05-21-2020, 08:19 PM
(05-20-2020, 05:16 PM)joelcc Wrote: We have a third party company that is reviewing our websites.
They have reported some security issues that they are requiring us to address.
---------------------
Here is their description of the problem: Cross Site Scripting
The "callback", "ajaxevent" and "ArowId" parameters found on https://site.somewhere.com/iw/Isiw.dll//$/callback can be modified to include executable JavaScript.
Note: The request requires a valid 'IW_SessionID' value that can be obtained by going to the application (no authentication required)
----------------------------
It sounds to me like they think a user can grab a session_id from the site and then use it to do an ajax callback with some malicious code.
How do I mitigate this risk?
We are currently using iw 14. Are there some changes in iw15 that would help?
Here is a 2014 blog post from Chad: https://www.atozed.com/2014/01/20140331c-en
which says that there are several things that are checked.
Does anyone else have any other kind of thoughts on this?
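The finding quoted above is a reflected cross-site scripting pattern: values of `callback`, `ajaxevent` and `ArowId` come straight from the request and end up in the response. The example below is added here to illustrate the standard mitigation (allow-list validation of each parameter, then HTML-escaping of anything that is reflected); it is generic Python, not IntraWeb's own code and not code from anyone in this thread. The parameter semantics it enforces are assumptions for the sake of the demo: `callback` and `ajaxevent` are treated as identifier-like names and `ArowId` as a decimal integer; the real application's rules may differ and the allow-lists should be adjusted to match.

```python
import html
import re
from urllib.parse import parse_qs

# Allow-lists. These are assumptions for the demo, not IntraWeb's actual rules:
# callback/ajaxevent must look like identifiers, ArowId must be a decimal integer.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")
ROWID_RE = re.compile(r"^[0-9]{1,10}$")
PARAM_RULES = (("callback", IDENT_RE), ("ajaxevent", IDENT_RE), ("ArowId", ROWID_RE))


class InvalidParameter(ValueError):
    """Raised when a request parameter is missing, duplicated or outside its allow-list."""


def parse_callback_query(query: str) -> dict:
    """Return the three validated parameters, or raise InvalidParameter."""
    raw = parse_qs(query, keep_blank_values=True)
    validated = {}
    for name, pattern in PARAM_RULES:
        values = raw.get(name, [])
        if len(values) != 1:
            raise InvalidParameter(f"{name}: expected exactly one value")
        if not pattern.match(values[0]):
            raise InvalidParameter(f"{name}: value rejected by allow-list")
        validated[name] = values[0]
    return validated


def render_fragment(values: dict, escape: bool) -> str:
    """Build the HTML fragment that reflects the parameters.

    escape=False reproduces the behaviour the assessor reported (values reflected
    verbatim); escape=True applies html.escape with quote=True so the values are
    safe both as attribute values and as element text.
    """
    enc = (lambda s: html.escape(s, quote=True)) if escape else (lambda s: s)
    return (
        f'<div id="{enc(values["ArowId"])}" data-event="{enc(values["ajaxevent"])}">'
        f'{enc(values["callback"])}</div>'
    )


def reflect_raw(query: str) -> str:
    """The vulnerable shape: no validation, no escaping (first value of each parameter)."""
    raw = parse_qs(query, keep_blank_values=True)
    values = {name: raw.get(name, [""])[0] for name, _ in PARAM_RULES}
    return render_fragment(values, escape=False)


def handle(query: str) -> tuple:
    """The hardened shape: reject anything outside the allow-list, escape what is reflected."""
    try:
        values = parse_callback_query(query)
    except InvalidParameter as exc:
        return 400, f"Bad request: {exc}"
    return 200, render_fragment(values, escape=True)


if __name__ == "__main__":
    # Constructed sample inputs: a benign callback request and one carrying markup in `callback`.
    BENIGN = "callback=onRowClick&ajaxevent=click&ArowId=42"
    HOSTILE = "callback=%3Cscript%3Ealert(1)%3C/script%3E&ajaxevent=click&ArowId=42"
    print(reflect_raw(HOSTILE))   # markup reaches the response untouched
    print(handle(HOSTILE))        # (400, 'Bad request: callback: value rejected by allow-list')
    print(handle(BENIGN))         # (200, '<div id="42" data-event="click">onRowClick</div>')
```

Two layers are deliberate: the allow-list stops the request before any rendering happens, and the escaping in `render_fragment` is a second line of defence in case a value that passes validation is later reflected in a context the allow-list did not anticipate. Neither layer addresses the assessor's side note that `IW_SessionID` can be obtained without authentication; that is a session-management question, separate from the output-encoding fix shown here.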