CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Tool: WAS

Messages:
- A test payload generated a syntax error within the Web Application. This often points to a problem with input validation routines or a lack of filters on user-supplied content.
- The test successfully embedded a script in the response as part of existing JavaScript content. When the original script is executed, the injected script is executed as well. This means that the application is vulnerable to Cross-Site Scripting attacks.
- A malicious user may be able to cause a denial of service, a serious error, or an exploit, depending on the error encountered by the Web Application.

Affected Controls:
- ASPxGridView: hidden inputs with names ending in "DXSelInput", "DXKVInput", "CallbackState", or "DXFocusedRowInput" prior to version 15.1, and in "State" for newer versions.
- ASPxPopupControl: a hidden input with a name ending in "WS" prior to version 15.1, and in "State" for newer versions.
- ASPxTabControl / ASPxPageControl: a hidden input with a name ending in "ATI" prior to version 15.1, and in "State" for newer versions.

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Tool: OWASP ZAP

Affected Scope:
- DXScript / DXCss (request parameters)

Resolution: These parameters belong to the URLs handled by the DevExpress resource handler (DXR.axd), which retrieves resources (scripts, styles, and images) from DevExpress assemblies. The handler checks that the resource key specified in the URL postfix is valid and exists. It is not related to any database connection logic, so manipulating these parameters does not create a vulnerability outside our code.
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Affected Scope: DevExpress.Web.ASPxPivotGrid.vX.Y.dll

Resolution: The scanner posts to input elements whose names look dangerous according to its signatures. A potentially dangerous XSS payload posted to these inputs cannot be executed on the client side, because the raw input values are validated on the server side. At most, it is theoretically possible to corrupt the state of the DevExpress ASP.NET controls between requests.
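The CWE-79 and CWE-80 findings above turn on a single question: does the posted payload reach the response unencoded in an executable context, or only HTML-encoded inside a control's hidden state input? The following Python triage helper is an added example, not part of this page or of DevExpress's code. It classifies the reflection context of a scanner payload in a captured response body and, combined with the hidden-input name suffixes listed above, marks a finding as a likely false positive or as one to confirm manually. The three sample responses are constructed for the example; the suffix list is taken from this page, and because suffixes such as "WS" and "State" can also match unrelated inputs, the name check is deliberately coarse and the reflection context is the deciding factor.

```python
import html
import re

# Name suffixes of DevExpress hidden state inputs listed on this page
# (pre-15.1 suffixes plus "State" for newer versions). The match is coarse:
# "WS" and "State" can also hit unrelated inputs, so the reflection context
# computed below decides the verdict, not the name alone.
STATE_INPUT_SUFFIXES = (
    "DXSelInput", "DXKVInput", "CallbackState", "DXFocusedRowInput",  # ASPxGridView
    "WS",     # ASPxPopupControl
    "ATI",    # ASPxTabControl / ASPxPageControl
    "State",  # all of the above, 15.1 and later
)

# Classic payload for a JavaScript string context: closes the quote,
# runs code, and comments out the rest of the statement.
PAYLOAD = "';alert(1);//"

# Constructed sample responses (not captured from any real application).
# 1) Payload reflected unencoded inside a <script> block: a real reflected XSS.
RAW_IN_SCRIPT = """<html><body>
<script type="text/javascript">
var filter = '';alert(1);//';
</script>
</body></html>"""

# 2) Payload round-tripped into a hidden state input, HTML-encoded: the
#    pattern behind the false positives described on this page.
ENCODED_IN_STATE = """<html><body>
<form method="post">
<input type="hidden" name="ctl00$grid$DXSelInput" id="grid_DXSelInput" value="&#39;;alert(1);//" />
</form>
<script type="text/javascript">
var el = document.getElementById('grid_DXSelInput');
</script>
</body></html>"""

# 3) Payload not reflected at all.
NO_REFLECTION = """<html><body><p>Filter applied.</p></body></html>"""

_SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


def classify_reflection(body: str, payload: str) -> str:
    """Report how `payload` appears in the response `body`.

    'raw-in-script'  unencoded inside a <script> block (executable context)
    'raw-in-html'    unencoded elsewhere in the markup
    'encoded'        only recoverable after HTML-decoding (output was escaped)
    'absent'         not reflected at all
    """
    if any(payload in block for block in _SCRIPT_RE.findall(body)):
        return "raw-in-script"
    if payload in body:
        return "raw-in-html"
    if payload in html.unescape(body):
        return "encoded"
    return "absent"


def is_state_input(param_name: str) -> bool:
    """True if the posted parameter name ends with a DevExpress state-input suffix."""
    return param_name.endswith(STATE_INPUT_SUFFIXES)


def triage(param_name: str, body: str, payload: str) -> str:
    """Combine the reflection context with the parameter name into a verdict."""
    context = classify_reflection(body, payload)
    if context in ("raw-in-script", "raw-in-html"):
        # Unencoded reflection is never a false positive: confirm and fix.
        return "confirm manually"
    if is_state_input(param_name):
        # Encoded or absent reflection into a control state input: the
        # scanner signature fired on the input name, not on exploitable output.
        return "likely false positive"
    return "encoded or not reflected; review the input's purpose"


if __name__ == "__main__":
    cases = [
        ("ctl00$grid$DXSelInput", RAW_IN_SCRIPT),
        ("ctl00$grid$DXSelInput", ENCODED_IN_STATE),
        ("ctl00$grid$DXSelInput", NO_REFLECTION),
        ("ctl00$search", ENCODED_IN_STATE),
    ]
    for name, body in cases:
        print(f"{name:24} {classify_reflection(body, PAYLOAD):14} -> {triage(name, body, PAYLOAD)}")
```

Feed `triage` the parameter name from the scanner report and the body of the response the scanner flagged; only an unencoded reflection warrants escalation, and a raw hit inside a script block is the case the WAS message "embedded a script in the response as part of existing JavaScript content" actually describes.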