XSS Vulnerability IW 15.2.23

[davidmcevoy@outlook.com]

Hello.  

I have recently had a security scan done on a site I am working on and it is reported that JavaScript can be injected into the page (XSS) as shown below.  I am using IW 15.2.23 at the moment and wonder if there is something I can do to prevent it.

URL:  https://dummydomain.com/

Method: POST

Parameter: IW_SessionID_

Attack: '"<scrIpt>alert(1);</scRipt>

Evidence: '"<scrIpt>alert(1);</scRipt>



URL: https://dummydomain.com/$/callback?c...syncChange

Method: POST

Parameter: IW_SessionID_

Attack: '"<scrIpt>alert(1);</scRipt>
Evidence: '"<scrIpt>alert(1);</scRipt>


Not entirely sure how to test for this on the local SA application so that I can check it has been fixed.

Any advise would be appreciated. XSS is not something I have much experience with.

David.

[davidmcevoy@outlook.com]

Anyone offer any advise please?

I should add I have now downloaded ZAP to test and struggling with it a bit.  I created a fresh basic IW app and did an initial scan and it comes back clean, but a second scan shows the XSS java attack.  Playing around with cookie options in various configurations does seem  to alter the results but inconsistently and I am confused.  Is there a better tool to use that works on SA and localhost?

I have tried latest build out of the box and not had any XSS reported but as I said above, my ZAP results seem inconsistent so not entirely sure if the latest build has fixed this or not.  has there been any changes from 15.2.23 that may have fixed it?  I looked and never noticed anything but I may have missed it.

Ultimately will move to latest build soon anyway.  Can I just simply upgrade IW then rebuild or do I need to do anything else such as opening up and resaving forms etc?

Cheers.

[joelcc]

When we went through our SOC II we did the following.
Set these settings.
1. CheckFormId = true
2. CheckSameUA = true
3. CookieHttpOnly = true
4. CookieSecure = true
5. SessionCookies = true
6. UniqueURL = true
7. UseCookies = true

---

I think what you are really looking for is something like this on the servercontroller for parsing the parameters.

procedure TController.IWServerControllerBaseParseParameter(var AParam: string;
var AllowIt: Boolean; const Index: Integer);
var
n : integer;
begin

//We are going to stop all parameters unless we need to check for a certain param
//https://www.atozed.com/forums/thread-1681.html
if CCAppParams.ApplicationParams.URLStartParams.URLStartParamAllowList <> '' then
begin
Paramcriticalsection.Acquire;
try
for n := 0 to ParamStringList.count-1 do
begin
if (Copy(uppercase(AParam),1,POS('=',uppercase(AParam))-1) = uppercase(ParamStringList[n])) then
begin
AllowIt := True;
exit;
end else
begin
AllowIt := False;
end;
end;
finally
Paramcriticalsection.release;
end;
end else
begin
AllowIt := False;
exit;
end;

// if ContainsText(AParam, '<svg') then
// AllowIt := False;
//
////This fixes an issue with a cross scripting possibility in versions at or prior to 5.2.18 and only with firefox
////https://www.atozed.com/forums/thread-2034.html
// if ContainsText(AParam, 'onbeforescriptexecute') then
// AllowIt := False;

if ((ContainsText(AParam, 'onbeforescriptexecute')) or
(ContainsText(AParam, 'onafterscriptexecute'))) then
AllowIt := False;


end;