securityasp-classicxssnessus

Nessus vulnerability scanner reports my classic ASP site still exposed to XSS attack


I am chasing a vulnerability reported on my site written mostly in classic ASP with VBscript. I think the fixes I made should have been sufficient but a "rescan" still shows a "medium risk" item on port 80/tcp:

51972 - CGI Generic Cross-Site Scripting (Parameters Names)

Here is a snippet from this report item:

    -------- request --------
GET /stagedmds/marketshare/ParmsV2.asp?<<<<<<<<<<foo"bar'314>>>>>=1 HTTP/1.1 
Host: www.mortgagedataweb.com 
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1 
Accept-Language: en 
Connection: Close 
Cookie: ASPSESSIONIDSQQQBDTB=MCJAMHCACGEHCNCCGDDPOEAI; ASPSESSIONIDQSSQDCTB=JAFAABIAONBOMMAMJILMMLGL; ASPSESSIONIDQSQQBDTB=IBJAMHCAIGIGCEKMBNPOMCPN 
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) 
Pragma: no-cache 
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
------------------------

-------- output --------

<button type="button" onclick=
"location.href='/stagedmds/marketshare/ParmsV2.asp?<<<<<<<<<<foo"bar'314
>>>>>=1&Doc=Y';"
ONMOUSEOVER="this.className = 'over';"
ONMOUSEOUT="this.className = '';"
------------------------

/stagedmds/marketshare/ParmsV2.ASP?<<<<<<<<<<foo"bar'314>>>>>=1

When I looked at this page of server-side scripting, I noticed that my retrieval of parameters was not "sanitizing" the input as follows:

implied_Menu = UCase(Request.QueryString("Menu"))

So, I changed this as follows:

implied_Menu = getUserInput(UCase(Request.QueryString("Menu"))) 

where a newly added function should "sanitize" the parm value as follows:

Function getUserInput(input)    
    dim newString
    newString=input  
    newString    = replace(newString,"--","")
    newString    = replace(newString,";","")          
    newString    = replace(newString,chr(34),"'") 
    newString    = replace(newString,"'","") 
    newString    = replace(newString,"=","=") 
    newString    = replace(newString,"(","[") 
    newString    = replace(newString,")","]")
    newString = replace(newString,"'","''")
    newString = replace(newString,"<","[")
    newString = replace(newString,">","]")  
    newString = replace(newString,"/*","/") 
    newString = replace(newString,"*/","/")
    getUserInput = newString
End Function 

This variable called implied_Menu is never outputed to the page in any way. It is only evaluated with some case logic to set other variables as in this example:

    Select Case implied_Menu
        Case "C_ST" 
            implied_PromptType = ByCounty
            implied_DataSubset = iConventional
            implied_ReportName = Conventional

I cannot see what else to do here. I have read Protect from cross-site scripting attacks? that some of these vulnerability scanners do not recognize measures like I've taken.

Is it possible the scanner will always report an XSS violation when it sees retrieval from the querystring?


Solution

  • It looks to me that the problem is how you are generating the value for location.href when your code generates this button:

    <button type="button" onclick=
    "location.href='/stagedmds/marketshare/ParmsV2.asp?<<<<<<<<<<foo"bar'314
    >>>>>=1&Doc=Y';"
    ONMOUSEOVER="this.className = 'over';"
    ONMOUSEOUT="this.className = '';"
    

    I guess you are generating the URL with a ServerVariable or Request.QueryString. You need to change this so it only includes parameters you allow.

    If you post this part of your code it may help further.