF-7 script that AppScan embedded, but the script does not execute because our content is defined as UTF-8. 

I was using Firefox 3.6/IE 8, and set the Character Encoding as "Auto-Detect" on the browsers. What I observed is that the browsers didn't treat the embedded text as UTF-7 encoding, so the attack didn't work on them.

Would you please check if this issue is a false positive? 

Many thanks.

Updated on 2014-07-09T09:08:24Z at 2014-07-09T09:08:24Z by LindseyCheng
  • warrenm1
    ACCEPTED ANSWER

    Re: Cross-Site scripting issue - false positive?

    ‏2014-07-15T18:56:07Z  in response to LindseyCheng

    It might be a false positive, but without a lot more analysis on how the application works I wouldn't call it definitive. There could be similar/slightly modified attack vectors that could succeed. It's probably best if you open a PMR with IBM support so they can do some further analysis.

     

    Regards,
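
A triage helper for the finding discussed in this thread, added here as an example (it is not code from either poster or from AppScan): it decodes the reflected UTF-7 shift sequences and reports where the response declares its charset. The scanner's sequences carry non-zero padding bits, so the block uses its own lenient decoder; the sample response is constructed from the lines visible in the question, and all function names are hypothetical.

```python
import re

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Constructed sample: header line and reflected value copied from the scan
# response quoted in the question; the elided parts of the body are left out.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-type: text/html\r\n"
    "\r\n"
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    "newObjPopup=\n"
    "true>+ACJ-+AD4APB-SCRIPT/TYPE=TEXT/VBSCRIPT+AD7-MSGBOX(123)+AA0APB-/SCRIPT+AD7-\n"
)

def lenient_utf7_decode(text):
    """Decode +...- shift sequences, discarding leftover padding bits."""
    def shift(match):
        run = match.group(1)
        if not run:
            return "+"  # "+-" is an escaped literal plus sign
        bits = "".join(format(B64.index(c), "06b") for c in run)
        usable = len(bits) // 16 * 16  # keep whole UTF-16 code units only
        if not usable:
            return ""
        raw = int(bits[:usable], 2).to_bytes(usable // 8, "big")
        return raw.decode("utf-16-be", "replace")
    return re.sub(r"\+([A-Za-z0-9+/]*)-?", shift, text)

def declared_charsets(raw):
    """Return the charset named by each kind of declaration, or None."""
    head, _, body = raw.partition("\r\n\r\n")
    checks = {
        "http_header": (head, r'(?im)^content-type:[^\r\n]*charset="?([\w-]+)'),
        "xml_prolog": (body[:256], r'<\?xml[^>]*encoding=["\']([\w-]+)'),
        "meta_tag": (body[:1024], r'(?i)<meta[^>]+charset=["\']?([\w-]+)'),
    }
    hits = {k: re.search(p, t) for k, (t, p) in checks.items()}
    return {k: m.group(1) if m else None for k, m in hits.items()}

def triage(raw):
    """Compare the body as sent with the same body read as UTF-7."""
    body = raw.partition("\r\n\r\n")[2]
    script = re.compile(r"<\s*script\b", re.I)
    return {
        "script_tag_as_sent": bool(script.search(body)),
        "script_tag_if_utf7": bool(script.search(lenient_utf7_decode(body))),
        "charsets": declared_charsets(raw),
    }
```

Calling `triage(SAMPLE)` shows that the reflected value only becomes a script tag when the body is read as UTF-7, and that the visible part of the response names its charset in the XML prolog but not in the `Content-type` header.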