Article

Cross site scripting (XSS) vulnerability detected in OEM


Information

 
Title: Cross site scripting (XSS) vulnerability detected in OEM
URL Name: Cross-site-scripting-XSS-vulnerability-detected-in-OEM-000074192
Article Number: 000179723
Environment:
Product: OpenEdge
Version: 10.2B, 11.0 to 11.6
OS: All supported platforms
Other: OpenEdge Management, OpenEdge Explorer
Question/Problem Description
Cross site scripting (XSS) vulnerability detected in OEM when doing penetration testing.
 
Steps to Reproduce
Clarifying Information
Discovered during penetration (PEN) testing.

XSS attacks are essentially code injection attacks against the various language interpreters contained within the browser. XSS can be executed via HTML, JavaScript, VBScript, ActiveX; essentially any scripting language a browser is capable of processing. 

XSS vulnerabilities are created when a website does not properly sanitize, escape, or encode user input. For example, "&lt;" is the HTML encoding for the "<" character. If the encoding is performed, the browser renders the injected text as data rather than as markup, so the script code will not execute.

There are 3 parties involved in an XSS attack: the attacker, the trusted and vulnerable website, and the victim. An attacker will take advantage of a vulnerable website that does not properly validate user input by inserting malicious code into any data entry field.
Error Message
Defect Number: Enhancement PSC00350928
Enhancement Number:
Cause
General Web Application development best practices had not been observed through the history of OEM/OEE development.
Resolution
The XSS vulnerability has been addressed in OpenEdge 11.7. The fix involved months of work and thousands of changes that cannot be back-ported to earlier versions.

The OpenEdge 11.7 web security changes covered the following areas:

1.    Shiro was upgraded to version 1.3.2. This upgrade was done specifically to address an issue with the session id appearing in the URL during login. This is not an XSS issue, but rather a session fixation issue. Refer to Article :

2.    Multiple reflected cross-site scripting (XSS) issues, unrelated to the Shiro upgrade, were fixed by applying general web application development best practices. A tool called OWASP ZAP, as well as other penetration testing tools, was used to verify the XSS issues.

3.   A Content Security Policy (CSP) was introduced so that the browser blocks external content and unsafe inline scripts.
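The two defences named above, output encoding (as in the "&lt;" example) and a Content Security Policy, shown as an added illustration that is not OpenEdge Management code. The search page, its query parameter and the CSP directives are assumed for the example.

```python
import html
import secrets


def vulnerable_page(query: str) -> str:
    """Constructed 'before' state: the query is reflected into HTML unencoded,
    so a browser would interpret any tags it contains as markup."""
    return f"<h1>Results for: {query}</h1>"


def html_encode(text: str) -> str:
    """Encode the characters that matter in an HTML text context.
    '<' becomes '&lt;', '>' becomes '&gt;', '&' and both quote characters
    are encoded too, so the browser renders the value as text, not a tag."""
    return html.escape(text, quote=True)


def hardened_page(query: str):
    """'After' state: encoded reflection plus a Content-Security-Policy header.
    The per-response nonce allows the page's own script to run while the browser
    refuses inline scripts without the nonce and scripts from other origins.
    Returns (headers, body)."""
    nonce = secrets.token_urlsafe(16)
    csp = (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'self'"
    )
    headers = {
        "Content-Security-Policy": csp,
        "X-Content-Type-Options": "nosniff",
    }
    body = (
        f"<h1>Results for: {html_encode(query)}</h1>\n"
        f'<script nonce="{nonce}">console.log("page script allowed");</script>'
    )
    return headers, body


def payload_reflected_raw(body: str, payload: str) -> bool:
    """Check a tester might script against a response: did the submitted
    payload survive into the page byte-for-byte (i.e. without encoding)?"""
    return payload in body


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"  # constructed test input
    print("vulnerable reflects raw:", payload_reflected_raw(vulnerable_page(probe), probe))
    hdrs, page = hardened_page(probe)
    print("hardened reflects raw:", payload_reflected_raw(page, probe))
    print(hdrs["Content-Security-Policy"])
```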

Use SSL: disable HTTP and switch to HTTPS with a valid certificate.

For further information refer to Article:
 
Workaround
Notes
Last Modified Date11/20/2020 7:12 AM