ChartDirector Support

  XSS Threat with onmouseover event.
Posted by Adib on Dec-29-2016 17:24
Hello,

I have read a couple of posts regarding cross-site scripting threats on the use of ChartDirector, and in one of those posts you provided a patch for the function Getchart.

This time however, in a similar situation, a web security assessment run by my client deemed a high risk threat regarding XSS for the onmouseover event. I was using the tracklegend chart which uses JavaScript. The threat disappears when I removed the chart from the website.


Is there anything I can do to eliminate XSS while using this chart?


The Security Assessment tool is Acunetix.

The threat returned is something like:

URI was set to 'onmouseover='prompt(902769)'bad='
The input is reflected inside a tag parameter between single quotes

Thank you

  Re: XSS Threat with onmouseover event.
Posted by Peter Kwan on Dec-30-2016 02:33
Hi Adib,

Would you mind clarifying which programming language edition of ChartDirector you are using, and the exact URL to reproduce the issue? I have tried the tracklegend sample using a URL such as:

tracklegend.aspx?'onmouseover='prompt(902769)'bad='

In the generated HTML, I can only find the following in a HIDDEN field tag (<input type="hidden" ....>):

tracklegend.aspx?%27onmouseover=%27prompt(902769)%27bad=%27

The above is in single quotes in the HTML. It is normal, as ChartDirector will keep a copy of the URL so that it can reload the page, so anything in the URL will necessarily be found in the generated web page. It is not a threat because the single quote in the URL is escaped to %27, which means the URL will be interpreted as part of the URL, and not as an "onmouseover" event script. Finally, the tag that contains the URL is a hidden tag, so it should not be capable of responding to any "onmouseover" event.

I have also tried the PHP version "tracklegend.php" and I obtain the same result (the single quote is escaped to %27).

If the threat exists, it should be easy to reproduce just by entering the proper URL, and then view the generated HTML to see if the text 'onmouseover='prompt(902769)'bad=' exists. If we can reproduce it, we will certainly fix it urgently.

Regards
Peter Kwan

  Re: XSS Threat with onmouseover event.
Posted by Peter Kwan on Dec-30-2016 04:27
Hi Adib,

For further testing, I have tried to use another security scanner (Subgraph Vega) to check for issues, but it cannot find any issues.

Regards
Peter Kwan

  Re: XSS Threat with onmouseover event.
Posted by Adib on Jan-02-2017 00:21
Hi Peter,

Thank you for your response.

I was having some trouble comprehending the threat myself at first until I figured out that the affected item was the chart image, which picks up the URL as it is under the <img src> tag. And while parameters under Sel= are encoded, anything else beyond the '.aspx/' is not.

I have managed to comply with the assessment by singling out any injection of 'onmouseover' into the url, replacing it with something safe.