Control Compliance Suite


How XSS Vulnerabilities are checked by Symantec Control Compliance Suite Vulnerability Manager?

  • 1.  How XSS Vulnerabilities are checked by Symantec Control Compliance Suite Vulnerability Manager?

    Posted Oct 17, 2011 06:15 AM

    Hi,

    Can Symantec Control Compliance Suite Vulnerability Manager check whether the fields under attack are request scoped or session scoped before reporting such fields as problematic fields?

    Based on my understanding, XSS can be injected into URLs and input parameters (such as text boxes/hidden fields) on the forms. XSS attacks are harmful if they affect some other user's session. If the XSS characters can be injected only into the current user's session, do we need to worry about safeguarding the application in such scenarios? For example:

    1. I have a few request scoped hidden fields in my form. An attacker can use some tool and change the data in those hidden fields. If those fields do not hold any sensitive information and changing them doesn't impact my business functionality, do I need to take care of revalidating the data on the server side?

    2. Some of the hidden fields contain forward/error URLs which the application uses to decide what page to render next. All these fields are again request scoped. In case someone changes those URLs, they will affect only the current user's session. If the application is secured so as not to allow session hijacking, do I need to worry about the attacks which can be caused by changing the destination URLs in hidden parameters?

    Thanks & Regards

    Rupali



  • 2.  RE: How XSS Vulnerabilities are checked by Symantec Control Compliance Suite Vulnerability Manager?

    Posted Nov 10, 2011 10:29 AM

    1- Yes, any form data, hidden or not, should be validated.

    2- The user may receive by mail a malicious URL pointing to your application, with bad parameters, and if the user is already logged in to your application when he clicks on the URL, something bad may be injected into your app.
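The two points in the reply above, shown as an added example that is not code from the thread or from the Symantec product: the hidden forward/error URL field from the question is validated on the server against a constructed allowlist of application paths (rejecting absolute, protocol-relative and scheme-carrying values a mailed link could carry), and any parameter reflected into the response is HTML-escaped first. The function names and the allowlist are assumptions made for the example.

```python
# Added example (not from the original thread): server-side handling of a
# request-scoped hidden "forwardUrl" field. Request scope does not make the
# field trustworthy, because a crafted link mailed to a logged-in user puts the
# attacker's value into that user's own request (reply 2 above).
from html import escape
from typing import Optional
from urllib.parse import urlsplit, unquote

# Constructed allowlist of pages the application is allowed to forward to.
ALLOWED_FORWARD_PATHS = {"/home", "/orders", "/error"}


def validate_forward_url(value: str) -> Optional[str]:
    """Return a safe application path, or None if the hidden field was tampered with."""
    if not value:
        return None
    candidate = unquote(value).strip()
    parts = urlsplit(candidate)
    # Anything with a scheme or host ("https://evil", "//evil", "javascript:...") is rejected.
    if parts.scheme or parts.netloc or candidate.startswith("//"):
        return None
    # Control characters and backslashes (which some browsers normalise to "/") are rejected.
    if any(ord(c) < 0x20 for c in candidate) or "\\" in candidate:
        return None
    # Only the path is compared; any query/fragment the client appended is dropped.
    return parts.path if parts.path in ALLOWED_FORWARD_PATHS else None


def render_error_page(message: str) -> str:
    """Reflect a request parameter into HTML only after escaping it."""
    return "<p>Error: " + escape(message, quote=True) + "</p>"


def handle_submit(form: dict) -> dict:
    """Decide the next page for a (constructed) form submission."""
    target = validate_forward_url(form.get("forwardUrl", ""))
    if target is None:
        # Fall back to a fixed server-side default rather than trusting the field.
        return {"next": "/error", "body": render_error_page(form.get("msg", "invalid request"))}
    return {"next": target, "body": ""}
```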