03-30-2022, 09:02 PM
(03-30-2022, 07:32 AM)MarcoRu Wrote: Hi,
1) A third-party company that is reviewing a website we developed reported some security issues that they are requiring us to address. One of these security issues is the problem described:
If the IW application can be reached on "http://127.0.0.1:88/$/", if we put the URL "http://127.0.0.1:88/" followed by the string "StartCheck?<svg/onload=alert(1)>" (http://127.0.0.1:88/$/StartCheck?<svg/onload=alert(1)>), a pop-up appears. This means that a user can put HTML/JavaScript code in the URL and execute this code. They have identified this problem as Reflected Cross-site Scripting (XSS).
2) I'm saying that in our IW application an alert can be run; I don't know if it can be run in other IW applications.
Without seeing your application, it sounds like the hole is likely in your code, not IW, and that patching it where you are patching it is not really addressing the situation because it's in a parameter.
Can you try the same thing with a simple demo like GuessSA? If Guess doesn't do it, then it's likely your code passing that parameter somewhere unchecked, and that would be the better place to fix it - at the source of the issue rather than elsewhere.
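The following is an added example, not IntraWeb code and not code from either poster. It shows the difference between echoing a query string unchecked and encoding it at the point of output, plus a regression check built on the probe string from the report. The handler functions are hypothetical stand-ins for whatever application code writes the parameter into the page.

```python
import html
from urllib.parse import quote, unquote

# Probe string taken from the reviewers' report quoted in the post above.
PROBE = "<svg/onload=alert(1)>"


def render_unsafe(raw_query: str) -> str:
    """Hypothetical handler: writes the decoded query string into the page as-is."""
    return f"<html><body><p>Check requested: {unquote(raw_query)}</p></body></html>"


def render_safe(raw_query: str) -> str:
    """Same handler, but HTML-encodes the value where it is written out."""
    value = html.escape(unquote(raw_query), quote=True)
    return f"<html><body><p>Check requested: {value}</p></body></html>"


def reflects_markup(body: str, probe: str = PROBE) -> bool:
    """True if the probe comes back verbatim, so a browser would parse it as markup."""
    return probe in body


def audit(handlers: dict) -> dict:
    """Send the probe, raw and percent-encoded, through each handler.

    Returns {handler name: True if any variant is reflected unencoded}.
    """
    variants = [PROBE, quote(PROBE, safe="")]
    return {
        name: any(reflects_markup(render(v)) for v in variants)
        for name, render in handlers.items()
    }


if __name__ == "__main__":
    report = audit({"unsafe": render_unsafe, "safe": render_safe})
    for name, reflected in report.items():
        print(f"{name}: {'REFLECTED unencoded' if reflected else 'encoded on output'}")
```

Running the same check against a stock demo and against your own application separates a framework problem from a parameter your code passes through unchecked.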