RadControls and Rational AppScan web site security software

3 posts, 0 answers
  1. Adam L. Ooten
    86 posts
    Member since:
    Sep 2005

    Posted 06 Jan 2010

    I believe I have seen mentioned that Telerik RadControls are made to be 508 compliant which is great, but I was wondering if Telerik has used any type of web site security software testing on their controls? Specifically I am hitting a few issues with the controls using IBM Rational AppScan.

    http://www-01.ibm.com/software/rational/offerings/websecurity/webappsecurity.html

    The security issues I am getting relate to the telerik.web.ui.webresource.axd file and are as follows:

    • DOM Based Cross-Site Scripting
    • Query Parameter in SSL Request
    • Client-Side (JavaScript) SQL Query Construction
    • Client-Side (JavaScript) Cookie References

    Any help you can provide would be much appreciated.

  2. Poul Henningsen
    194 posts
    Member since:
    May 2006
  3. Veli
    Admin
    2002 posts

    Posted 08 Jan 2010

    Hi,

    Telerik.Web.UI.WebResource.axd is the HTTP web resource handler some of RadControls use to fetch scripts, styles and sprite images. Unfortunately, ASP.NET resource handlers are not very much venerated by web security products, as they are often treated as a web security vulnerability. Part of the suspicious behavior of the script resource handlers is that there is no physical file named WebResource.axd (or ScriptResource.axd for standard ASP.NET ScriptManager) present in the web site root.

    Try creating an empty WebResource.axd file and see if you are getting the same warnings.


    Kind regards,
    Veli
    the Telerik team
