XSS Vulnerability found in RowCommand function with e.CommandArgument
I'm using Checkmarx to scan a web application and I have noticed that a lot of threats are found every time I use e.CommandArgument in a RowCommand function.
Example:
Imports System.Web.Security.AntiXss

Protected Sub gvwModifySend_RowCommand(ByVal sender As Object, ByVal e As GridViewCommandEventArgs) Handles gvwModifySend.RowCommand
    Dim commandArg As String = AntiXssEncoder.HtmlEncode(e.CommandArgument, False)
    Select Case e.CommandName
        Case "Copy"
            ' code
        Case "Modify"
            ' code
        Case "OpenToModify"
            ' code
    End Select
End Sub
I have tried using the AntiXSS library like this:
Dim commandArg As String = AntiXssEncoder.HtmlEncode(e.CommandArgument, False)
But the scan keeps returning:
Method gvwModifySend_RowCommand at line 520 of ............\controls\mypage.ascx.vb gets user input from the commandargument element. This element’s value then flows through the code without being properly sanitized or validated, and is eventually used in a query to the application server’s cached data, in CopyDocument at line 1131 of ............\modifyAndSendDocs.ascx.vb. This may enable a Data Filter Injection attack.
It pretty much looks like a false positive, but I wanted to ask if you guys use something better to prevent Checkmarx or any other security tool from returning threats like this. Thank you in advance.
The reported vulnerability is not XSS, it is Data Filter Injection. You can click the ? next to the query name to get a detailed description.
The essence of it is that code you aren't showing is likely concatenating the value from e.CommandArgument to query something like the session cache, which means XSS escaping won't do anything to stop someone from providing an arbitrary value that is then used as the query criteria.
Assuming the version of SAST you're using supports the AntiXssEncoder namespace (I am looking at 9.4 at the moment, but it may be in the CxQL for previous versions), it specifically rejects HtmlEncode as a sanitizer for this particular vulnerability. You may try:
AntiXssEncoder.CssEncode
AntiXssEncoder.HtmlFormUrlEncode
AntiXssEncoder.UrlEncode
AntiXssEncoder.XmlAttributesEncode
AntiXssEncoder.XmlEncode
Using filtered from this snippet would probably work too:
Dim filtered As String = CStr(e.CommandArgument).Replace("'", "")
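An added example (not code from the question or the answer above) of what the answer is getting at: the cache lookup is hardened by validating e.CommandArgument into the type it is supposed to be before it becomes the query criterion, not by HTML-encoding it. The CopyDocument shape, the "doc:" cache key format, the integer document id and the helper name TryGetDocumentId are assumptions for illustration; the real CopyDocument is not shown on this page.

```vb
Imports System
Imports System.Globalization
Imports System.Web
Imports System.Web.Security.AntiXss
Imports System.Web.UI.WebControls

' Added example, not code from the question or the answer. The cache key
' format, the integer document id and the method names are assumptions.
Partial Public Class ModifyAndSendDocs
    Inherits System.Web.UI.UserControl

    ' Before: HtmlEncode only changes how the value renders in HTML. The string
    ' is still whatever the client posted back, so an arbitrary value reaches
    ' the cache query as the lookup criterion. This is the flow Checkmarx flags.
    Private Function CopyDocumentUnsafe(ByVal e As GridViewCommandEventArgs) As Object
        Dim commandArg As String = AntiXssEncoder.HtmlEncode(CStr(e.CommandArgument), False)
        Return HttpContext.Current.Cache("doc:" & commandArg)
    End Function

    ' After: convert the posted value into the type the key is supposed to be
    ' and refuse everything else, so only a well-formed id reaches the cache.
    Private Function CopyDocumentSafe(ByVal e As GridViewCommandEventArgs) As Object
        Dim documentId As Integer
        If Not TryGetDocumentId(e.CommandArgument, documentId) Then
            Throw New ArgumentException("Invalid document reference in CommandArgument.")
        End If
        Return HttpContext.Current.Cache("doc:" & documentId.ToString(CultureInfo.InvariantCulture))
    End Function

    ' Accepts only a plain positive decimal integer (no sign, whitespace,
    ' separators or non-ASCII digits); returns False for anything else,
    ' including Nothing and values that overflow Int32.
    Friend Shared Function TryGetDocumentId(ByVal rawArgument As Object, ByRef documentId As Integer) As Boolean
        documentId = 0
        If rawArgument Is Nothing Then Return False
        Dim text As String = Convert.ToString(rawArgument, CultureInfo.InvariantCulture)
        Return Integer.TryParse(text, NumberStyles.None, CultureInfo.InvariantCulture, documentId) _
            AndAlso documentId > 0
    End Function
End Class
```

The point of the TryParse route over stripping characters is that the lookup is keyed on a value of a known shape rather than on "any string except one character". CommandArgument travels through the postback, so the client can send whatever it likes; once the id is parsed, the remaining check a practitioner would add is that the current user is actually authorized to copy that document, which is an authorization question the type check does not answer.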