
WAS Scan report - XSS vulnerability Issue

Question asked by K C on Apr 25, 2017
Latest reply on Apr 26, 2017 by Dave Ferguson

Hi All,


We are using the QualysGuard vulnerability tool (WAS Scan) to scan our site. In the WAS Scan report provided by this tool after the scan, we found XSS-related issues in our site as below.


XSS issue shown for the below API call with parameters in our site:

https://domain/ DesktopModules /Module/API/XYZ/Method?><script>_q_q=%27)(%27</script


So, to fix / identify the cause behind this issue, we went through this API call and its responses. We found that:


In the Fiddler trace, we are getting an HTML-encoded response as below after the above API call:

  <Error><Message>No HTTP resource was found that matches the request URI https://domain/DesktopModules/Module/API/XYZ/Method?&gt;&lt;script&gt;_q_q=')('&lt;/script&gt;'.</Message></Error>


In the browser web page, we are getting the response HTML-decoded, as in the screenshot below, after the above API call.



In the browser page source, we are getting the response HTML-encoded, as in the screenshot below, after the above API call.




So, for a single API call, the Fiddler trace and the browser page source show the response HTML-encoded, but in the browser web page the HTML is decoded.


So, we contacted the technical support team of the content management system which we are using as the base for our site. Considering the above details / response, they say that the browser might show you something different for readability reasons, but as Fiddler and the browser page source show the response as HTML-encoded, this is not a case of an XSS issue.


Because of this, we are finding it difficult to fix this XSS issue.


Could you please provide us with more details on the query below? It will help us fix these issues:

As the QualysGuard tool (WAS Scan) is reporting this as an XSS issue, while Fiddler and the page source show the data HTML-encoded, how can we identify this issue as an XSS issue? We want to know whether the QualysGuard tool (WAS Scan) is considering the HTML data rendered by the browser or the HTML data from the actual response (which we traced in Fiddler / the page source).


Could you please provide direction on the above issue as early as possible?


Thanks & Regards,
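The question turns on one distinction: what the server actually sent (the raw bytes seen in Fiddler and in the page source) versus what the browser displays after decoding entities for readability. The following is an added triage helper, not code from the question or from Qualys, that makes that distinction explicit. It takes the raw error body quoted in the question as sample input, plus a constructed variant (not from the question) in which the same server reflects the marker without encoding, and classifies each. The marker string and `https://domain/...` URL are the ones shown in the question; everything else is assumed.

```python
import html
import re

# Marker string the scanner reflected back (taken from the URL in the question).
PAYLOAD = "><script>_q_q=')('</script"

# Raw response body as quoted from the question's Fiddler trace (sample input).
RAW_RESPONSE = (
    "<Error><Message>No HTTP resource was found that matches the request URI "
    "https://domain/DesktopModules/Module/API/XYZ/Method?&gt;&lt;script&gt;"
    "_q_q=')('&lt;/script&gt;'.</Message></Error>"
)

# Constructed counter-example (not from the question): the same message, but the
# server echoed the marker verbatim instead of entity-encoding it.
UNSAFE_RESPONSE = (
    "<Error><Message>No HTTP resource was found that matches the request URI "
    "https://domain/DesktopModules/Module/API/XYZ/Method?" + PAYLOAD + "'.</Message></Error>"
)


def classify_reflection(raw_body: str, payload: str) -> str:
    """Classify how a reflected marker appears in the raw HTTP body.

    Returns one of:
      "not_reflected" - the marker is absent, raw or encoded
      "encoded"       - present only as HTML entities (&lt; &gt; ...); the browser
                        displays it as text and does not parse it as markup
      "raw"           - present verbatim; treat as a finding that needs review
    The check is done on the raw body, i.e. what Fiddler / page source show, never on
    the browser's decoded rendering.
    """
    if payload in raw_body:
        return "raw"
    if payload in html.unescape(raw_body):
        return "encoded"
    return "not_reflected"


def rendered_text(raw_body: str) -> str:
    """Approximate what a browser *displays* for the body: strip the real markup
    and decode entities. This mirrors the 'HTML decoded' view described in the
    question and explains why the web page shows <script> as visible text."""
    without_tags = re.sub(r"<[^>]+>", "", raw_body)
    return html.unescape(without_tags)


if __name__ == "__main__":
    for label, body in (("fiddler body", RAW_RESPONSE), ("constructed unsafe body", UNSAFE_RESPONSE)):
        print(f"{label}: {classify_reflection(body, PAYLOAD)}")
    print("displayed text:", rendered_text(RAW_RESPONSE))
```

Run against the body from the question, the classifier returns `encoded`: the marker only exists as `&gt;&lt;script&gt;`, which the browser decodes for display but does not execute. The constructed variant returns `raw`, which is the case that warrants a fix. A `raw` result is the starting point for review rather than proof of exploitability, since the response's `Content-Type` and the context the reflection lands in still matter; an `encoded` result on the raw body is the evidence to attach when marking the scanner finding as a false positive.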