Hi,
Can Symantec Control Compliance Suite Vulnerability Manager check whether the fields under attack are request-scoped or session-scoped before reporting such fields as problematic?
Based on my understanding, XSS can be injected into URLs and into input parameters (such as text boxes/hidden fields) on forms. XSS attacks are harmful if they affect some other user's session. If the XSS characters can be injected only into the current user's session, do we need to worry about safeguarding the application in such scenarios? For example:
1. I have a few request-scoped hidden fields in my form. An attacker can use some tool and change the data in those hidden fields. If those fields do not hold any sensitive information and changing them doesn't impact my business functionality, do I need to take care of revalidating the data on the server side?
2. Some of the hidden fields contain forward/error URLs which the application uses to decide what page to render next. All these fields are again request-scoped. In case someone changes those URLs, they will affect only the current user's session. If the application is secured so as not to allow session hijacking, do I need to worry about the attacks which can be caused by changing the destination URLs in hidden parameters?
Thanks & Regards
Rupali
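Added example, not part of Rupali's post and not code from any Symantec product: a server-side check for scenario 2 above, showing how a request-scoped hidden forward/error URL is revalidated against an allowlist and attribute-encoded when reflected, since the scope of the field does not change that the value arrived from the client. The field name, allowed destinations and sample values are assumptions.

```python
# Added example (not from the original post): server-side revalidation of a
# request-scoped hidden "forwardUrl" field. Field name, allowlist and sample
# values are constructed for illustration.
from html import escape
from urllib.parse import urlsplit

# Application-internal pages a hidden forward/error field is allowed to name.
ALLOWED_FORWARDS = {"/account/summary", "/account/edit", "/error"}
DEFAULT_FORWARD = "/account/summary"


def resolve_forward(value: str) -> str:
    """Return a safe next page for a client-supplied forward URL.

    Only a relative path that is on the allowlist is accepted. Absolute URLs,
    protocol-relative '//host' URLs, non-http schemes such as javascript:,
    path traversal and unknown paths all fall back to the default page.
    Whether the field is request- or session-scoped is irrelevant here:
    the value came from the client and is re-checked on every request.
    """
    parts = urlsplit(value or "")
    if parts.scheme or parts.netloc:          # absolute or //host -> off-site
        return DEFAULT_FORWARD
    path = parts.path                         # query string is deliberately dropped
    if not path.startswith("/") or "/../" in path + "/" or "\\" in path:
        return DEFAULT_FORWARD
    return path if path in ALLOWED_FORWARDS else DEFAULT_FORWARD


def render_hidden(name: str, value: str) -> str:
    """Reflect a value back into a hidden input with attribute encoding,
    so a value such as '"><script>' cannot break out of the attribute."""
    return '<input type="hidden" name="%s" value="%s">' % (
        escape(name, quote=True), escape(value, quote=True))


def handle_request(form: dict) -> dict:
    """Constructed request handler: trusts nothing in the hidden fields."""
    next_page = resolve_forward(form.get("forwardUrl", ""))
    return {"next": next_page, "html": render_hidden("forwardUrl", next_page)}


if __name__ == "__main__":
    for sample in ["/account/edit", "//evil.example/phish", "javascript:alert(1)",
                   "/error/../account/edit", '"><script>']:
        print(repr(sample), "->", resolve_forward(sample))
```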