We have a third party company that is reviewing our websites.
They have reported some security issues that they are requiring us to address.
---------------------
Here is their description of the problem: Cross Site Scripting
The "callback", "ajaxevent" and "ArowId" parameters found on https://site.somewhere.com/iw/Isiw.dll//$/callback can be modified to include executable JavaScript.
Note: The request requires a valid 'IW_SessionID' value that can be obtained by going to the application (no authentication required)
----------------------------
It sounds to me that they think a user can grab a session_id from the site and then use it to do an ajax callback with some malicious code.
How do I mitigate this risk?
We are currently using iw 14. Are there some changes in iw15 that would help?
(05-20-2020, 05:16 PM)joelcc Wrote: [ -> ]We have a third party company that is reviewing our websites.
They have reported some security issues that they are requiring us to address.
---------------------
Here is their description of the problem: Cross Site Scripting
The "callback", "ajaxevent" and "ArowId" parameters found on https://site.somewhere.com/iw/Isiw.dll//$/callback can be modified to include executable JavaScript.
Note: The request requires a valid 'IW_SessionID' value that can be obtained by going to the application (no authentication required)
----------------------------
It sounds to me that they think a user can grab a session_id from the site and then use it to do an ajax callback with some malicious code.
How do I mitigate this risk?
We are currently using iw 14. Are there some changes in iw15 that would help?
Here is 2014 blog from Chad:
https://www.atozed.com/2014/01/20140331c-en
which says that there are several things that are checked.
Does anyone else have any other kind of thoughts on this?
I've asked Alexandre to follow up on this as this is his area. That blog was by him too; I think it has me as author because of website migration.
There are plenty of new things in IW 15 which can prevent/mitigate XSS attacks.
First, I'm not sure if they understand where Session ID comes from. A random Session ID can't be used.
Second, in IW 15, you can turn on another security feature which is called "Form ID", i.e. each form instance requires a specific Form ID (a 160-bit field) to be able to respond to events (which also can't be obtained through guessing).
Third, malicious code will be blocked right away when injected into some parameter. IntraWeb will check each parameter before using it.
Do you have any specific finding described in detail? If so, you can send it to me via e-mail (alexandre at atozed dot com)
(05-24-2020, 09:17 PM)Alexandre Machado Wrote: [ -> ]There are plenty of new things in IW 15 which can prevent/mitigate XSS attacks.
First, I'm not sure if they understand where Session ID comes from. A random Session ID can't be used.
Second, in IW 15, you can turn on another security feature which is called "Form ID", i.e. each form instance requires a specific Form ID (a 160-bit field) to be able to respond to events (which also can't be obtained through guessing).
Third, malicious code will be blocked right away when injected into some parameter. IntraWeb will check each parameter before using it.
Do you have any specific finding described in detail? If so, you can send it to me via e-mail (alexandre at atozed dot com)
I am sure that this testing company does not understand the Session ID and how it works. I am also sure that they are running some generic scripts and not really understanding what they are looking at. But it still means I have to "show" them how they are actually pointing out a "non-issue".
It is a holiday here today so I will try to follow up with them later in the week and see if they can give specifics. At the same time I will try to move the company toward iw15 since turning on the form id would probably help.
(05-25-2020, 06:29 PM)joel Wrote: [ -> ] (05-24-2020, 09:17 PM)Alexandre Machado Wrote: [ -> ]There are plenty of new things in IW 15 which can prevent/mitigate XSS attacks.
First, I'm not sure if they understand where Session ID comes from. A random Session ID can't be used.
Second, in IW 15, you can turn on another security feature which is called "Form ID", i.e. each form instance requires a specific Form ID (a 160-bit field) to be able to respond to events (which also can't be obtained through guessing).
Third, malicious code will be blocked right away when injected into some parameter. IntraWeb will check each parameter before using it.
Do you have any specific finding described in detail? If so, you can send it to me via e-mail (alexandre at atozed dot com)
I am sure that this testing company does not understand the Session ID and how it works. I am also sure that they are running some generic scripts and not really understanding what they are looking at. But it still means I have to "show" them how they are actually pointing out a "non-issue".
It is a holiday here today so I will try to follow up with them later in the week and see if they can give specifics. At the same time I will try to move the company toward iw15 since turning on the form id would probably help.
Alexandre,
I sent you an email with the specific finding details.
Hi Joel,
We will also include this in our checks and release a new update.
However, you can already protect your application using your current IW version. You just need to add some code to the OnParseParameter event in ServerController.
I think this will do the trick:
Code:
uses
  StrUtils;

// Called for every incoming request parameter; setting AllowIt to False
// makes IntraWeb reject the parameter before the application uses it.
procedure TIWServerController.IWServerControllerBaseParseParameter(
  var AParam: string; var AllowIt: Boolean; const Index: Integer);
begin
  // ContainsText is case-insensitive, so '<SVG' is caught as well
  if ContainsText(AParam, '<svg') then
    AllowIt := False;
end;
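The OnParseParameter handler above is a substring blocklist: it refuses any value containing `<svg`, which addresses the specific finding but nothing else. The following Python model, added here and not part of IntraWeb or the thread, contrasts that check with an allow-list per parameter, which is the more robust way to implement the "check each parameter before using it" idea from Alexandre's earlier post. The parameter names `callback`, `ajaxevent` and `ArowId` are taken from the scanner report; the shape rules assigned to them (identifier-like names, numeric row id) and the sample requests are assumptions constructed for illustration. The IntraWeb event only receives the value and an index, so dispatching by parameter name is also an assumed structure.

```python
"""Parameter validation modelled on the thread's OnParseParameter idea.

Added example, not IntraWeb code. Parameter names ('callback', 'ajaxevent',
'ArowId') come from the scanner report quoted in the thread; the rule applied
to each is an assumption chosen for illustration.
"""
import re

# Substring blocklist, the approach taken by the thread's Delphi handler.
# ContainsText is case-insensitive, hence the lower() below.
BLOCKED_FRAGMENTS = ("<svg",)


def substring_blocklist_allows(value: str) -> bool:
    """Mirror of: if ContainsText(AParam, '<svg') then AllowIt := False."""
    lowered = value.lower()
    return not any(frag in lowered for frag in BLOCKED_FRAGMENTS)


# Allow-list rules per parameter (assumed shapes, not IntraWeb's real ones):
# callback/event names look like identifiers, row ids are short integers.
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")
ROW_ID = re.compile(r"^[0-9]{1,9}$")

PARAM_RULES = {
    "callback": IDENTIFIER,
    "ajaxevent": IDENTIFIER,
    "ArowId": ROW_ID,
}


def allowlist_allows(name: str, value: str) -> bool:
    """Accept only values matching the expected shape for that parameter.

    Parameters with no rule fall back to the substring blocklist, so the
    allow-list is never weaker than the original check.
    """
    rule = PARAM_RULES.get(name)
    if rule is None:
        return substring_blocklist_allows(value)
    return rule.fullmatch(value) is not None


def check_request(params: dict) -> dict:
    """Evaluate every parameter of one request under both strategies."""
    return {
        name: {
            "blocklist": substring_blocklist_allows(value),
            "allowlist": allowlist_allows(name, value),
        }
        for name, value in params.items()
    }


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "legit": {"callback": "GridRefresh", "ajaxevent": "OnClick", "ArowId": "42"},
    "svg_markup": {"callback": "<svg onload=x>", "ajaxevent": "OnClick", "ArowId": "42"},
    "other_markup": {"callback": "GridRefresh", "ajaxevent": "<b>x</b>", "ArowId": "42"},
    "non_numeric_row": {"callback": "GridRefresh", "ajaxevent": "OnClick", "ArowId": "42;x"},
}


def summarize() -> dict:
    """Per sample request: does each strategy accept the whole request?"""
    out = {}
    for label, params in SAMPLE_REQUESTS.items():
        results = check_request(params)
        out[label] = {
            "blocklist": all(r["blocklist"] for r in results.values()),
            "allowlist": all(r["allowlist"] for r in results.values()),
        }
    return out


if __name__ == "__main__":
    for label, verdict in summarize().items():
        print(f"{label:16s} blocklist={verdict['blocklist']!s:5s} "
              f"allowlist={verdict['allowlist']}")
```

Running the module shows the difference: only the `svg_markup` request is refused by the blocklist, while the allow-list also refuses the request carrying other markup and the one whose row id is not numeric, because neither value has the shape the application expects. In a real handler the same idea applies: decide what each parameter is allowed to look like and reject everything else, rather than enumerating fragments to forbid.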
(06-09-2020, 10:56 PM)Alexandre Machado Wrote: [ -> ]Hi Joel,
We will also include this in our checks and release a new update.
However, you can already protect your application using your current IW version. You just need to add some code to the OnParseParameter event in ServerController.
I think this will do the trick:
Code:
uses
  StrUtils;

// Called for every incoming request parameter; setting AllowIt to False
// makes IntraWeb reject the parameter before the application uses it.
procedure TIWServerController.IWServerControllerBaseParseParameter(
  var AParam: string; var AllowIt: Boolean; const Index: Integer);
begin
  // ContainsText is case-insensitive, so '<SVG' is caught as well
  if ContainsText(AParam, '<svg') then
    AllowIt := False;
end;
That should satisfy their testing.
Thank you.