05-24-2020, 09:17 PM
(This post was last modified: 05-24-2020, 09:23 PM by Alexandre Machado.)
There are plenty of new things in IW 15 which can prevent/mitigate XSS attacks.
First, I'm not sure if they understand where Session ID comes from. A random Session ID can't be used.
Second, in IW 15, you can turn on another security feature which is called "Form ID", i.e. each form instance requires a specific Form ID (a 160-bit field) to be able to respond to events (which also can't be obtained through guessing).
Third, malicious code will be blocked right away when injected into some parameter. IntraWeb will check each parameter before using it.
Do you have any specific finding described in detail? If so, you can send it to me via e-mail (alexandre at atozed dot com).