This is a migrated thread and some comments may be shown as answers.

XSS Vulnerabilities

Simon Layton asked on 05 Dec 2016, 10:36 AM
We have just had a penetration test carried out and they have flagged a lot of XSS issues around the JSON parameter within the clientstate of the controls.

We are currently using 2015.2.826.40 and I know that is not the latest version but if we upgrade will this resolve the issues?

2 Answers, 1 is accepted

Accepted
Marin Bratanov
Telerik team
answered on 05 Dec 2016, 12:20 PM

Hi Simon,

There are no known issues in the version you use and hence, no fixes in later versions.

I advise that you open a support ticket and send us an example of how the ClientState hidden field can be exploited so we can offer more precise advice.

What I can say at this point is that the _ClientState hidden field is a standard feature of all IScriptControls and data from it is used by our controls only for internal functionality (e.g., storing dimensions, positions, expanded elements, etc.) and it is not used for data retrieval or database queries. If a malicious user modifies the data there, they will, most likely, get a server error because the control cannot parse the information, or will simply break the control functionality.

Regards,

Marin Bratanov
Telerik by Progress
Simon Layton answered on 05 Dec 2016, 01:45 PM

Hi

Thanks for the quick response. Talking to the testers, it appears that injecting a payload into the ClientState causes an error, the error contains the payload, and on older browsers (before IE8) this would be executed. So I don't think it would be a problem as we check for IE9+ on the site.

I'll get someone to raise a support ticket with the details in it.

Regards

Simon
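Added example, not from the thread and not Telerik's code: it performs the check Simon's testers describe (Marin's answer says a tampered ClientState value produces a server error; Simon's reply says that error page reflects the payload). It locates the hidden inputs whose name ends in "_ClientState", replaces their values with JSON carrying a bracketed marker, and classifies a response as reflecting the marker raw (exploitable markup), HTML-encoded, or not at all. The field names, the JSON key names and the three sample error pages are constructed for the example and are not a Telerik schema; a real test would POST the encoded form to the site's own page URL with its session cookies.

```python
"""Reflection check for tampered *_ClientState hidden fields (added example).

Assumes the hidden field name ends in "_ClientState" and that the server
echoes the submitted value somewhere in an error page. Field names, JSON
keys and sample responses below are constructed for illustration.
"""
import html
import json
import re
from urllib.parse import urlencode

# Unique token wrapped in angle brackets. If the brackets survive into the
# response verbatim, the reflection is usable markup; if only the token
# survives, the value was encoded (or otherwise neutralised) before output.
TOKEN = "pt7xq9"
MARKER = f"<{TOKEN}>"

HIDDEN_INPUT_RE = re.compile(
    r'<input\b[^>]*\btype=["\']hidden["\'][^>]*>', re.IGNORECASE)
ATTR_RE = re.compile(r'\b(name|value)=["\']([^"\']*)["\']', re.IGNORECASE)


def hidden_fields(page_html):
    """Return {name: value} for every hidden input in the page."""
    fields = {}
    for tag in HIDDEN_INPUT_RE.findall(page_html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        if "name" in attrs:
            fields[attrs["name"]] = html.unescape(attrs.get("value", ""))
    return fields


def clientstate_payload(marker=MARKER):
    """JSON shaped like a control's client state, with the marker inside a
    string value. Key names are illustrative (assumption), not Telerik's."""
    return json.dumps({"expandedItems": [marker], "scrollPosition": 0})


def tamper(fields, marker=MARKER):
    """Copy of the form fields with every *_ClientState value replaced."""
    out = dict(fields)
    for name in fields:
        if name.endswith("_ClientState"):
            out[name] = clientstate_payload(marker)
    return out


def encode_form(fields):
    """Body for an application/x-www-form-urlencoded POST of the form."""
    return urlencode(fields)


def classify_reflection(body, marker=MARKER):
    """'raw' = marker reflected verbatim (reflected XSS), 'encoded' = token
    present but brackets neutralised, 'absent' = value not echoed."""
    if marker in body:
        return "raw"
    if marker.strip("<>") in body:
        return "encoded"
    return "absent"


# Constructed sample page with two RadControl-style ClientState fields.
PAGE = """<form method="post" action="./Default.aspx">
<input type="hidden" name="__VIEWSTATE" value="/wEPDwUK" />
<input type="hidden" name="ctl00$Main$RadGrid1_ClientState" id="ctl00_Main_RadGrid1_ClientState" value="" />
<input type="hidden" name="ctl00$Main$RadTreeView1_ClientState" id="ctl00_Main_RadTreeView1_ClientState" value="" />
</form>"""

# Constructed sample error pages: one echoes the value raw, one encoded,
# one does not echo it at all.
RESPONSE_RAW = ("<h2>Server Error</h2><p>Cannot parse client state: "
                "{\"expandedItems\":[\"<pt7xq9>\"]}</p>")
RESPONSE_ENCODED = ("<h2>Server Error</h2><p>Cannot parse client state: "
                    "{&quot;expandedItems&quot;:[&quot;&lt;pt7xq9&gt;&quot;]}</p>")
RESPONSE_GENERIC = "<h2>Server Error</h2><p>An unexpected error occurred.</p>"


def run_offline_demo():
    """Build the tampered POST body and classify each sample response."""
    body = encode_form(tamper(hidden_fields(PAGE)))
    verdicts = {name: classify_reflection(resp) for name, resp in
                [("raw", RESPONSE_RAW), ("encoded", RESPONSE_ENCODED),
                 ("generic", RESPONSE_GENERIC)]}
    return body, verdicts


if __name__ == "__main__":
    post_body, results = run_offline_demo()
    print(post_body)
    for name, verdict in results.items():
        print(f"{name}: {verdict}")
```

Only a "raw" verdict is a finding; an "encoded" verdict shows the value is reflected but neutralised, which is what a fixed error page should produce, and "absent" means the error page does not echo the input at all. Browser version gating, as Simon describes, does not change the server's behaviour, so the classification is worth keeping in a regression test after any upgrade.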
