nopSolutions / nopCommerce

ASP.NET Core eCommerce software. nopCommerce is a free and open-source shopping cart.
https://www.nopcommerce.com

Prevent the Check Cross-site Scripting (XSS) vulnerability #3194

Closed AndreiMaz closed 5 years ago

AndreiMaz commented 6 years ago

Andrei has a report we have to check. Let's investigate it.

See also: https://www.nopcommerce.com/boards/t/57374/cross-site-scripting-detected-on-acunetix-scan.aspx

preachur commented 6 years ago

Is there anything I can do to help?

DmitriyKulagin commented 5 years ago

@preachur

It would not be bad if we had the opportunity to repeat all the tests that you provided. Can you explain more about the validation script you used?

preachur commented 5 years ago

I sent the .pdf's with the complete PCI test methods and results to AndreiMaz, but would prefer not to post them here publicly due to security concerns.

DmitriyKulagin commented 5 years ago

@preachur Hi,

If you have the opportunity, try to apply this code to your resource now and test again with these changes. If this solves the problem, we will add this code to the work branch.

DmitriyKulagin commented 5 years ago

Closed #3194

preachur commented 5 years ago

That didn't fix the issue. We are now failing the XSS PCI check on versions 3.6 and 4.0.

preachur commented 5 years ago

PCI scan company says:

Solution
Windows 2012 R2 Standard
Filter all data collected from the client including user-supplied content and browser content such as Referrer and User-Agent headers. Any data collected from the client and displayed in a Web page should be HTML-encoded to ensure the content is rendered as text instead of an HTML element or JavaScript.

DmitriyKulagin commented 5 years ago

@preachur

Please specify the details: Did you apply the update provided for versions 3.6 and 4.0 and the solution did not work there? Have you tried to test version 4.20?

DmitriyKulagin commented 5 years ago

@preachur We have significantly expanded the security policy. If you find any other vulnerabilities, let us know about them in this task by re-opening it. Thanks!

preachur commented 5 years ago

That fixed the issue on one site. After making those changes to web.config, our site on 3.60 now passes. The smaller site on 4.00, on the same server, still fails.

preachur commented 5 years ago

...and actually, still failing on both.

Severity: Medium
CVSS Score: 4.3
Description: XSS vulnerabilities occur when the Web application echoes user-supplied data in an HTML response sent to the Web browser. For example, a Web application might include the user's name as part of a welcome message or display a home address when confirming a shipping destination. If the user-supplied data contain characters that are interpreted as part of an HTML element instead of literal text, then an attacker can modify the HTML that is received by the victim's Web browser. The XSS payload is echoed in HTML document returned by the request. An XSS payload may consist of HTML, JavaScript or other content that will be rendered by the browser. In order to exploit this vulnerability, a malicious user would need to trick a victim into visiting the URL with the XSS payload. In this case, the scanner identified the vulnerability by injecting a payload as part of the path component of the URL, as opposed to other kinds of XSS attacks that inject the payload into URL parameter values.

preachur commented 5 years ago

Solution
Windows 2012 R2 Standard
Filter all data collected from the client including user-supplied content and browser content such as Referrer and User-Agent headers. Any data collected from the client and displayed in a Web page should be HTML-encoded to ensure the content is rendered as text instead of an HTML element or JavaScript.

preachur commented 5 years ago

Doesn't help me though, because the extended security policy should fix that, correct?

preachur commented 5 years ago

The answer they gave me: "the headers you configured for the website are being sent to the browser properly, which instructs modern browsers to protect against XSS attacks, however the website may still be vulnerable to XSS attacks if URL parameters are not sanitized."
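
The distinction the scanner draws above, between response headers that ask the browser to protect itself and actually HTML-encoding every client-controlled value at the point of output, is illustrated by the following added example. It is not nopCommerce code and not part of this issue; it is a stand-alone C# program with a constructed request (a marker string standing in for a scanner probe) that shows the unencoded rendering the report describes, the encoded rendering the report asks for, and the check the scanner effectively performs. Names such as RenderUnencoded, RenderEncoded and EchoesRawMarker are assumptions made here, not identifiers from the project.

```csharp
using System;
using System.Text.Encodings.Web;

// Added example (not nopCommerce code): reflecting client-controlled values
// into HTML with and without encoding, plus the check a scanner performs.
public static class ReflectedXssDemo
{
    // Constructed sample request. The marker stands in for a scanner probe;
    // all three values (URL path, Referer header, User-Agent header) are
    // controlled by the client, exactly as the scan report points out.
    public const string Marker = "<probe>";
    public const string Path = "/product/hat" + Marker;
    public const string Referer = "https://example.test/?from=" + Marker;
    public const string UserAgent = "Mozilla/5.0 " + Marker;

    // Vulnerable rendering: values are interpolated into the response as-is.
    // In a Razor view this is what @Html.Raw(value) or a string-built tag does.
    public static string RenderUnencoded(string path, string referer, string userAgent) =>
        $"<p>You requested {path}</p>\n" +
        $"<p>Came from <a href=\"{referer}\">{referer}</a></p>\n" +
        $"<p>Browser: {userAgent}</p>";

    // Hardened rendering: every client-supplied value passes through the HTML
    // encoder at the moment it is written into markup, which is what Razor's
    // plain @value syntax does by default. '<', '>', '&' and quotes become
    // entities, so the browser renders the value as text, not as an element.
    public static string RenderEncoded(string path, string referer, string userAgent)
    {
        var enc = HtmlEncoder.Default;
        return $"<p>You requested {enc.Encode(path)}</p>\n" +
               $"<p>Came from <a href=\"{enc.Encode(referer)}\">{enc.Encode(referer)}</a></p>\n" +
               $"<p>Browser: {enc.Encode(userAgent)}</p>";
    }

    // The scanner's test reduced to its essence: does the probe come back
    // byte-for-byte (as markup) or transformed (as text)?
    public static bool EchoesRawMarker(string html) =>
        html.IndexOf(Marker, StringComparison.Ordinal) >= 0;

    public static void Main()
    {
        var unencodedHtml = RenderUnencoded(Path, Referer, UserAgent);
        var encodedHtml = RenderEncoded(Path, Referer, UserAgent);

        Console.WriteLine("Unencoded response echoes raw marker: " + EchoesRawMarker(unencodedHtml));
        Console.WriteLine("Encoded response echoes raw marker:   " + EchoesRawMarker(encodedHtml));
        Console.WriteLine();
        Console.WriteLine(encodedHtml);
    }
}
```

Two points follow from the code. First, headers such as X-XSS-Protection or a Content-Security-Policy set in web.config never change what the server emits, so a scanner that reads the response body still finds the raw probe unless the view encodes it; that is why the policy change alone did not satisfy the check. Second, HtmlEncoder covers element text and quoted attribute values, but a value placed in an href still needs its scheme validated separately, because encoding does not stop a well-formed but hostile URL from being a valid link.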

preachur commented 5 years ago

3.6 is still passing. 4.0 is not.

AndreiMaz commented 5 years ago

@preachur Hi Mark! Fixed - https://github.com/nopSolutions/nopCommerce/commit/5d572eaf83c664d4b541e01dfb690936ccfc5f64

Could you please apply this fix and confirm that everything is good now?

preachur commented 5 years ago

It is still failing for XSS.

preachur commented 5 years ago

"XSS vulnerabilities occur when the Web application echoes user-supplied data in an HTML response sent to the Web browser. For example, a Web application might include the user's name as part of a welcome message or display a home address when confirming a shipping destination. If the user-supplied data contain characters that are interpreted as part of an HTML element instead of literal text, then an attacker can modify the HTML that is received by the victim's Web browser. The XSS payload is echoed in HTML document returned by the request. An XSS payload may consist of HTML, JavaScript or other content that will be rendered by the browser. In order to exploit this vulnerability, a malicious user would need to trick a victim into visiting the URL with the XSS payload. In this case, the scanner identified the vulnerability by injecting a payload as part of the path component of the URL, as opposed to other kinds of XSS attacks that inject the payload into URL parameter values."

preachur commented 5 years ago

That fix also caused errors on product pages:

One or more compilation failures occurred:
C:\inetpub\wwwroot\livestockshed2\Views\Product\ProductTemplate.Grouped.cshtml(19,91): error CS1061: 'IWebHelper' does not contain a definition for 'CurrentRequestProtocol' and no extension method 'CurrentRequestProtocol' accepting a first argument of type 'IWebHelper' could be found (are you missing a using directive or an assembly reference?)
C:\inetpub\wwwroot\livestockshed2\Views\Product\ProductTemplate.Grouped.cshtml(51,64): error CS0103: The name 'PublicWidgetZones' does not exist in the current context
C:\inetpub\wwwroot\livestockshed2\Views\Product\ProductTemplate.Grouped.cshtml(54,67): error CS0103: The name 'PublicWidgetZones' does not exist in the current context
C:\inetpub\wwwroot\livestockshed2\Views\Product\ProductTemplate.Grouped.cshtml(58,79): error CS0103: The name 'PublicWidgetZones' does not exist in the current context
C:\inetpub\wwwroot\livestockshed2\Views\Product\ProductTemplate.Grouped.cshtml(74,83): error CS0103: The name 'PublicWidgetZones' does not exist in the current context
C:\inetpub\wwwroot\livestockshed2\Views\Product\ProductTemplate.Grouped.cshtml(81,87): error CS0103: The name 'PublicWidgetZones' does not exist in the current context
C:\inetpub\wwwroot\livestockshed2\Views\Product\ProductTemplate.Grouped.cshtml(84,87): error CS0103: The name 'PublicWidgetZones' does not exist in the current context
C:\inetpub\wwwroot\livestockshed2\Views\Product\ProductTemplate.Grouped.cshtml(87,83): error CS0103: The name 'PublicWidgetZones' does not exist in the current context
C:\inetpub\wwwroot\livestockshed2\Views\Product\ProductTemplate.Grouped.cshtml(95,79): error CS0103: The name 'PublicWidgetZones' does not exist in the current context
C:\inetpub\wwwroot\livestockshed2\Views\Product\ProductTemplate.Grouped.cshtml(97,75): error CS0103: The name 'PublicWidgetZones' does not exist in the current context
C:\inetpub\wwwroot\livestockshed2\Views\Product\ProductTemplate.Grouped.cshtml(187,67): error CS0103: The name 'PublicWidgetZones' does not exist in the current context

preachur commented 5 years ago

(image attachment: image001, not captured)