DevExpress ASPx Controls XSS Vulnerability and SQL Injection False Positive Analysis

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Tool: WAS Messages: - A test payload generated a syntax error within the Web Application. This often indicates a problem with input validation routines or the absence of filters on user-supplied content. - The test successfully embedded a script in the response as part of existing JavaScript content. When the original script is executed, the injected script will also run. This confirms that the application is vulnerable to Cross-Site Scripting (XSS) attacks. - A malicious user may be able to cause a denial of service, trigger serious errors, or exploit the system, depending on the error encountered by the Web Application. Affected Controls ASPxGridView - Hidden inputs with names ending in "DXSelInput", "DXKVInput", "CallbackState", "DXFocusedRowInput" prior to version 15.1; and names ending with "State" suffix in newer versions. ASPxPopupControl - Hidden input with names ending in "WS" suffix prior to version 15.1; and "State" suffix in newer versions. ASPxTabControl / ASPxPageControl - Hidden input with names ending in "ATI" suffix prior to version 15.1; and "State" suffix in newer versions. CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Tool: OWASP ZAP Affected Scope: - DXScript / DXCss (Request Parameters) Resolution: This parameter (DXR.axd) is part of the URL processed by the DevExpress Resource Handler when retrieving resources (scripts, styles, and images) from DevExpress assemblies. The resource handler verifies whether the resource key specified via the URL postfix is valid and exists. It is NOT related to any database connection logic, and there are NO potential vulnerability issues when manipulating this parameter outside of our code. CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) Affected Scope: DevExpress.Web.ASPxPivotGrid.vX.Y.dll Resolution: Inputs are posted to elements whose names may appear dangerous based on underlying scanner signatures. However, posting potentially dangerous XSS content into these inputs cannot be executed on the client side, as raw input values are validated on the server side. Theoretically, it is only possible to corrupt the state of DevExpress ASP.NET controls between requests.

Goal Reached Thanks to every supporter — we hit 100%!

DevExpress ASPx Controls XSS Vulnerability and SQL Injection False Positive Analysis