Cross site scripting (Detected on Acunetix scan)

2 years ago
We are looking to adopt NopCommerce and completed an Acunetix security scan which flagged the following (repetitive) issue:
Alert group Cross site scripting

Severity High

Cross-site Scripting (XSS) refers to client-side code injection attack wherein an attacker can
execute malicious scripts into a legitimate website or web application. XSS occurs when a web
application makes use of unvalidated or unencoded user input within the output it generates.

Recommendations Apply context-dependent encoding and/or validation to user input rendered on a page

Alert variants

Details URI was set to "onmouseover='12Ar(9083)'bad="
The input is reflected inside a tag parameter between double quotes.

GET /100-physical-gift-card?"onmouseover='12Ar(9083)'bad=" HTTP/1.1
Connection: keep-alive
Cookie: .Nop.Customer=21cce335-8177-4166-8b61-
Authorization: Basic YW5vbnltb3VzOmFub255bW91cw==
Accept: */*
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21

Is this a known issue and will it be resolved in an upcoming release?
1 year ago
Thanks a lot for reporting. Fixed. Could you please test the fix and confirm that it works well now?
1 year ago
I have the same issue reported from a pen test:

It was identified that the application was vulnerable to Reflective Cross-Site Scripting.
During testing, it was identified that it was possible to append arbitrary parameters to the HTTP request URLs and the server returned the full URL in the response without any encoding. By injecting scripts as the arbitrary parameter appended to the request, it was possible to have the script returned in the response and have it executed by the browser.
It is to be noted that, for the attack to be effective, the victim browser must not URL-encode the request. As most modern browsers do automatically encode the URL, this limits the potential victims to only those users who use old browsers (e.g. Internet Explorer 8) to visit the application, with Cross-Site Scripting protection disabled.

I have applied the fix from the above post, but when running an IE8 browser (emulation) with XSS protection off, it doesn't encode the URL query string.
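The scanner finding in the first post and the pen-test description above both come down to the same defect: the full request URL is echoed into a double-quoted attribute without attribute encoding, so a `"` in the query string closes the attribute and whatever follows becomes new attributes. The following is an added example, not nopCommerce code and not from any poster in this thread. It uses Python's standard library to render a hypothetical canonical `<link>` tag for an assumed host `shop.example`, first the unencoded way and then with context-dependent encoding (percent-encoding the URL, then HTML-attribute-encoding the result), and it uses `html.parser` to tokenise each rendering the way a browser would, so the check is on the parsed attributes rather than on string matching. The request target is the one from the Acunetix output quoted above; in an ASP.NET Core/Razor application the equivalent protection is leaving the default `HtmlEncoder` output encoding in place rather than emitting the raw value.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed sample: the request target exactly as it appears in the
# scanner output quoted in the thread (the payload is the scanner's own).
SCANNER_REQUEST_TARGET = '/100-physical-gift-card?"onmouseover=\'12Ar(9083)\'bad="'

# Hypothetical shop host used only so the examples produce absolute URLs.
SITE_ORIGIN = "https://shop.example"


def render_canonical_unsafe(request_target: str) -> str:
    """Reproduces the defect: the raw request URL is interpolated into a
    double-quoted attribute with no encoding at all."""
    return f'<link rel="canonical" href="{SITE_ORIGIN}{request_target}" />'


def render_canonical_encoded(request_target: str) -> str:
    """Context-dependent encoding for a URL living inside an HTML attribute:
    1. percent-encode characters that are not valid in a URL path/query
       (quote() leaves the delimiters / ? = & alone so the URL stays usable);
    2. HTML-attribute-encode the result (html.escape with quote=True turns
       any remaining " or ' into entities), so the value can never close
       the attribute it is placed in."""
    url_safe = quote(request_target, safe="/?=&")
    attr_safe = html.escape(url_safe, quote=True)
    return f'<link rel="canonical" href="{SITE_ORIGIN}{attr_safe}" />'


class _TagSniffer(HTMLParser):
    """Collects the attributes of the first start tag seen, so we can observe
    how a tokeniser splits the markup rather than eyeballing the string."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag: str, attrs: list) -> None:
        if not self.attrs:
            self.attrs = dict(attrs)


def parse_attrs(markup: str) -> dict:
    """Return {attribute_name: value} for the first tag in `markup`.
    Attribute values are entity-decoded by HTMLParser, as a browser would."""
    sniffer = _TagSniffer()
    sniffer.feed(markup)
    sniffer.close()
    return sniffer.attrs


def reflects_event_handler(markup: str) -> bool:
    """Detection check: does the rendered tag carry any on* attribute that
    the template itself never declared?"""
    return any(name.startswith("on") for name in parse_attrs(markup))


if __name__ == "__main__":
    for label, renderer in (("unsafe", render_canonical_unsafe),
                            ("encoded", render_canonical_encoded)):
        markup = renderer(SCANNER_REQUEST_TARGET)
        print(f"[{label}] {markup}")
        print(f"         attributes seen by parser: {parse_attrs(markup)}")
        print(f"         event handler injected? {reflects_event_handler(markup)}")
```

In the unencoded rendering the parser reports `href` cut short at `?` and a separate `onmouseover` attribute, which is exactly the "input is reflected inside a tag parameter between double quotes" variant the scanner reports; in the encoded rendering there is a single `href` whose value round-trips the whole query string and no event-handler attribute. The percent-encoding step is what the last poster is looking for from the server side: once the server emits `%22` rather than `"`, it no longer matters whether an old browser sent the quote raw.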