We have just had a penetration test carried out and they have flagged a lot of XSS issues around the JSON parameter within the clientstate of the controls.
We are currently using 2015.2.826.40 and I know that is not the latest version, but if we upgrade, will this resolve the issues?
2 Answers, 1 is accepted
answered on 05 Dec 2016, 12:20 PM
There are no known issues in the version you use and hence, no fixes in later versions.
I advise that you open a support ticket and send us an example of how the ClientState hidden field can be exploited so we can offer more precise advice.
What I can say at this point is that the _ClientState hidden field is a standard feature of all IScriptControls and data from it is used by our controls only for internal functionality (e.g., storing dimensions, positions, expanded elements, etc.) and it is not used for data retrieval or database queries. If a malicious user modifies the data there, they will, most likely, get a server error because the control cannot parse the information, or will simply break the control functionality.
Telerik by Progress
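The answer above describes the mechanism that matters to a defender: a tampered hidden-field value is not used for data access, it simply fails to parse, and the only exposure is whatever the resulting error output echoes back to the browser. The following is an added illustration of that pattern, not code from Telerik or from this thread; the control is an ASP.NET AJAX component, but the pattern is shown here in Python, and the field names (`expanded`, `width`, `height`), the `ALLOWED_KEYS` schema and the sample values are all constructed for the example. It contrasts an error page that reflects the raw input (the finding the testers reported) with one that returns a generic message and keeps the escaped value in the server log only.

```python
import html
import json

# Constructed sample values standing in for a control's _ClientState hidden field.
VALID_STATE = '{"expanded": [1, 3], "width": 320, "height": 200}'
# Malformed JSON: a tag dropped straight into the field.
TAMPERED_MALFORMED = '{"expanded": [1, 3], "width": <script>alert(1)</script>}'
# Well-formed JSON with the wrong type, so json.loads alone would accept it.
TAMPERED_WELL_FORMED = '{"width": "<script>alert(1)</script>"}'

# Hypothetical schema for this example: the keys a control stores for itself.
ALLOWED_KEYS = {"expanded", "width", "height"}


def parse_client_state(raw):
    """Parse the hidden-field JSON and enforce a small schema.

    Raises ValueError (json.JSONDecodeError is a subclass) on anything unexpected,
    so tampering surfaces as a parse failure rather than being acted upon.
    """
    state = json.loads(raw)
    if not isinstance(state, dict) or set(state) - ALLOWED_KEYS:
        raise ValueError("unexpected structure or keys in client state")
    expanded = state.get("expanded", [])
    if not isinstance(expanded, list) or not all(isinstance(i, int) for i in expanded):
        raise ValueError("expanded must be a list of integers")
    for key in ("width", "height"):
        if key in state and not isinstance(state[key], int):
            raise ValueError(f"{key} must be an integer")
    return state


def render_error_unsafe(raw):
    """Error page that echoes the offending input verbatim.

    Returns None when the state is valid; otherwise an HTML fragment that contains
    the raw value, which is the reflected-XSS condition the testers flagged.
    """
    try:
        parse_client_state(raw)
        return None
    except ValueError:
        return f"<p>Could not parse client state: {raw}</p>"


def render_error_safe(raw, log):
    """Generic error page; the raw value goes only to the server log, HTML-escaped.

    `log` is any list-like sink (constructed here in place of a real logger).
    """
    try:
        parse_client_state(raw)
        return None
    except ValueError as exc:
        log.append(f"client state rejected ({exc}): {html.escape(raw)}")
        return "<p>Could not restore control state.</p>"


if __name__ == "__main__":
    server_log = []
    print(parse_client_state(VALID_STATE))
    print(render_error_unsafe(TAMPERED_MALFORMED))
    print(render_error_safe(TAMPERED_MALFORMED, server_log))
    print(render_error_safe(TAMPERED_WELL_FORMED, server_log))
    print(server_log)
```

The second tampered sample is the one worth noting: it is valid JSON, so a parser without a type check would accept it, and the string would later be rendered wherever the control writes its width. Rejecting it at parse time and never placing the raw field in the response closes both paths regardless of which browser the user has.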
Thanks for the quick response. Talking to the testers, it appears that injecting a payload into the clientstate causes an error, the error contains the payload, and on older browsers (before IE8) this would be executed. So I don't think it would be a problem, as we check for IE9+ on the site.
I'll get someone to raise a support ticket with the details in it.