XSS potential on sorting

Oct 10, 2013 at 12:26 PM
Our penetration tester has seen a potential XSS (cross-site scripting) vulnerability when a column is sortable.

The query string parameters are copied into the href for the title of the column to be sorted on. For example, if I add '?test=2' to the end of the URL for the page containing Grid.Mvc then the sort tag becomes '<div class="grid-header-title"><a href="?test=2&grid-column=DisplayName&grid-dir=0">Name</a></div>'.

Our pen tester says he can't exploit this, but we have the security header 'X-XSS-Protection: 1; mode=block' turned on and we weren't expecting to see this behaviour.

Is this an issue, do you think?
Coordinator
Oct 10, 2013 at 12:57 PM
Hi,

I don't see the problem, because Grid.Mvc URL-encodes the parameters when it builds the href of the sort headers, so you can't exploit this. If you pass any script in the URL it does not lead to DOM modifications; try this:
http://gridmvc.azurewebsites.net/?%22%20onclick=%22alert('q');%22
You will see that your parameter was escaped:
<a href="?&quot; onclick=%22alert(%27q%27)%3b%22&amp;grid-column=OrderCustomDate&amp;grid-dir=0">Date</a>
Oct 10, 2013 at 1:49 PM
Edited Oct 10, 2013 at 1:59 PM
Thanks for the interest in this issue.

Here's a better example that our pen tester has managed to get working:
?'><script>alert('hi')</script>=1 
The '=1' at the end is necessary. It will cause the page to fail in IE8 and Chrome 28 as they are catching the XSS attempt. Firefox 23.0.1, however, will show the alert. Odd browser versions, I know, but it's a corporate network.

Update:
I've rebuilt against Grid.Mvc 3.0.0 (was v2.3.0) and the problem isn't there. Looks like this was only in the earlier version.