Cross site scripting (Detected on Acunetix scan)

Posted: December 10, 2018 at 3:15 PM Quote #217084
We are looking to adopt NopCommerce and completed an Acunetix security scan which flagged the following (repetitive) issue:

/100-physical-gift-card

Alert group Cross site scripting

Severity High

Description
Cross-site Scripting (XSS) refers to client-side code injection attack wherein an attacker can execute malicious scripts into a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.

Recommendations: Apply context-dependent encoding and/or validation to user input rendered on a page.

Alert variants

Details: URI was set to "onmouseover='12Ar(9083)'bad="
The input is reflected inside a tag parameter between double quotes.

GET /100-physical-gift-card?"onmouseover='12Ar(9083)'bad=" HTTP/1.1
Referer: http://demostore.directfocus.com/
Connection: keep-alive
Authorization: Basic YW5vbnltb3VzOmFub255bW91cw==
Accept: */*
Accept-Encoding: gzip,deflate
Host: demostore.directfocus.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21

Is this a known issue and will it be resolved in an upcoming release?
Posted: April 22, 2019 at 7:27 AM Quote #228903
Thanks a lot for reporting. Fixed. Could you please test the fix and confirm that it works well now?
Interested in the dedicated Premium support services provided by core developers? Please visit http://www.nopcommerce.com/supportservices.aspx

Regards,
Andrei Mazulnitsyn
Posted: June 26, 2019 at 5:09 AM Quote #240735
I have the same issue reported from a pen test:

It was identified that the application was vulnerable to Reflective Cross-Site Scripting.
During testing, it was identified that it was possible to append arbitrary parameters to the HTTP request URLs and the server returned the full URL in the response without any encoding. By injecting scripts as the arbitrary parameter appended to the request, it was possible to have the script returned in the response and have it executed by the browser.
It is to be noted that, for the attack to be effective, the victim browser must not URL-encode the request. As most modern browsers do automatically encode the URL, this limits the potential victims to only those users who use old browsers (e.g. Internet Explorer 8) to visit the application, with Cross-Site Scripting protection disabled.

I have applied the fix from the above post, but when running an IE8 browser (emulation) with XSS protection off, it doesn't encode the URL query string.
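The pattern behind both reports above, as an added illustration that is not nopCommerce code: the raw request URL is reflected into a double-quoted attribute, so a quote in the query string can close the attribute and start an event handler. The constructed probe mirrors the scanner's payload; the parser-based check returns any on* attribute the browser would see, and the percent-encoded case shows why a modern browser's own URL encoding masks the issue without fixing it.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed values (not from the project): the path the scan hit and a probe
# shaped like the scanner's payload, which tries to close a double-quoted attribute.
PATH = "/100-physical-gift-card"
PROBE = "\"onmouseover='12Ar(9083)'bad=\""


def render_link_vulnerable(request_url: str) -> str:
    """The flagged pattern: the raw request URL is dropped into a double-quoted attribute."""
    return f'<a href="{request_url}">gift card</a>'


def render_link_encoded(request_url: str) -> str:
    """The remediation: HTML attribute encoding, so a quote in the URL cannot end the attribute."""
    return f'<a href="{html.escape(request_url, quote=True)}">gift card</a>'


class _HandlerFinder(HTMLParser):
    """Collects (tag, attribute, value) for every on* event-handler attribute in the markup."""

    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.handlers.extend((tag, n, v) for n, v in attrs if n.lower().startswith("on"))


def injected_handlers(markup: str) -> list:
    """Regression check: event-handler attributes present in the rendered markup."""
    finder = _HandlerFinder()
    finder.feed(markup)
    finder.close()
    return finder.handlers


def check(url: str) -> dict:
    """Handler-attribute counts for the vulnerable and the encoded renderer on one URL."""
    return {
        "vulnerable": len(injected_handlers(render_link_vulnerable(url))),
        "encoded": len(injected_handlers(render_link_encoded(url))),
    }


def percent_encoded_url(path: str, query: str) -> str:
    """What a browser that URL-encodes the query sends: quotes and parens become %22, %28 ..."""
    return path + "?" + quote(query, safe="=")


if __name__ == "__main__":
    print("raw query sent verbatim:", check(PATH + "?" + PROBE))
    print("query percent-encoded:  ", check(percent_encoded_url(PATH, PROBE)))
```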