XSS Vulnerability found in RowCommand function with e.CommandArgument

.net xss checkmarx antixsslibrary

i'm using Checkmarx to scan a web application and i have noticed a lot of threats are found everytime i use e.CommandArgument in a RowCommand function. Example:

Protected Sub gvwModifySend_RowCommand(ByVal sender As Object, ByVal e As GridViewCommandEventArgs) Handles gvwModifySend.RowCommand
    Dim commandArg As String = AntiXssEncoder.HtmlEncode(e.CommandArgument, False)
    Select Case e.CommandName
        Case "Copy"
        //code
        Case "Modify"
        //code
        Case "OpenToModify"
        //code
    End Select
End Sub

I have tried using the antiXSS library like this:

Dim commandArg As String = AntiXssEncoder.HtmlEncode(e.CommandArgument, False)

But the scan keeps returning :

Method gvwModifySend_RowCommand at line 520 of ............\controls\mypage.ascx.vb gets user input from the commandargument element. This element’s value then flows through the code without being properly sanitized or validated, and is eventually used in a query to the application server’s cached data, in CopyDocument at line 1131 of ............\modifyAndSendDocs.ascx.vb. This may enable a Data Filter Injection attack.

It pretty much looks like a false positive threat but wanted to ask if you guys use something better to prevent checkmarx or any other security tool from returning threats like this. Thanks you in advance


The reported vulnerability is not XSS, it is Data Filter Injection. You can click the ? next to the query name to get a detailed description.

The essence of it is that code you aren't showing is likely concatenating the value from e.CommandArgument to query something like the session cache, which means XSS escaping won't do anything to stop someone from providing an arbitrary value that is then used as the query criteria.

The assuming the version of SAST you're using supports the AntiXssEncoder namespace (I am looking at 9.4 at the moment, but it may be in the CxQL for previous versions), it specifically ejects HtmlEncode as a sanitizer for this particular vulnerability. You may try:

  • AntiXssEncoder.CssEncode
  • AntiXssEncoder.HtmlFormUrlEncode
  • AntiXssEncoder.UrlEncode
  • AntiXssEncoder.XmlAttributesEncode
  • AntiXssEncoder.XmlEncode

Using filtered from this snippet would probably work too:

Dim filtered As String = e.CommandArgument.Replace("'", "")

Related

generate public key from pk8 file
Class vs Instance attribute in unit test
Grouping non-sorted year column values to a single column using pandas
How to set python interpreter in neovim for python language server depending on pyenv / virtualenv
flutter form validator with null safety
Windows Form Application "How do I increase the size of the button when the mouse hovers over the button?"
Display Excel Spreadsheet in WinForms, C#
How to check if property is already lazy loaded?
Nginx multiple server blocks listening to same port
How to get correct User count and Avg. Session Duration in Firebase Analytics?
Error: File to import not found or unreadable: ~bootstrap/scss/bootstrap
certbort commands return ModuleNotFoundError: No module named '_cffi_backend'