RadTreeView causing vulnerability scanner to say that it is vulnerable to cross site scripting

1 Answer 20 Views
TreeView
Jerry
Jerry asked on 26 Mar 2025, 04:10 PM | edited on 26 Mar 2025, 04:15 PM

Hello,

I was notified that one of the sites I developed is returning a vulnerability to cross site scripting. I have already tried many ways to correct this issue with code and content security policy changes. I still can't get rid of this vulnerability. We are using Progress® Telerik® UI for ASP.NET AJAX runtime version: v4.0.30319 version: 2020.1.114.45. Can I download the trial of ASP.NET AJAX and try that version of the treeview and see if that corrects the issue?

Issue Detail

The value of the scrollPosition JSON parameter within the ctl00_ContentPlaceHolder1_VIndex2_tvIndex_ClientState parameter is copied into the HTML document as plain text between tags. The payload sbi7s<script>alert(1)</script>tx52l was submitted in the scrollPosition JSON parameter within the ctl00_ContentPlaceHolder1_VIndex2_tvIndex_ClientState parameter. This input was echoed unmodified in the application's response.

Request

older1_VIndex2_tvIndex_ClientState=%7b%22expandedNodes%22%3a[]%2c%22collapsedNodes%22%3a[]%2c%22logEntries%22%3a[]%2c%22selectedNodes%22%3a[]%2c%22checkedNodes%22%3a[]%2c%22scrollPosition%22%3a%220**sbi7s%3cscript%3ealert(1)%3c%5c%2fscript%3etx52l**%22%7d&ctl00_RadWindowManager1_ClientState=&__ASYNCPOST=true&ctl00%24ContentPlaceHolder1%24VIndex2%24btnAddCart=Add%20To%20Cart

Response

> HTTP/2 200 OK
> Cache-Control: no-cache 
> Pragma: no-cache 
> Content-Type: text/plain; charset=utf-8 
> Expires: -1 
> Server: Microsoft-IIS/10.0 
> X-Powered-By: ASP.NET 
> X-Frame-Options: SAMEORIGIN 
> X-Ua-Compatible: IE=edge,IE=11,IE=10,IE=9,IE=8,IE=7 
> Strict-Transport-Security: max-age=31536000 
> Date: Wed, 19 Mar 2025 16:26:27 GMT 
> Content-Length: 82 
> 68|error|500|0**sbi7s<script>alert(1)</script>tx52l** is not a valid value for Int32.|

What is the best way to pinpoint this issue? How can I look at the scrollPosition and how is that causing this issue?

How do I fix this so it isn't showing up on the scans?

Thank you

1 Answer, 1 is accepted

0
Rumen
Telerik team
answered on 27 Mar 2025, 10:43 AM | edited on 27 Mar 2025, 11:00 AM

Hi Jerry,

Thank you for bringing this to our attention.

We can confirm that the reported issue is a false positive based on the information provided and our internal review. Here are the key points to address your concerns:

  1. Data Type Validation: The ScrollPosition parameter in the TreeViewClientState class is defined as an int. Any non-integer value will cause a validation error.
  2. Error Handling: The error message indicates that the input is not a valid value for Int32, confirming that invalid input types are correctly rejected.
  3. No HTML Injection: The error message is returned as plain text, preventing the injected script from being executed in the browser.
  4. Server-Side Validation: The application ensures that the scrollPosition parameter is an integer, preventing the execution of any injected script.

Regarding the _ClientState fields of the Telerik controls, they are designed to store state information and do not interact directly with the database. We perform sanity checks and always deserialize the input from the hidden fields to strongly typed objects, which are only used for operations within the current user session. Modifying this data would typically result in a server error rather than any security breach.
If you can stage an attack through the ClientState field of a control of ours, please send us a proof of concept example so we can examine it. You can find more information on the ClientState purpose in this forum thread: What is ClientState Input Hidden for?.

To further strengthen the security of your application, we highly recommend keeping your Telerik UI for ASP.NET AJAX suite up to date with the latest version 2025 Q1. While we are not aware of any specific vulnerabilities in your current version (2020), one of the key improvements in recent releases is our support for .NET Framework 4.6.2. This change was made in response to Microsoft discontinuing support for .NET 4.5 and 4.6.1, ensuring your application remains compliant with modern framework standards. Regular updates will help you stay protected from potential future vulnerabilities and take advantage of the latest security best practices. Another improvement in the latest version is the support for the latest browser versions and enhanced security compared to the earlier versions.

Please feel free to reach out if you have any further concerns, or if you'd like assistance with upgrading to the latest version. We are committed to ensuring the security and efficiency of our controls and appreciate your cooperation in helping us achieve this.

Regards,
Rumen
Progress Telerik
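Added example (not from the thread or from Telerik): a small Python triage script that reproduces the reasoning in the answer against the request and response quoted in the question. It decodes the ClientState field, applies a strict Int32 check to scrollPosition, splits the ASP.NET AJAX partial-postback response into its length-prefixed records and classifies the reflection by Content-Type; the request and response bodies are reconstructed from the page with the scanner's ** highlight markers removed, and the regex and function names are my own assumptions, not the control's implementation.

```python
import json, re
from urllib.parse import parse_qs
FIELD = "ctl00_ContentPlaceHolder1_VIndex2_tvIndex_ClientState"
# Constructed from the scanner request quoted above (scanner's ** highlight markers dropped).
RAW_BODY = (FIELD + "=%7b%22expandedNodes%22%3a[]%2c%22collapsedNodes%22%3a[]%2c%22logEntries%22%3a[]"
            "%2c%22selectedNodes%22%3a[]%2c%22checkedNodes%22%3a[]%2c%22scrollPosition%22%3a"
            "%220sbi7s%3cscript%3ealert(1)%3c%5c%2fscript%3etx52l%22%7d&__ASYNCPOST=true")
# Constructed from the 82-byte response body quoted above (markers dropped: 13 + 68 + 1 bytes).
RESPONSE_BODY = "68|error|500|0sbi7s<script>alert(1)</script>tx52l is not a valid value for Int32.|"
INT32_RE = re.compile(r"^\s*[+-]?\d+\s*$")

def parse_int32(value):
    # Accept only a JSON number or a plain decimal string within Int32 range (assumed strict check).
    ok = isinstance(value, int) and not isinstance(value, bool)
    ok = ok or (isinstance(value, str) and INT32_RE.match(value) is not None)
    if not ok or not -2**31 <= int(value) < 2**31:
        raise ValueError(f"{value} is not a valid value for Int32.")
    return int(value)

def scroll_position_error(form_body, field):
    # Decode the ClientState hidden field; return the rejection message, or None if scrollPosition is valid.
    state = json.loads(parse_qs(form_body)[field][0])
    try:
        parse_int32(state.get("scrollPosition"))
    except ValueError as err:
        return str(err)
    return None

def parse_async_postback(body):
    # Split a partial-postback body into (type, id, content) records of the form 'length|type|id|content|'.
    records, pos = [], 0
    while pos < len(body):
        len_end = body.index("|", pos)
        type_end = body.index("|", len_end + 1)
        id_end = body.index("|", type_end + 1)
        start, end = id_end + 1, id_end + 1 + int(body[pos:len_end])
        if body[end:end + 1] != "|":
            raise ValueError("length prefix does not match content")
        records.append((body[len_end + 1:type_end], body[type_end + 1:id_end], body[start:end]))
        pos = end + 1
    return records

def reflection_context(content_type, body, marker):
    # Only a text/html response is parsed as markup; anything else is shown as text.
    if marker not in body:
        return "not reflected"
    if content_type.split(";")[0].strip().lower() == "text/html":
        return "reflected into HTML: review the surrounding markup"
    return "reflected into a non-HTML body: not parsed as markup by the browser"
```

The length prefix of the error record (68) and the Content-Length header (82) both match the quoted body once the scanner's markers are removed, which is a quick way to confirm the reflection lives inside a plain-text error record rather than in page markup.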

