Reported security issue vulnerability
#6
(05-25-2020, 06:29 PM)joel Wrote:
(05-24-2020, 09:17 PM)Alexandre Machado Wrote: There are plenty of new things in IW 15 which can prevent/mitigate XSS attacks.

First, I'm not sure if they understand where Session ID comes from. A random Session ID can't be used.

Second, in IW 15, you can turn on another security feature which is called "Form ID", i.e. each form instance requires a specific Form ID (a 160-bit field) to be able to respond to events (which also can't be obtained through guessing).

Third, malicious code will be blocked right away when injected into some parameter. IntraWeb will check each parameter before using it.

Do you have any specific finding described in detail? If so, you can send it to me via e-mail (alexandre at atozed dot com).

I am sure that this testing company does not understand the Session Id and how it works. I am also sure that they are running some generic scripts and not really understanding what they are looking at. But it still means I have to "show" them how they are actually pointing out a "non-issue".

It is a holiday here today, so I will try to follow up with them later in the week and see if they can give specifics. At the same time I will try to move the company toward IW 15, since turning on the Form ID would probably help.

Alexandre,

I sent you an email with the specific finding details.
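The Form ID check described in the quoted post, modelled as an added example (this is not IntraWeb's code): every form instance a session renders gets its own random 160-bit token, an event is dispatched only when the matching token is presented for that session and form, and the event parameter is validated against the form's registered handlers before use. The FormRegistry class, its method names and the sample handler table are assumptions made for the example.

```python
import hmac
import secrets

FORM_ID_BYTES = 20  # 160 bits, the Form ID width stated in the thread


class FormRegistry:
    """Assumed model of the per-form token check: each form instance a
    session renders gets its own random Form ID, and an event for that
    form is only dispatched when the caller presents the matching ID."""

    def __init__(self):
        # (session_id, form_name) -> form_id
        self._forms = {}

    def new_session(self):
        # Session IDs are random as well; a guessed or reused value matches nothing.
        return secrets.token_hex(FORM_ID_BYTES)

    def create_form(self, session_id, form_name):
        form_id = secrets.token_hex(FORM_ID_BYTES)  # 40 hex chars = 160 bits
        self._forms[(session_id, form_name)] = form_id
        return form_id

    def dispatch_event(self, session_id, form_name, presented_form_id, event, handlers):
        """Return the handler's result, or a rejection reason. `handlers` is the
        allowlist of event names the form exposes (constructed for this example)."""
        expected = self._forms.get((session_id, form_name))
        if expected is None:
            return "rejected: no such form instance in this session"
        # Constant-time comparison so the check leaks nothing about the token.
        if not hmac.compare_digest(expected.encode(), str(presented_form_id).encode()):
            return "rejected: Form ID mismatch"
        # Parameters are checked before use: only a registered event may run.
        if event not in handlers:
            return "rejected: unknown event parameter"
        return handlers[event]()


def demo():
    """Constructed walk-through: a valid event, a guessed Form ID, and a
    Form ID replayed from a different session."""
    reg = FormRegistry()
    sid = reg.new_session()
    fid = reg.create_form(sid, "LoginForm")
    handlers = {"OnSubmit": lambda: "login processed"}
    ok = reg.dispatch_event(sid, "LoginForm", fid, "OnSubmit", handlers)
    guessed = reg.dispatch_event(sid, "LoginForm", "0" * 40, "OnSubmit", handlers)
    replayed = reg.dispatch_event(reg.new_session(), "LoginForm", fid, "OnSubmit", handlers)
    return ok, guessed, replayed
```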
Messages In This Thread
Reported security issue vulnerability - by joelcc - 05-20-2020, 05:16 PM
RE: Reported security issue vulnerability - by joelcc - 06-09-2020, 06:13 PM