
I'm using Checkmarx to scan a web application and I have noticed a lot of threats are found every time I use e.CommandArgument in a RowCommand function. Example:

' These Imports belong at the top of the code-behind file
Imports System.Web.Security.AntiXss
Imports System.Web.UI.WebControls

Protected Sub gvwModifySend_RowCommand(ByVal sender As Object, ByVal e As GridViewCommandEventArgs) Handles gvwModifySend.RowCommand
    ' e.CommandArgument is typed as Object; CStr makes the conversion explicit
    Dim commandArg As String = AntiXssEncoder.HtmlEncode(CStr(e.CommandArgument), False)
    Select Case e.CommandName
        Case "Copy"
            ' code
        Case "Modify"
            ' code
        Case "OpenToModify"
            ' code
    End Select
End Sub

I have tried using the antiXSS library like this:

Dim commandArg As String = AntiXssEncoder.HtmlEncode(CStr(e.CommandArgument), False)

But the scan keeps returning:

Method gvwModifySend_RowCommand at line 520 of ............\controls\mypage.ascx.vb gets user input from the commandargument element. This element’s value then flows through the code without being properly sanitized or validated, and is eventually used in a query to the application server’s cached data, in CopyDocument at line 1131 of ............\modifyAndSendDocs.ascx.vb. This may enable a Data Filter Injection attack.

It pretty much looks like a false positive threat, but I wanted to ask if you guys use something better to prevent Checkmarx or any other security tool from returning threats like this. Thank you in advance.

Arn.adg

1 Answer

The reported vulnerability is not XSS, it is Data Filter Injection. You can click the ? next to the query name to get a detailed description.

The essence of it is that code you aren't showing is likely concatenating the value from e.CommandArgument to query something like the session cache, which means XSS escaping won't do anything to stop someone from providing an arbitrary value that is then used as the query criteria.

Assuming the version of SAST you're using supports the AntiXssEncoder namespace (I am looking at 9.4 at the moment, but it may be in the CxQL for previous versions), it specifically rejects HtmlEncode as a sanitizer for this particular vulnerability. You may try:

  • AntiXssEncoder.CssEncode
  • AntiXssEncoder.HtmlFormUrlEncode
  • AntiXssEncoder.UrlEncode
  • AntiXssEncoder.XmlAttributesEncode
  • AntiXssEncoder.XmlEncode

Using filtered from this snippet would probably work too:

' CStr because e.CommandArgument is an Object; strips the single quote used as a string delimiter in filter expressions
Dim filtered As String = CStr(e.CommandArgument).Replace("'", "")

NathanL
  • Thank you for your answer. I'm gonna try one of the methods you have mentioned and let you know if it works. Can you just explain a bit more why that .Replace would work? I don't get it – Arn.adg Jan 20 '22 at 19:35
  • It probably works as a sanitizer but probably not good as a real fix. The idea is that you sanitize the string by replacing characters that would be used for injection. A single quote for session cache lookup may do nothing in some cases, but work in others. The sink code isn't in the question so it is hard to give a full explanation without the full data flow for context. – NathanL Jan 20 '22 at 20:29
  • I tried HtmlFormUrlEncode and it worked, thank you. Since you seem to know a lot about Checkmarx and vulnerabilities, I want to ask you something else. I did face some Path Traversal vulnerabilities and I tried to fix that by replacing the directory separator char, but the warning is still displayed in the scan after calling the following piece of code: public static string NormalizePath(string path) { return Path.GetFullPath(new Uri(path).LocalPath).TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar).ToUpperInvariant(); } – Arn.adg Jan 20 '22 at 21:07
  • I suggest looking at this answer: https://stackoverflow.com/a/65695963/14795243 – NathanL Jan 21 '22 at 17:41
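To make the answer's point concrete, here is an added example (not code from the question, the answer, or Checkmarx) showing the difference between the flow the scanner complains about and a fix that validates the value instead of encoding it. It assumes the unseen sink is a DataTable filter expression built from CommandArgument, which is the kind of "cached data" query this scanner category is about; the DataTable, its rows, and the function names are all constructed for the example.

```vbnet
' Added example, not code from the question or the answer. Assumes the reported
' sink is a DataTable filter expression built from CommandArgument; the cache
' contents and function names below are constructed for illustration.
Imports System
Imports System.Data
Imports System.Globalization

Public Module DataFilterInjectionDemo

    ' Constructed stand-in for the application's cached document list.
    Public Function BuildCache() As DataTable
        Dim docs As New DataTable("Documents")
        docs.Columns.Add("DocId", GetType(Integer))
        docs.Columns.Add("Owner", GetType(String))
        docs.Rows.Add(1, "alice")
        docs.Rows.Add(2, "bob")
        docs.Rows.Add(3, "alice")
        Return docs
    End Function

    ' VULNERABLE: the raw argument becomes part of the filter expression, so a
    ' value that contains filter syntax (for example "2 OR 1 = 1") is parsed as
    ' part of the query and matches every row. HTML encoding targets browser
    ' output, not this expression grammar, which is why the scanner does not
    ' accept HtmlEncode as a sanitizer here.
    Public Function SelectUnsafe(cache As DataTable, commandArg As String) As DataRow()
        Dim filter As String = "DocId = " & commandArg
        Return cache.Select(filter)
    End Function

    ' HARDENED: validate the argument as the type it is supposed to be (a plain
    ' integer document id) before it gets near the filter. Anything else is
    ' rejected rather than "cleaned", so no filter syntax can reach the query.
    Public Function SelectSafe(cache As DataTable, commandArg As String) As DataRow()
        Dim id As Integer
        If Not Integer.TryParse(commandArg, NumberStyles.None, CultureInfo.InvariantCulture, id) Then
            Throw New ArgumentException("CommandArgument must be a plain integer document id")
        End If
        Dim filter As String = "DocId = " & id.ToString(CultureInfo.InvariantCulture)
        Return cache.Select(filter)
    End Function

    Sub Main()
        Dim cache As DataTable = BuildCache()
        ' A legitimate argument behaves the same way in both versions.
        Console.WriteLine("unsafe, '2': {0} row(s)", SelectUnsafe(cache, "2").Length)
        Console.WriteLine("safe,   '2': {0} row(s)", SelectSafe(cache, "2").Length)
        ' An argument carrying filter syntax widens the unsafe query; the safe one refuses it.
        Console.WriteLine("unsafe, '2 OR 1 = 1': {0} row(s)", SelectUnsafe(cache, "2 OR 1 = 1").Length)
        Try
            SelectSafe(cache, "2 OR 1 = 1")
        Catch ex As ArgumentException
            Console.WriteLine("safe,   '2 OR 1 = 1': rejected ({0})", ex.Message)
        End Try
    End Sub

End Module
```

The Replace("'", "") from the answer removes one metacharacter, which satisfies the scanner's sanitizer list, but for a numeric column the expression grammar does not need a quote at all, so keywords such as OR still get through. Checking the value against the shape it is supposed to have (an integer key, or a value from a fixed allow list) closes the whole class of inputs rather than one character, and it also tells the scanner that the flow is validated rather than merely encoded.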