This is a migrated thread and some comments may be shown as answers.

Security Violation OWASP

Stan asked on 09 Jul 2012, 08:15 PM
Have an aggravating problem here and any help would be great.  Basically one of our clients beefed up their security and implemented OWASP.  Now, some of our existing site functionality is returning a security violation.  I narrowed down one of the major issues to the RadTab.  Once a page containing a RadTabStrip posts back, the OWASP returns a security violation.  Unfortunately, we don't have access to the logs and the client has given us a few snippets but they seem to be SQL Injection related and also pattern matching on the view state.

I then created a blank page with one RadTabStrip with 4 RadTab/RadPageViews, each containing a letter of the alphabet and one button that would post back.  Upon clicking the button, the security violation threw.  So I am about 99.99% positive it is returning a false positive with something the RadTab is posting back.  I then modified one of our existing pages to implement jQuery tabs instead of the RadTabs.  This worked successfully, but the problem is this would be a somewhat lengthy overhaul and I was hoping someone out there might have an idea for me.  Now please note that the client refuses to make any exceptions in the OWASP security.  Frustrating, but this is what I have to deal with.


1 Answer, 1 is accepted

Genady Sergeev
Telerik team
answered on 13 Jul 2012, 08:11 AM
Hi Sean,

What RadTabStrip is posting back is its client-state, which is stored in a hidden field. I guess that OWASP treats that as an SQL injection; however, of course, it is not, because the client-state is only used by the RadTabStrip internals and there is absolutely no way that it can get to the database or cause any harm at all. The reason is that if the client-state is not in the expected format, RadTabStrip won't use it at all. Unfortunately there is no way to change the way RadTabStrip works.

As far as I know, in security systems there is usually a way to justify a security error and mark it as a false positive so that it is not taken into consideration. If this is possible using OWASP, you can use the explanation above.

All the best,
Genady Sergeev
the Telerik team
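The answer above describes marking the hit as a false positive; the following is an added example (not from this thread or from Telerik) of what a scoped exclusion looks like when "OWASP" means the OWASP ModSecurity Core Rule Set. It assumes ModSecurity 2.9 with CRS 3.x, a page named Tabs.aspx, and that the control's hidden field posts as ctl00$RadTabStrip1_ClientState; that field name is an assumption and must be confirmed in the rendered page source.

```apache
# Added example, not from the thread. Assumes ModSecurity 2.9+ with OWASP CRS 3.x
# (CRS 2.x used different tag names) and a RadTabStrip whose hidden client-state
# field posts as ctl00$RadTabStrip1_ClientState; the "_ClientState" suffix is the
# assumed Telerik naming, so check the real name in the page source first.

# 1. Narrow, site-wide exclusion: every SQLi rule stays active, but none of them
#    inspects the one hidden field carrying the control's serialized client state.
#    This directive must come AFTER the CRS rules have been included.
SecRuleUpdateTargetByTag "attack-sqli" "!ARGS:ctl00$RadTabStrip1_ClientState"

# 2. The same exclusion scoped to a single page, so it does not apply everywhere.
#    ctl:ruleRemoveTargetByTag is evaluated per request, only for matching URLs.
SecRule REQUEST_FILENAME "@endsWith /Tabs.aspx" \
    "id:10001,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:ctl00$RadTabStrip1_ClientState"

# 3. What NOT to do: removing the SQLi rules outright discards the protection
#    the client asked for instead of just the one false positive.
# SecRuleRemoveByTag "attack-sqli"
```

Keep the audit log entry for the original hit so the exclusion can be justified later, and re-check it after upgrading the control, since the client-state format is internal to RadTabStrip and may change.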