Adam L. Ooten
Top achievements
Rank 2
Rank 2
Adam L. Ooten
asked on 06 Jan 2010, 05:05 PM
I believe I have seen mentioned that Telerik RadControls are made to be 508 compliant which is great, but I was wondering if Telerik has used any type of web site security software testing on their controls? Specifically I am hitting a few issues with the controls using IBM Ration AppScan.
http://www-01.ibm.com/software/rational/offerings/websecurity/webappsecurity.html
The security issues I am getting relate to the telerik.web.ui.webresource.axd file and are as follows:
http://www-01.ibm.com/software/rational/offerings/websecurity/webappsecurity.html
The security issues I am getting relate to the telerik.web.ui.webresource.axd file and are as follows:
- DOM Based Cross-Site Scripting
-
Query Parameter in SSL Request
-
Client-Side (JavaScript) SQL Query Construction
-
Client-Side (JavaScript) Cookie References
Any help you can provide would be much appreciated.
2 Answers, 1 is accepted
0
Poul Henningsen
Top achievements
Rank 1
Rank 1
answered on 08 Jan 2010, 08:19 AM
not very helpful, but you may check this forum post:
http://www.telerik.com/community/forums/aspnet/general-discussions/appscan-7-7-security-issues-for-radinput-s.aspx
http://www.telerik.com/community/forums/aspnet/general-discussions/appscan-7-7-security-issues-for-radinput-s.aspx
0
Hi,
Telerik.Web.UI.WebResource.axd is the HTTP web resource handler some of RadControls use to fetch scripts, styles and sprite images. Unfortunately, ASP.NET resource handlers are not very much venerated by web security products, as they are often treated as a web security vulnerability. Part of the suspicious behavior of the script resource handlers is that there is no physical file named WebResource.axd (or ScriptResource.axd for standard ASP.NET ScriptManager) present in the web site root.
Try creating an empty WebResource.axd file and see if you are getting the same warnings.
Kind regards,
Veli
the Telerik team
Instantly find answers to your questions on the new Telerik Support Portal.
Watch a video on how to optimize your support resource searches and check out more tips on the blogs.
Telerik.Web.UI.WebResource.axd is the HTTP web resource handler some of RadControls use to fetch scripts, styles and sprite images. Unfortunately, ASP.NET resource handlers are not very much venerated by web security products, as they are often treated as a web security vulnerability. Part of the suspicious behavior of the script resource handlers is that there is no physical file named WebResource.axd (or ScriptResource.axd for standard ASP.NET ScriptManager) present in the web site root.
Try creating an empty WebResource.axd file and see if you are getting the same warnings.
Kind regards,
Veli
the Telerik team
Instantly find answers to your questions on the new Telerik Support Portal.
Watch a video on how to optimize your support resource searches and check out more tips on the blogs.