How to secure the telerik:radgrid or telerik:RadComboBox ClientState from XSS Attack.

1 Answer 28 Views
ComboBox Grid
Attiq
Top achievements
Rank 1
Attiq asked on 13 May 2022, 01:12 PM | edited on 13 May 2022, 01:12 PM

Hi guys,

 

I am working on issues reported by rapid 7. 

Following error is reported by Rapid 7:

ctl00_ctl00_BaseContent_ContentPlaceHolder1_rgdDispatches_ClientState=%27%3E%3Cscript%3Ealert(4272772)%3C%2Fscript%3E 

Actually the attacK is injecting <script>alert("4272772")</script> tag inside the ClientState. 

Is there any way to prevent this attack on almost all Telerik Ajax Controls, Specially telerik:radgrid and telerik:RadComboBox ON SERVER SIDE CODE

Is there any way to use encryption or some way the validate and Fix the client state of a control on Server Side?

1 Answer, 1 is accepted

Sort by
0
Rumen
Telerik team
answered on 17 May 2022, 01:14 PM

Hi Attiq,

The _ClientState field, our controls have, is something standard for an IScriptControl instance. As with any other input, a malicious user can generate a POST with invalid data in it that will trigger server errors but there is no debugging information stored in the ClientState field.

I can assure you the ClientState data is used only to set control properties (much like the ViewState data, but it is used to store information for the client, not the server). If the information in it is modified, you will most likely get a server error. We do not execute code based on these values, nor we do not send any debug information through them.

Even if a malicious user changed the values, they could have either of the outcomes shown in the following video:
http://youtu.be/oq9tmQY3y4c?hd=13

We use the JavaScriptSerializer class from .NET to get the contents of the ClientState fields.

If you think that there is a real security issue, can you please provide the steps to replicate the exploit on our side? Thank you!

Best Regards,
Rumen
Progress Telerik

Love the Telerik and Kendo UI products and believe more people should try them? Invite a fellow developer to become a Progress customer and each of you can get a $50 Amazon gift voucher.

Tags
ComboBox Grid
Asked by
Attiq
Top achievements
Rank 1
Answers by
Rumen
Telerik team
Share this question
or