Hello,
I was notified that one of the sites I developed is returning a vulnerability to cross-site scripting. I have already tried many ways to correct this issue with code and content security policy changes. I still can't get rid of this vulnerability. We are using Progress® Telerik® UI for ASP.NET AJAX runtime version: v4.0.30319 version: 2020.1.114.45. Can I download the trial of ASP.NET AJAX and try that version of the TreeView and see if that corrects the issue?
Issue Detail
The value of the scrollPosition JSON parameter within the ctl00_ContentPlaceHolder1_VIndex2_tvIndex_ClientState parameter is copied into the HTML document as plain text between tags. The payload sbi7s<script>alert(1)</script>tx52l was submitted in the scrollPosition JSON parameter within the ctl00_ContentPlaceHolder1_VIndex2_tvIndex_ClientState parameter. This input was echoed unmodified in the application's response.
Request
older1_VIndex2_tvIndex_ClientState=%7b%22expandedNodes%22%3a[]%2c%22collapsedNodes%22%3a[]%2c%22logEntries%22%3a[]%2c%22selectedNodes%22%3a[]%2c%22checkedNodes%22%3a[]%2c%22scrollPosition%22%3a%220**sbi7s%3cscript%3ealert(1)%3c%5c%2fscript%3etx52l**%22%7d&ctl00_RadWindowManager1_ClientState=&__ASYNCPOST=true&ctl00%24ContentPlaceHolder1%24VIndex2%24btnAddCart=Add%20To%20Cart
Response
> HTTP/2 200 OK
> Cache-Control: no-cache
> Pragma: no-cache
> Content-Type: text/plain; charset=utf-8
> Expires: -1
> Server: Microsoft-IIS/10.0
> X-Powered-By: ASP.NET
> X-Frame-Options: SAMEORIGIN
> X-Ua-Compatible: IE=edge,IE=11,IE=10,IE=9,IE=8,IE=7
> Strict-Transport-Security: max-age=31536000
> Date: Wed, 19 Mar 2025 16:26:27 GMT
> Content-Length: 82
> 68|error|500|0**sbi7s<script>alert(1)</script>tx52l** is not a valid value for Int32.|
What is the best way to pinpoint this issue? How can I look at the scrollPosition, and how is that causing this issue?
How do I fix this so it isn't showing up on the scans?
Thank you
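The scan output above shows the reflection happening inside the standard ASP.NET AJAX partial-rendering error frame (`error|500|<message>`): the RadTreeView tries to parse scrollPosition as an Int32, the FormatException message contains the submitted value, and ScriptManager sends that message back verbatim. One place to stop the echo is the ScriptManager's AsyncPostBackError event. The following code-behind is an added example, not code from the original post or from Telerik; it assumes a RadScriptManager with ID RadScriptManager1 and a hypothetical LogException helper.

```csharp
using System;
using System.Web.UI;
using Telerik.Web.UI;

// Added example (not from the original post or Telerik's own code).
// RadScriptManager derives from ScriptManager, so the AsyncPostBackError
// event and AsyncPostBackErrorMessage property are available on it.
public partial class IndexPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Assumed control ID; adjust to the ScriptManager on the affected page.
        RadScriptManager1.AsyncPostBackError += OnAsyncPostBackError;
    }

    private void OnAsyncPostBackError(object sender, AsyncPostBackErrorEventArgs e)
    {
        // Keep the real exception server-side. Its message contains whatever
        // was posted in scrollPosition ("... is not a valid value for Int32"),
        // which is exactly the string the scanner saw reflected.
        LogException(e.Exception);

        // Replace the reflected text with a constant message. The async
        // response then carries no request-controlled data in the error frame.
        RadScriptManager1.AsyncPostBackErrorMessage =
            "An unexpected error occurred. Please reload the page and try again.";
    }

    private void LogException(Exception ex)
    {
        // Hypothetical helper: write to your application's logging pipeline.
        System.Diagnostics.Trace.TraceError(ex.ToString());
    }
}
```

Because the response is served as text/plain, the reflection only becomes exploitable if client-side script (an EndRequest handler, a custom error dialog) inserts the error message into the DOM as HTML; check any such handler uses textContent rather than innerHTML, and re-run the scan after the fix to confirm the payload no longer appears in the response.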