Firefox cross-site scripting issue - Printable Version
Atozed Forums (https://www.atozed.com/forums) > Atozed Software > IntraWeb > English > IntraWeb General Discussion
Thread: Firefox cross-site scripting issue (/thread-2034.html)
RE: Firefox cross-site scripting issue - joelcc - 10-27-2020

After blocking the above issue I had another finding and decided to block the <xss tag with

    if (ContainsText(AParam, '<xss')) then AllowIt := False;

Doing this stops the following:

https://somesite.com/providers/IsProviderConnection.dll//$/callback?callback=whs%22%3E%3Cxss%20onmousemove%3d%22alert``%22%3etest%3c%2fxss%3e

I guess it should be added to the list of things to block by default, so I am posting it here.

RE: Firefox cross-site scripting issue - joelcc - 11-11-2020

I am adding to this thread so everyone has the final update. Since there is a large list of cross-site scripting vectors (see https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) that "according to the testing company" can be used against a website through parameters, I ended up blocking all of the parameters via the servercontroller->OnParseParameter event. I then wrote code to handle the params that I did want to allow. This passed the security audit checks, so I am moving on.
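Added illustration of the two approaches in the thread; this is not the poster's code and not IntraWeb's API, and it is written in Python so it runs on its own. `blocklist_allows` models the case-insensitive `ContainsText(AParam, '<xss')` check from the October post, and `filter_query` models the November post's deny-by-default approach: every parameter is dropped unless its name is in an allowlist and its value passes that name's validator. The parameter names `callback` and `id`, their validators, and the rule that a JSONP callback must be a bare (optionally dotted) identifier are assumptions made for the demo; the URL is the one quoted in the thread, with the poster's placeholder host.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed input: the URL quoted in the thread (somesite.com is the poster's placeholder host).
ATTACK_URL = (
    "https://somesite.com/providers/IsProviderConnection.dll//$/callback"
    "?callback=whs%22%3E%3Cxss%20onmousemove%3d%22alert``%22%3etest%3c%2fxss%3e"
)


def blocklist_allows(value: str) -> bool:
    """The October post's substring check, modelled on Delphi's case-insensitive ContainsText.

    Returns True when the value would be let through."""
    return "<xss" not in value.lower()


# Deny-by-default allowlist (assumed for the demo): parameter name -> validator for its value.
# Names not listed here are dropped regardless of content.
# A JSONP callback name must be a bare, optionally dotted, identifier, so quotes,
# angle brackets and spaces can never reach the response body.
_IDENT = r"[A-Za-z_$][A-Za-z0-9_$]*"
CALLBACK_RE = re.compile(rf"{_IDENT}(?:\.{_IDENT})*")

ALLOWED_PARAMS = {
    "callback": lambda v: len(v) <= 64 and CALLBACK_RE.fullmatch(v) is not None,
    "id": lambda v: 0 < len(v) <= 10 and v.isdigit(),
}


def filter_query(query: str):
    """Split a raw query string and keep only allowlisted, well-formed parameters.

    Returns (accepted: dict of name -> decoded value, rejected: list of names)."""
    accepted, rejected = {}, []
    for name, value in parse_qsl(query, keep_blank_values=True):
        check = ALLOWED_PARAMS.get(name)
        if check is None or not check(value):
            rejected.append(name)
        else:
            accepted[name] = value
    return accepted, rejected


def filter_url(url: str):
    """Apply filter_query to the query part of a full URL."""
    return filter_query(urlsplit(url).query)


def decoded_callback(url: str) -> str:
    """Return the percent-decoded callback value exactly as the server-side code would see it."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    return params.get("callback", "")


if __name__ == "__main__":
    payload = decoded_callback(ATTACK_URL)
    print("decoded payload:", payload)
    print("blocklist lets it through:", blocklist_allows(payload))
    # A vector without the "<xss" substring slips past the blocklist ...
    other = '"><img src=x onerror=alert(1)>'
    print("blocklist lets the img vector through:", blocklist_allows(other))
    # ... but neither survives the allowlist, while well-formed input does.
    print("allowlist:", filter_url(ATTACK_URL))
    print("allowlist:", filter_query("callback=" + other))
    print("allowlist (benign):", filter_query("callback=jQuery123_cb&id=42&debug=1"))
```

The point the second post makes is visible in the output: the substring check stops the `<xss` payload but nothing else on the cheat sheet, whereas the allowlist never has to know what an attack looks like, only what a valid `callback` or `id` looks like. In an IntraWeb handler the same decision would be made where the poster's `AParam`/`AllowIt` check lives, setting the allow flag only for names in the table whose value passes its validator.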