Cross site scripting (Detected on Acunetix scan)

1 year ago
We are looking to adopt NopCommerce and completed an Acunetix security scan which flagged the following (repetitive) issue:

/100-physical-gift-card

Alert group Cross site scripting

Severity High

Description
Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.

Recommendations Apply context-dependent encoding and/or validation to user input rendered on a page

Alert variants

Details URI was set to "onmouseover='12Ar(9083)'bad="
The input is reflected inside a tag parameter between double quotes.

GET /100-physical-gift-card?"onmouseover='12Ar(9083)'bad=" HTTP/1.1
Referer: http://demostore.directfocus.com/
Connection: keep-alive
Cookie: .Nop.Customer=21cce335-8177-4166-8b61-1cc3fb2cbf59;.Nop.TempData=CfDJ8IZb31yzv8RPiDxnHqhSBYU41YbLQ2pkZDkhaqr5i2u5eWy4lL2ZKPllUnWH0_TFo7EBK8a7-IcaOdZzT9ky6nOG1f9kxLnq_OXGHun7qezLE6f2I1QBm0GFVoZfEBo_coKW3uIjo_3808r03TmVU_nlOMPF3f5jNMtCX_fNao7dBYkLF4yXSni1PuSv5utfH1Tr8FL4wJHZYur178f9JYAV0azLPVXkBUNiFDA92nITenqB7kMvcb5RSEzC5UncDu9jK8CdFK8EDRblDrpu24RJ-av_H8VqXBL1h6jMar_;.Nop.Antiforgery=CfDJ8IZb31yzv8RPiDxnHqhSBYUMgrouQov4KitH05Ve6hZn3lNFdAZb0JKiVSwa2BhzVd4WHU1lWP4Fye43urEiRYClDz3Xn0IlE3i2vAZXZ-_FETFeHTh_cGIWpaDld-KMGhChhxAaUA0flXMwURkfWI;.Nop.ComparedProducts=;.Nop.RecentlyViewedProducts=45%2C9%2C27;.Nop.Authentication=CfDJ8IZb31yzv8RPiDxnHqhSBYV6zlRZBNRTI3gjuuCje1tJoR2ffChXcnSJHeHddbAkio--g5EawoeCMzVQot8U7FEBO899SOfUQ8Q16Ug2oLM5DaJWFMwcCP9kk0N_PfIsm3QASjDPL2PtAOerXl3nYHymxF62FfXF8iRu84FUy4L2YLCDBoGZVooTMJtvrlFUYZjw1Yl52YHsX9O90NuAsQHST4x41tDrboyiw369jnj37HxB1uupdW8Y6soPciO1mUs-mxh_OBe5GQtpsqJauqhC7UAttAjZCz9m-xlsl9gvuVlOJgWHr_GUInWbFuqW-st0B12HMCu_bycKozheFbr51fPDmjOGhnj-WY5KutOAFwWt4qMZ1NA2A16YxlOWm-8g43g1za7UGYh4w9cbSKoZFhtftvdz3K62H32mfJ9oO8olfz9yYAXt9jyt-Bvoi2hPNQpkIZy8U4bM5tSIRIjnLvs3MoedbwZ9a8BcvnA2ho_sgmZArhfE6WOnopNxbHvGYPRrn3819mZhs-ZQw7HJjai07VeXJylqrrzvjBCitwEt97_w2I5taEp6Jayw
Authorization: Basic YW5vbnltb3VzOmFub255bW91cw==
Accept: */*
Accept-Encoding: gzip,deflate
Host: demostore.directfocus.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21

Is this a known issue and will it be resolved in an upcoming release?
7 months ago
Thanks a lot for reporting. Fixed. Could you please test the fix and confirm that it works well now?
5 months ago
I have the same issue reported from a pen test

It was identified that the application was vulnerable to Reflective Cross-Site Scripting.
During testing, it was identified that it was possible to append arbitrary parameters to the HTTP request URLs and the server returned the full URL in the response without any encoding. By injecting scripts as the arbitrary parameter appended to the request, it was possible to have the script returned in the response and have it executed by the browser.
It is to be noted that, for the attack to be effective, the victim browser must not URL-encode the request. As most modern browsers do automatically encode the URL, this limits the potential victims to only those users who use old browsers (e.g. Internet Explorer 8) to visit the application, with Cross-Site Scripting protection disabled.

I have applied the fix from the above post, but when running an IE8 browser (emulation) with the XSS filter off, it doesn't encode the URL query string