I am chasing a vulnerability reported on my site, which is written mostly in classic ASP with VBScript. I think the fixes I made should have been sufficient, but a "rescan" still shows a "medium risk" item on port 80/tcp:
51972 - CGI Generic Cross-Site Scripting (Parameters Names)
Here is a snippet from this report item:
    -------- request --------
    GET /stagedmds/marketshare/ParmsV2.asp?<<<<<<<<<<foo"bar'314>>>>>=1 HTTP/1.1
    Host: www.mortgagedataweb.com
    Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
    Accept-Language: en
    Connection: Close
    Cookie: ASPSESSIONIDSQQQBDTB=MCJAMHCACGEHCNCCGDDPOEAI; ASPSESSIONIDQSSQDCTB=JAFAABIAONBOMMAMJILMMLGL; ASPSESSIONIDQSQQBDTB=IBJAMHCAIGIGCEKMBNPOMCPN
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
    Pragma: no-cache
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
    ------------------------
    -------- output --------
    <button type="button" onclick=
    "location.href='/stagedmds/marketshare/ParmsV2.asp?<<<<<<<<<<foo"bar'314
    >>>>>=1&Doc=Y';"
    ONMOUSEOVER="this.className = 'over';"
    ONMOUSEOUT="this.className = '';"
    ------------------------
    /stagedmds/marketshare/ParmsV2.ASP?<<<<<<<<<<foo"bar'314>>>>>=1
When I looked at this page of server-side scripting, I noticed that my retrieval of parameters was not "sanitizing" the input, as follows:

    implied_Menu = UCase(Request.QueryString("Menu"))
So, I changed this as follows:

    implied_Menu = getUserInput(UCase(Request.QueryString("Menu")))
where a newly added function should "sanitize" the parm value as follows:

    Function getUserInput(input)
        Dim newString
        newString = input
        newString = Replace(newString, "--", "")
        newString = Replace(newString, ";", "")
        newString = Replace(newString, Chr(34), "'")
        newString = Replace(newString, "'", "")
        newString = Replace(newString, "=", "=")
        newString = Replace(newString, "(", "[")
        newString = Replace(newString, ")", "]")
        newString = Replace(newString, "'", "''")
        newString = Replace(newString, "<", "[")
        newString = Replace(newString, ">", "]")
        newString = Replace(newString, "/*", "/")
        newString = Replace(newString, "*/", "/")
        getUserInput = newString
    End Function
This variable called implied_Menu is never output to the page in any way. It is only evaluated with some case logic to set other variables, as in this example:

    Select Case implied_Menu
        Case "C_ST"
            implied_PromptType = ByCounty
            implied_DataSubset = iConventional
            implied_ReportName = Conventional
        ' further cases omitted from the post
    End Select
I cannot see what else to do here. I have read in "Protect from cross-site scripting attacks?" that some of these vulnerability scanners do not recognize measures like the ones I've taken.
Is it possible the scanner will always report an XSS violation when it sees retrieval from the querystring?
It looks to me that the problem is how you are generating the value for location.href when your code generates this button:

    <button type="button" onclick=
    "location.href='/stagedmds/marketshare/ParmsV2.asp?<<<<<<<<<<foo"bar'314
    >>>>>=1&Doc=Y';"
    ONMOUSEOVER="this.className = 'over';"
    ONMOUSEOUT="this.className = '';"
I guess you are generating the URL with a ServerVariable or Request.QueryString. You need to change this so it only includes parameters you allow.
If you post this part of your code it may help further.
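One way to apply that advice in classic ASP, as an added example that is not the asker's or the answerer's code: rebuild the link's query string from a whitelist of parameter names, URL-encode each value, and HTML-encode the finished URL when writing it into the onclick attribute. The parameter names Menu and Doc and the ParmsV2.asp path come from the question; the function name, the button label and everything else are assumptions.

```asp
<%
' Added example: build the button link from allowed parameters only,
' instead of echoing the raw query string into the page.
Function BuildDocLink(basePath, allowedNames)
    Dim i, name, value, query
    query = ""
    For i = 0 To UBound(allowedNames)
        name = allowedNames(i)
        ' Only whitelisted names are ever read, so an unexpected parameter
        ' name (like the scanner's probe) is simply never copied.
        value = Request.QueryString(name)
        If Len(value) > 0 Then
            If Len(query) > 0 Then query = query & "&"
            ' URL-encode the value: quotes and angle brackets become %xx
            ' escapes, so they cannot end the JavaScript string or the URL.
            query = query & name & "=" & Server.URLEncode(value)
        End If
    Next
    If Len(query) > 0 Then query = query & "&"
    BuildDocLink = basePath & "?" & query & "Doc=Y"
End Function

Dim docLink
' Assumed: Menu is the only query parameter this page needs to carry forward.
docLink = BuildDocLink("/stagedmds/marketshare/ParmsV2.asp", Array("Menu"))
%>
<!-- HTML-encode on output as well, so the URL is safe inside the attribute
     even if a future change puts an unencoded character into it. -->
<button type="button"
        onclick="location.href='<%= Server.HTMLEncode(docLink) %>';"
        onmouseover="this.className = 'over';"
        onmouseout="this.className = '';">View document</button>
```

With this in place a request such as the scanner's `?<<<<<<<<<<foo"bar'314>>>>>=1` produces a link containing only `Doc=Y`, and a legitimate `?Menu=C_ST` produces `Menu=C_ST&Doc=Y`, so the attribute never contains characters taken verbatim from the request.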