XSS vulnerability - manually edited URL

Hi,

I have a query around a Cross Site Scripting vulnerability highlighted recently, where a URL of a web application is vulnerable to multiple reflected XSS attacks.

An example of the url is as follows

https://<domain>/<application>/?__AJAX=<svg/onload=alert(document.domain)>

The URL has been manually edited to include the __AJAX statement, overriding any parameters that might exist

On older browsers this will result in an Alert displaying the domain name (screen shot attached which has been edited).

Looking at XSS material on the OutSystems site, we are recommended to use the Encode functions available on the platform, validate input, etc., much of which we already do.

However in this instance, I am struggling to see how we can use these functions here, or how else we can catch and validate this input effectively.

Any suggestions or advice would be greatly appreciated.

We are on version 9.1.501 using the Java Stack in the Cloud.

Note: some of the modern browsers identify potential XSS attacks and amend the URL – we recreated this on Firefox, which doesn’t.

Thanks

Neil


Solution

Hello Neil,

That XSS vulnerability has been fixed in 9.1.605.0.

"It was possible to perform JavaScript injection in platform web screens in some scenarios  (#1520939)"

I suggest you update your platform to the latest 9.1 revision patch to benefit from that fix and all others we've released.

In that scenario the error stack should also not be displayed. I'll report this internally in order to be fixed in a future revision patch.

Thank you,

Best Regards,

Solution

Filipe Rodrigues wrote:

Hello Neil,

That XSS vulnerability has been fixed in 9.1.605.0.

"It was possible to perform JavaScript injection in platform web screens in some scenarios  (#1520939)"

I suggest you update your platform to the latest 9.1 revision patch to benefit from that fix and all others we've released.

In that scenario the error stack should also not be displayed. I'll report this internally in order to be fixed in a future revision patch.

Thank you,

Best Regards,

Hi Filipe, thank you for the quick response. Your help is appreciated.

I did wonder if later upgrades would resolve this issue, but hadn't looked at the release notes as yet. We are looking at an overall upgrade at some point in the near future, so it should be resolved then.

Best regards

Neil



Hi Neil,


For XSS vulnerabilities please check the following document:

https://success.outsystems.com/Support/Enterprise_Customers/Maintenance_and_Operations/How_OutSystems_Platform_helps_you_develop_secure_applications


And in particular:

Protecting OutSystems apps from code injection / Cross Site Scripting attacks


Cross Site Scripting (XSS) occurs when there is an attempt to send untrusted data into the web browser (renderer). There is no single way or setting to prevent this; it is something that your application must prevent everywhere.
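As an added illustration of the "encode on output" advice in this answer (not OutSystems code, and not the platform's Encode functions themselves), the following Python script takes a constructed URL shaped like the one in the question, reflects the `__AJAX` parameter into a hypothetical page template both verbatim and HTML-entity-encoded, and then checks which element names the HTML parser would see in each case. Only the encoded rendering keeps the page's tag set unchanged; the host name, template and function names are assumptions made for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample request, shaped like the URL in the question.
# The host is a placeholder; the query carries the same reflected-XSS probe.
SAMPLE_URL = "https://example.invalid/app/?__AJAX=<svg/onload=alert(document.domain)>"

# Hypothetical page template that echoes one request parameter as element content.
PAGE_TEMPLATE = "<html><body><p>Request: {value}</p></body></html>"
TEMPLATE_TAGS = {"html", "body", "p"}


def reflected_param(url: str, name: str = "__AJAX") -> str:
    """Return the first value of query parameter `name`, or '' when absent."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get(name, [""])[0]


def render_unsafe(value: str) -> str:
    """Echo the parameter verbatim: the vulnerable pattern, kept for comparison."""
    return PAGE_TEMPLATE.format(value=value)


def render_encoded(value: str) -> str:
    """HTML-entity-encode the parameter before placing it in element content.

    Generic equivalent of the 'encode on output' advice (assumed helper, not the
    OutSystems Encode function). Correct for element content; attribute, URL and
    JavaScript contexts need their own context-specific encoding.
    """
    return PAGE_TEMPLATE.format(value=html.escape(value, quote=True))


class _TagCollector(HTMLParser):
    """Record the name of every start tag the browser-side parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.tags.append(tag)


def foreign_tags(rendered: str) -> set[str]:
    """Tag names in the rendered page that the template did not put there.

    A non-empty result means untrusted input reached the HTML parser as markup,
    which is the condition a regression test for this bug should fail on.
    """
    collector = _TagCollector()
    collector.feed(rendered)
    return set(collector.tags) - TEMPLATE_TAGS


if __name__ == "__main__":
    probe = reflected_param(SAMPLE_URL)
    print("unsafe  :", foreign_tags(render_unsafe(probe)))   # {'svg'}
    print("encoded :", foreign_tags(render_encoded(probe)))  # set()
```

The `foreign_tags` check is the useful part for a team in Neil's position: it can be run against the rendered output of any screen that echoes a request parameter, so a regression is caught as "an element the template never emitted" rather than by eyeballing an alert box in a particular browser.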

Hi everybody.

This is my problem.

We are on version 10.0.105.0 using the Java Stack in the Cloud.

We find the same error as Neil.

How can we solve it?




Hello Joseph,

The same fix has been released in 10.0.405.0, so if you upgrade your platform to the latest 10.0 revision patch you will benefit from that fix and all others we've released.

If you ever have a similar question, you can check the Platform Server Release Notes and see if the ID, in this case "#1520939", is listed there.

You can find the Release Notes here.

Best Regards

Thank you for responding Filipe.

Regards,
