Hello all,
Firstly, thank you for taking the time to read this question. It's a problem that has been driving me crazy for some time.
Can anyone tell me why the following form post causes an XSS issue?
<html xmlns:java="http://xml.apache.org/xslt/java">
<head>
<META http-equiv="Content-Type" content="text/html; charset=UTF-8">
<script language="javascript">function submitForm()
{
document.forms["formAribaPoomResponse"].submit();
}</script>
</head>
<body onload="javascript:submitForm()">
<FORM id="formAribaPoomResponse" METHOD="POST" ACTION="http://training.removedeu.nmcorp.removed.biz/removed-UAT/DisplayModules/TradeModules/Procurement/Create Order/BuildRequisition.aspx?Type=opex&SessionID=97479551-2a25-4aa5-a2b9-ae25bd9e6aba&UsersName=removed&ApplicationInstanceID=38569c4f-dcfa-4d1b-b391-e0c93949e639&Culture=en-GB&BrandingPath=Default&ControlToLoad=punchout&supplierName=&SupplierID=44fcd865-4ff4-4dcb-900c-ab57fe6075e7">
<INPUT TYPE="HIDDEN" NAME="cxml-urlencoded" VALUE="<?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?><!DOCTYPE cXML SYSTEM &quot;http://xml.cxml.org/schemas/cXML/1.2.008/cXML.dtd&quot;><cXML
xml:lang=&quot;en-US&quot; timestamp=&quot;10/14/2015 10:38:27 AM&quot; payloadID=&quot;20722480-151f-491b-ab91-f86a896712b5&quot;>
<Header>
<From>
<Credential domain=&quot;DUNS&quot;>
<Identity>removed</Identity>
</Credential>
</From>
<To>
<Credential domain=&quot;DUNS&quot;>
<Identity>removed</Identity>
</Credential>
</To>
<Sender>
<Credential domain=&quot;DUNS&quot;>
<Identity>removed</Identity>
</Credential>
<UserAgent>removed</UserAgent>
</Sender>
</Header>
<Message>
<PunchOutOrderMessage>
<BuyerCookie>1AK40Y9SC4P6W</BuyerCookie>
<PunchOutOrderMessageHeader operationAllowed=&quot;edit&quot;>
<Total>
<Money currency=&quot;EUR&quot;>1,955.94</Money>
</Total>
<ShipTo>
<Address>
<Name xml:lang=&quot;en&quot;>BARCLAYS:default</Name>
<PostalAddress><DeliverTo>ATTN: </DeliverTo><Street>Please enter your address</Street><City/><State/><PostalCode/><Country
isoCountryCode=&quot;GBR&quot;>UNITED KINGDOM</Country></PostalAddress>
</Address>
</ShipTo>
<Shipping>
<Money currency=&quot;EUR&quot;/>
<Description xml:lang=&quot;en&quot;/>
</Shipping>
</PunchOutOrderMessageHeader>
<ItemIn quantity=&quot;2&quot;>
<ItemID>
<SupplierPartID>NGB141S</SupplierPartID>
<SupplierPartAuxiliaryID>BrandAd</SupplierPartAuxiliaryID>
</ItemID>
<ItemDetail>
<UnitPrice>
<Money currency=&quot;EUR&quot;>46.67</Money>
</UnitPrice>
<Description xml:lang=&quot;en&quot;>
product
</Description>
<UnitOfMeasure>EA</UnitOfMeasure>
<Classification domain=&quot;UNSPSC&quot;>80141605</Classification>
</ItemDetail>
</ItemIn>
<ItemIn quantity=&quot;2&quot;>
<ItemID>
<SupplierPartID>NGB141M</SupplierPartID>
<SupplierPartAuxiliaryID>BrandAd</SupplierPartAuxiliaryID>
</ItemID>
<ItemDetail>
<UnitPrice>
<Money currency=&quot;EUR&quot;>46.67</Money>
</UnitPrice>
<Description xml:lang=&quot;en&quot;>
product
</Description>
<UnitOfMeasure>EA</UnitOfMeasure>
<Classification domain=&quot;UNSPSC&quot;>80141605</Classification>
</ItemDetail>
</ItemIn>
<ItemIn quantity=&quot;2&quot;>
<ItemID>
<SupplierPartID>NGB141L</SupplierPartID>
<SupplierPartAuxiliaryID>BrandAd</SupplierPartAuxiliaryID>
</ItemID>
<ItemDetail>
<UnitPrice>
<Money currency=&quot;EUR&quot;>46.67</Money>
</UnitPrice>
<Description xml:lang=&quot;en&quot;>
product
</Description>
<UnitOfMeasure>EA</UnitOfMeasure>
<Classification domain=&quot;UNSPSC&quot;>80141605</Classification>
</ItemDetail>
</ItemIn>
<ItemIn quantity=&quot;2&quot;>
<ItemID>
<SupplierPartID>NGB141XL</SupplierPartID>
<SupplierPartAuxiliaryID>BrandAd</SupplierPartAuxiliaryID>
</ItemID>
<ItemDetail>
<UnitPrice>
<Money currency=&quot;EUR&quot;>46.67</Money>
</UnitPrice>
<Description xml:lang=&quot;en&quot;>
product
</Description>
<UnitOfMeasure>EA</UnitOfMeasure>
<Classification domain=&quot;UNSPSC&quot;>80141605</Classification>
</ItemDetail>
</ItemIn>
<ItemIn quantity=&quot;2&quot;>
<ItemID>
<SupplierPartID>NGB141XXL</SupplierPartID>
<SupplierPartAuxiliaryID>BrandAd</SupplierPartAuxiliaryID>
</ItemID>
<ItemDetail>
<UnitPrice>
<Money currency=&quot;EUR&quot;>46.67</Money>
</UnitPrice>
<Description xml:lang=&quot;en&quot;>
product
</Description>
<UnitOfMeasure>EA</UnitOfMeasure>
<Classification domain=&quot;UNSPSC&quot;>80141605</Classification>
</ItemDetail>
</ItemIn>
<ItemIn quantity=&quot;2&quot;>
<ItemID>
<SupplierPartID>NGB141XXXL</SupplierPartID>
<SupplierPartAuxiliaryID>BrandAd</SupplierPartAuxiliaryID>
</ItemID>
<ItemDetail>
<UnitPrice>
<Money currency=&quot;EUR&quot;>46.67</Money>
</UnitPrice>
<Description xml:lang=&quot;en&quot;>
product
</Description>
<UnitOfMeasure>EA</UnitOfMeasure>
<Classification domain=&quot;UNSPSC&quot;>80141605</Classification>
</ItemDetail>
</ItemIn>
<ItemIn quantity=&quot;10&quot;>
<ItemID>
<SupplierPartID>NIS011P</SupplierPartID>
<SupplierPartAuxiliaryID>BrandAd</SupplierPartAuxiliaryID>
</ItemID>
<ItemDetail>
<UnitPrice>
<Money currency=&quot;EUR&quot;>6.25</Money>
</UnitPrice>
<Description xml:lang=&quot;en&quot;>
Rhin Ballpen (pks of 25)
</Description>
<UnitOfMeasure>EA</UnitOfMeasure>
<Classification domain=&quot;UNSPSC&quot;>80141605</Classification>
</ItemDetail>
</ItemIn>
<ItemIn quantity=&quot;5&quot;>
<ItemID>
<SupplierPartID>NIS012P</SupplierPartID>
<SupplierPartAuxiliaryID>BrandAd</SupplierPartAuxiliaryID>
</ItemID>
<ItemDetail>
<UnitPrice>
<Money currency=&quot;EUR&quot;>158.50</Money>
</UnitPrice>
<Description xml:lang=&quot;en&quot;>
Mini USB Memory Stick 8Gb (pk25)
</Description>
<UnitOfMeasure>EA</UnitOfMeasure>
<Classification domain=&quot;UNSPSC&quot;>80141605</Classification>
</ItemDetail>
</ItemIn>
<ItemIn quantity=&quot;10&quot;>
<ItemID>
<SupplierPartID>*UCL023</SupplierPartID>
<SupplierPartAuxiliaryID>BrandAd</SupplierPartAuxiliaryID>
</ItemID>
<ItemDetail>
<UnitPrice>
<Money currency=&quot;EUR&quot;>19.75</Money>
</UnitPrice>
<Description xml:lang=&quot;en&quot;>
Squid Mini Powerbank
</Description>
<UnitOfMeasure>EA</UnitOfMeasure>
<Classification domain=&quot;UNSPSC&quot;>80141605</Classification>
</ItemDetail>
</ItemIn>
<ItemIn quantity=&quot;10&quot;>
<ItemID>
<SupplierPartID>LMP1003</SupplierPartID>
<SupplierPartAuxiliaryID>BrandAd</SupplierPartAuxiliaryID>
</ItemID>
<ItemDetail>
<UnitPrice>
<Money currency=&quot;EUR&quot;>34.34</Money>
</UnitPrice>
<Description xml:lang=&quot;en&quot;>
LMP1 1:43 Scale Model
</Description>
<UnitOfMeasure>EA</UnitOfMeasure>
<Classification domain=&quot;UNSPSC&quot;>80141605</Classification>
</ItemDetail>
</ItemIn>
</PunchOutOrderMessage>
</Message>
</cXML>">
</FORM>
</body>
</html>
If we post an order message to IE with fewer than 9 items etc., then XSS is not invoked.
This is a valid post, and the only workaround should not just be whitelisting and disabling XSS.
Any help would be highly appreciated!
Thanks,
Z
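An added example (not from the original post or from the receiving application) in Python, covering both ends of the exchange described above: building the auto-submitting form with the cXML HTML-attribute-encoded so the browser submits the whole document (and showing that raw double quotes inside the value attribute cut the posted value short), and, on the receiving side, parsing the posted cXML with a parser that does not fetch the external DTD and checking that the advertised Total equals the sum of the line items. The action URL, part numbers, prices and payloadID are constructed sample values.

```python
import html
from html.parser import HTMLParser
import xml.etree.ElementTree as ET
from decimal import Decimal

# Constructed sample shaped like the posted payload, trimmed to two items;
# part numbers and prices are made up and payloadID is a placeholder.
CXML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cXML SYSTEM "http://xml.cxml.org/schemas/cXML/1.2.008/cXML.dtd">
<cXML xml:lang="en-US" timestamp="10/14/2015 10:38:27 AM" payloadID="PLACEHOLDER-PAYLOAD-ID">
<Message><PunchOutOrderMessage><BuyerCookie>1AK40Y9SC4P6W</BuyerCookie>
<PunchOutOrderMessageHeader operationAllowed="edit">
<Total><Money currency="EUR">1,050.00</Money></Total></PunchOutOrderMessageHeader>
<ItemIn quantity="2"><ItemID><SupplierPartID>NGB141S</SupplierPartID></ItemID>
<ItemDetail><UnitPrice><Money currency="EUR">25.00</Money></UnitPrice></ItemDetail></ItemIn>
<ItemIn quantity="10"><ItemID><SupplierPartID>NIS012P</SupplierPartID></ItemID>
<ItemDetail><UnitPrice><Money currency="EUR">100.00</Money></UnitPrice></ItemDetail></ItemIn>
</PunchOutOrderMessage></Message></cXML>"""

def build_form(action, cxml, escape=True):
    """Render the auto-submitting form. escape=True attribute-encodes the XML
    (&quot; &lt; &amp;) so the browser submits it verbatim; escape=False leaves
    the inner quotes raw, which terminates the value attribute early."""
    value = html.escape(cxml, quote=True) if escape else cxml
    return ('<form id="f" method="POST" action="%s">'
            '<input type="hidden" name="cxml-urlencoded" value="%s"></form>'
            % (html.escape(action, quote=True), value))

class _HiddenField(HTMLParser):
    """Recover the value a browser would submit for the cxml-urlencoded field."""
    value = None
    def handle_starttag(self, tag, attrs):
        if tag == "input" and dict(attrs).get("name") == "cxml-urlencoded":
            self.value = dict(attrs).get("value")

def posted_value(form_html):
    p = _HiddenField()
    p.feed(form_html)
    return p.value

def check_order(cxml):
    """Receiving side: parse the posted cXML and compare the advertised Total with
    the sum of quantity * UnitPrice over every ItemIn. ElementTree does not fetch
    the external DTD; for untrusted input prefer defusedxml (blocks entity bombs)."""
    root = ET.fromstring(cxml)
    msg = root.find("Message/PunchOutOrderMessage")
    money = lambda el: Decimal(el.text.strip().replace(",", ""))
    stated = money(msg.find("PunchOutOrderMessageHeader/Total/Money"))
    computed = sum(Decimal(i.get("quantity")) * money(i.find("ItemDetail/UnitPrice/Money"))
                   for i in msg.findall("ItemIn"))
    return stated, computed, stated == computed
```

Calling `posted_value(build_form(url, CXML))` returns the original document unchanged, while the `escape=False` form posts only a fragment; `check_order(CXML)` reports the stated total, the computed total, and whether they agree.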