“I would like to make it clear, I am writing this report for educational purpose, I contacted HP Security-Team that already fixed the flaw.
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’).
Cross-site scripting is a type of coding vulnerability. XSS enables attackers to inject malicious into web pages viewed by other users. XSS may allow attackers to bypass access controls (suck as the same-origin policy).
How this attack works?
Cross-site scripting (XSS) vulnerabilities occur when:
What to Review
Cross-site scripting flaws can be difficult to identify and remove from a web application. The best practice to search for flaws is to perform an intense code review and search for all places where user input through an HTTP request could possibly make its way into the HTML output.
Code reviewer needs to closely review.
Web application vulnerability automated tools/scanners can help to find Cross-Site scripting flaws. They cannot find all this is way manual code reviews are important. Manual code reviews won’t catch all either but a defense in depth approach is always the best approach based on your level of risk.
Your code should filter meta-characters from user input. The admins must take appropriate measures for their web applications in order to prevent these type of attacks as these can damage you more than you expect.
All of the information mentioned here is for educational purposes and based on OWASP and MITRE, we aren’t responsible for what you do afterwards.
About the author Rafael Fontes Souza
Rafael Fontes Souza is an Information Security Professional at Cipher Intelligence Labs with focus in Penetration Testing, Vulnerability Assessment, Analysis and Mitigation.
(Security Affairs – Cross-site scripting, HP)