Cross site scripting (Detected on Acunetix scan)

Posted: December 10, 2018 at 3:15 PM Quote #217084
We are looking to adopt NopCommerce and completed an Acunetix security scan which flagged the following (repetitive) issue:


Alert group: Cross site scripting

Severity: High

Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can
execute malicious scripts in a legitimate website or web application. XSS occurs when a web
application makes use of unvalidated or unencoded user input within the output it generates.

Recommendations: Apply context-dependent encoding and/or validation to user input rendered on a page

Alert variants

Details: URI was set to "onmouseover='12Ar(9083)'bad="
The input is reflected inside a tag parameter between double quotes.

GET /100-physical-gift-card?"onmouseover='12Ar(9083)'bad=" HTTP/1.1
Connection: keep-alive
Cookie: .Nop.Customer=21cce335-8177-4166-8b61-
Authorization: Basic YW5vbnltb3VzOmFub255bW91cw==
Accept: */*
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21

Is this a known issue and will it be resolved in an upcoming release?
Posted: April 22, 2019 at 7:27 AM Quote #228903
Thanks a lot for reporting. Fixed. Could you please test the fix and confirm that it works well now?

Andrei Mazulnitsyn
Posted: June 26, 2019 at 5:09 AM Quote #240735
I have the same issue reported from a pen test.

It was identified that the application was vulnerable to Reflective Cross-Site Scripting.
During testing, it was identified that it was possible to append arbitrary parameters to the HTTP request URLs and the server returned the full URL in the response without any encoding. By injecting scripts as the arbitrary parameter appended to the request, it was possible to have the script returned in the response and have it executed by the browser.
It is to be noted that, for the attack to be effective, the victim browser must not URL-encode the request. As most modern browsers do automatically encode the URL, this limits the potential victims to only those users who use old browsers (e.g. Internet Explorer 8) to visit the application, with Cross-Site Scripting protection disabled.

I have applied the fix from the above post, but when running an IE8 browser (emulation) with XSS off, it doesn't encode the URL query string.