Forum Discussion
hatim1
Nimbostratus
NimbostratusXSS scripting / false positive
Hi all,
My ASM xss script tag (paramter) signature is falsely triggered due to the following value of a couple of parameters:
initfunc(true,false,'Mandatory Field','Value cannot exceed 9,999,999.99.','ScriptHost.Return(this.Value <= 9999999.99)','','',true,'Numeric Field',1,true,',','$',2,'.').
My question, is there a way for the web developers to avoid having such function explicitly detailed at the browser's level?
I can always disable the signature for such parameters but I would rather have the web developers change their code.
Thanks for your help
Hatim
- Hi,
It is probably possible to ask the web developers to change the code, however we can also try to help you with better configuration of that parameter on ASM, it may be very possible to reduce the risk of XSS condition to minimum with setting a few limits on the parameter itself, like length and allowed metachars or even a regexp that will describe the allowed value
Can you send us a few examples of the valid values to this parameter? 
hatim1Hi,
Thanks for the quick response.
Actually all the 13 parameters being triggered by this signature have the same value provided in this thread!
It seems to be the only value used by the web developers.
Also, any idea on how the developers would adapt their code to minimize the risk of exposure would be greatly appreciated.
Thanks
