As part of our Quality Assurance and testing processes, we devote significant time and energy to locate potential security vulnerabilities within our product line and remedy them as necessary. Based on our experience with numerous web applications, we have created and continue to regularly update a Best Practices document designed to help you avoid the most common web application security pitfalls.
DevExpress ASP.NET Security Best Practices
This KB Article describes known alerts detected by security scanners/services based on associated weakness list/signatures.
We consider the alerts listed below as false vulnerabilities (refer to the explanations below for more information).
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
1. Tool: WAS
Messages:
- "A test payload generated a syntax error within the Web Application. This often points to a problem with input validation routines or lack of filters on user-supplied content."
- "The test successfully embedded a script in the response as part of an existing JavaScript content. When the original script is executed, the injected script will be executed as well. This means that the application is vulnerable to Cross-Site Scripting attacks."
- "A malicious user may be able to create a denial of service, serious error, or exploit depending on the error encountered by the Web application."
Affected Scope:
ASPxGridView (its hidden inputs whose names end with the "DXSelInput", "DXKVInput", "CallbackState", "DXFocusedRowInput" suffixes prior to version 15.1 and the "State" suffix for newer versions).
ASPxPopupControl (its hidden input whose name ends with the "WS" suffix prior to version 15.1 and the "State" suffix for newer versions).
ASPxTabControl / ASPxPageControl (its hidden input whose name ends with the "ATI" suffix prior to version 15.1 and the "State" suffix for newer versions).
ASPx:
<dx:ASPxGridView ID="ASPxGridView1" ...>
<dx:ASPxPopupControl ID="ASPxPopupControl1" ...>
<dx:ASPxPageControl ID="ASPxPageControl1" ...>
Prior to version 15.1:
HTML:
<!--ASPxGridView-->
<input type="hidden" name="ASPxGridView1$DXSelInput" id="ASPxGridView1_DXSelInput">
<input type="hidden" name="ASPxGridView1$DXKVInput" id="ASPxGridView1_DXKVInput" value="...">
<input type="hidden" name="ASPxGridView1$CallbackState" id="ASPxGridView1_CallbackState" value="...">
<input type="hidden" name="ASPxGridView1$DXFocusedRowInput" id="ASPxGridView1_DXFocusedRowInput" value="...">
HTML:
<!--ASPxPopupControl-->
<input type="hidden" id="ASPxPopupControl1WS" name="ASPxPopupControl1WS" value="...">
HTML:
<!--ASPxTabControl / ASPxPageControl-->
<input type="hidden" id="ASPxPageControl1ATI" name="ASPxPageControl1ATI" value="...">
Starting with version 15.1:
JavaScript:
//ASPxGridView
var dxo = new ASPxClientGridView('ASPxGridView1');
dxo.stateObject = ({...});
HTML:
<!--ASPxGridView-->
<input type="hidden" name="ASPxGridView1" id="ASPxGridView1_State" value="{...}">
HTML:
<!--ASPxPopupControl-->
<input type="hidden" name="ASPxPopupControl1State" id="ASPxPopupControl1_State" value="{...}">
HTML:
<!--ASPxTabControl / ASPxPageControl-->
<input type="hidden" name="ASPxPageControl1" id="ASPxPageControl1_State" value="{...}">
Resolution:
Most of the messages relate to input elements whose names may "appear" dangerous based on the underlying scanner signatures. Potentially dangerous XSS payloads posted within these inputs cannot be executed on the client side, since the raw input values are validated on the server side. Theoretically, it is only possible to corrupt the state of the DevExpress ASP.NET controls between requests.
2. Tool: Veracode
Affected Scope:
Editors with input elements (both DevExpress and standard Microsoft ASP.NET controls):
HTML<!-- ASPxComboBox -->
<table class="dxeButtonEditSys dxeButtonEdit" id="ASPxComboBox1">
...
<input class="dxeEditArea dxeEditAreaSys" id="ASPxComboBox1_I" name="ASPxComboBox1" ... type="text" autocomplete="off">
Resolution:
This warning occurs when it is possible to assign an encoded value containing a script to an input element. For example, the string "1234%27A-alert%2889%29%2F%2F" can be assigned to the ASPxComboBox editor's input element (<input name="ASPxComboBox1" />). This behavior can be reproduced with standard Microsoft ASP.NET controls as well. These values cannot be executed on the client side, so this warning can be considered a false alert.
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
1. Tool: OWASP ZAP
Affected Scope: DXScript / DXCss (Request Parameters)
Resolution:
This parameter (DXR.AXD) is a part of the URL processed by the DevExpress Resource Handler when retrieving resources (scripts, styles and images) from DevExpress assemblies. Moreover, our resource handler checks whether the resource key specified via the URL postfix is valid and exists. It is NOT related to any database connection logic and there are NO potential vulnerability issues when manipulating this parameter outside our code.
2. Tool: Veracode
Affected Scope: DevExpress.Data Library, ConnectionProviderSql's InternalExecSql, InternalGetScalar, InternalGetData methods.
Resolution:
These methods support our public API (Direct SQL Queries and Stored Procedures). The SQL command is expected to be assigned only by an application developer. As such, preventing the execution of arbitrary SQL queries is entirely and exclusively an application developer's responsibility.
The Direct SQL Queries feature supports prepared parameterized statements, which developers can use to avoid dynamically constructing SQL commands.
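The contrast the paragraph describes, as an added example that is not DevExpress code: the same lookup written with string concatenation and then with a bound parameter. It assumes the XPO Session.ExecuteQuery overload that takes parameter names and values; the "@p0" placeholder syntax and the Orders table are assumptions and depend on the database provider.

```csharp
using System;
using DevExpress.Xpo;
using DevExpress.Xpo.DB;

// Added example (not DevExpress code). Assumes Session.ExecuteQuery(sql, names, values)
// and a provider that understands "@p0" placeholders; "Orders" is a constructed table.
public static class OrderLookup
{
    // Vulnerable pattern: the caller-supplied term becomes part of the SQL text,
    // so a quote inside it changes the meaning of the WHERE clause. This is the
    // case the library cannot prevent and the application developer must avoid.
    public static SelectedData FindByCustomerUnsafe(Session session, string customer)
    {
        string sql = "SELECT OrderId, Total FROM Orders WHERE CustomerName = '" + customer + "'";
        return session.ExecuteQuery(sql);
    }

    // Hardened pattern: the term travels as a bound parameter, never as SQL text,
    // so quotes and keywords inside it are plain data to the database engine.
    public static SelectedData FindByCustomer(Session session, string customer)
    {
        const string sql = "SELECT OrderId, Total FROM Orders WHERE CustomerName = @p0";
        return session.ExecuteQuery(sql, new[] { "@p0" }, new object[] { customer });
    }

    // Walk the first result set of a SelectedData value returned by either method.
    public static void PrintRows(SelectedData data)
    {
        foreach (SelectStatementResultRow row in data.ResultSet[0].Rows)
            Console.WriteLine($"{row.Values[0]}\t{row.Values[1]}");
    }
}
```

The stored-procedure path has the same property: pass values as procedure arguments rather than splicing them into the command text.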
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Affected Scope: DevExpress.Web.ASPxPivotGrid.vX.Y.dll, System.Web.HttpResponse.AddFileDependency
Resolution:
This warning implies that a method used in the assembly writes strings into a response without additional encoding. There is only one place where user input is directly appended to the response. In certain instances, a file name (a value obtained from the client side) is written into the HTTP header of a response. However, before this occurs, the value is hashed (via a SHA256 hash algorithm) and then encoded (via a Base64 algorithm). The result is then appended to the HTTP response header.
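The neutralization described above, as an added example that is not DevExpress code: the client-supplied file name never reaches the header; only its SHA-256 digest, Base64-encoded, does. The class and method names are assumed; the hostile input is constructed for the demonstration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not DevExpress code): derive a header-safe token from a
// client-controlled file name by hashing it and Base64-encoding the digest.
public static class HeaderSafeName
{
    // Base64 output uses only A-Z, a-z, 0-9, '+', '/' and '=' padding, so the
    // result can contain neither CR/LF (CWE-113) nor HTML/script characters (CWE-80).
    // A 32-byte SHA-256 digest always encodes to exactly 44 characters.
    public static string Derive(string clientFileName)
    {
        byte[] digest;
        using (SHA256 sha = SHA256.Create())
            digest = sha.ComputeHash(Encoding.UTF8.GetBytes(clientFileName ?? string.Empty));
        return Convert.ToBase64String(digest);
    }

    // Self-check a reviewer can run: every character must be in the Base64
    // alphabet, regardless of what the client sent.
    public static bool IsHeaderSafe(string value)
    {
        foreach (char c in value)
        {
            bool ok = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                      (c >= '0' && c <= '9') || c == '+' || c == '/' || c == '=';
            if (!ok) return false;
        }
        return true;
    }

    public static void Main()
    {
        // Constructed hostile input: a CRLF sequence followed by a markup fragment.
        string hostile = "report.pdf\r\nX-Injected: 1<script>";
        string token = Derive(hostile);
        Console.WriteLine(token.Length + " chars, header-safe: " + IsHeaderSafe(token));
    }
}
```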
CWE-377: Insecure Temporary File
Affected Scope: DevExpress.XtraReports.vX.Y.Web.dll, System.IO.Path.GetTempFileName
Resolution:
The GetTempFileName method is used within internal methods only. These methods do not send any information to the client. As such, there is no way to access this TEMP file from a client.
CWE-327: Use of a Broken or Risky Cryptographic Algorithm
1. Tool: Veracode
In many instances, the corresponding methods are called in scenarios not related to cryptography or not involving potential security issues (for instance, blob comparison or checksum computation).
To maintain a clean and safe codebase, we have implemented an internal hashcodehelper class in modern versions of our .NET components. However, some scenarios still require the use of methods that Veracode treats as potentially unsafe.
1.1 Method: DevExpress.XtraRichEdit.Model.DocumentModel.CheckOpenXmlDocumentProtectionPassword(PasswordHashCodeCalculator calculator, string password)
Affected Scope: RichEdit controls for all platforms (WinForms, WPF and ASP.NET)
Resolution:
The MD5 algorithm is required by the ECMA-376 standard.
Review article 2.15.1.28 "documentProtection (Document Editing Restrictions)" of the ECMA-376 Standard - Office Open XML File Formats.
1.2 Method: DevExpress.XtraSpreadsheet.Internal.MD5Hash.CreateMD5()
Affected Scope: All products supporting export to XLS
Resolution:
The MD5 algorithm is required by the Excel Binary File Format specification.
Review article 2.3.6.1 in the Office Document Cryptography Structure specification.
1.3 Affected Scope: All products supporting export to PDF, as well as PDF Viewer controls and the PDF Document Processor library
Resolution:
The MD5 algorithm is required by the PDF specification.
Review article 7.6 (Encryption) in the Portable Document Format specification.
1.4 Method: DevExpress.Office.Crypto.CipherInfo.GetAlgorithm()
Affected Scope: All products supporting export to XLS
Resolution:
This is required for compliance with the Office Document Cryptography Structure specification (review article 2.3.4).
1.5 Affected Scope: DevExpress.Docs library System.Security.Cryptography.ICryptoTransform CreateAesCryptoTransform(string, byte[], byte[])
Resolution:
Since the standard ZIP encryption scheme is weak, certain vendors use AES encryption in ECB mode for ZIP archives. The library must be able to decrypt such archives.
1.6 Affected Scope: Devexpress.Printing.vXX.Y.Core library, PdfSignature.cs
Resolution:
Our PDF library code uses the SHA-1 algorithm because the PDF specification requires it. Review section 12.8 (Digital Signatures) of the PDF specification for more information.
CWE-611: Improper Restriction of XML External Entity Reference ('XXE')
Tool: Veracode
Message: Improper Restriction of XML External Entity Reference ('XXE')
Methods: GetContentsList(), GetBlobsList()
Affected Scope: ASPxFileManager
Resolution:
The XML returned by these methods is converted to FileManagerFile objects. Then, based on these objects, ASPxFileManager renders its markup. It is only possible to tamper with this data if a threat actor has direct access to the Amazon server or another cloud provider's site.
CWE-331: Insufficient Entropy
Tool: Veracode
Message: Insufficient Entropy
Methods: Next(int)
Affected Scope: ASPxCaptcha
Resolution:
This method is used in our Captcha control. Since requests take a different random amount of time, and captcha image recognition takes additional time as well, we believe that this makes the entropy high enough and there is no way for an attacker to predict the sequence of values.
CWE-201: Information Exposure Through Sent Data
Tool: Veracode
Message: Information Exposure Through Sent Data
Methods: UploadString(string data), UploadStringAsync(string, object)
Affected Scope: ASPxPivotGrid
Resolution:
Passwords and other sensitive information are not sent to the client. It all works on the server and private information can't be viewed on the client-side.
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
1. Tool: Veracode
Message: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
1.1 Methods: WriteFolderToResponse(), WriteFileToResponse()
Affected Scope: ASPxHttpHandlerModule
Resolution:
These methods check the parameter for the correct extension (i.e. '.css' or '.js'). These files are available without using these methods, and it is not possible to obtain other files through them.
1.2 Methods: CreateImageBox()
Affected Scope: ASPxSpreadsheet
Resolution:
The parameter in this method is an index to the image. This index is generated on the server side. It is not possible to obtain access to other information through this method.
CWE-316: Cleartext Storage of Sensitive Information in Memory
Classes: DevExpress.XtraRichEdit.Commands.ProtectionInfo, DevExpress.XtraRichEdit.AuthenticationOptions
Affected Scope: Devexpress.RichEdit library
Resolution:
These classes are used to work with protected documents and serve to provide information protection on unintentional changes. This information is not considered sensitive.
CWE-73: External Control of File Name or Path
1.1 Classes: DevExpress.XtraRichEdit.API.Native.Implementation.FileDocumentImageSource!ctor
Affected Scope: Devexpress.RichEdit library
Resolution:
This class is part of the RichEdit library's public API.
1.2 Class: DevExpress.Charts.Native.HolidaysLoader.LoadHolidaysCollection
Affected Scope: DevExpress.Charts.vXX.Y.Core.dll
Resolution:
The LoadHolidays method is a public API that allows users to import holidays from an XML file. XML content is processed safely. Since this is a public method, we cannot restrict the file path parameter in library code. This restriction should be implemented at the application level.
CWE-540: Information Exposure Through Source Code
Affected Scope: DXR.axd containing jQuery script.
Resolution:
DXR.axd files are returned by our ASPxHttpHandlerModule. They contain JavaScript, CSS and images required for component/control rendering. These resources need public access. These resources do not expose sensitive information or server-side code.
CWE-798: Use of Hard-coded Credentials
Tool: Veracode
Method: "?1?=?2??Datasource=?0??servertype=local?userid=ADSSYS?Password=?3??TrimTrailingSpaces=tru"
Affected Scope: DevExpress.Xpo.vXX.Y.dll
Resolution:
'ADSSYS' is the name of a built-in Advantage Database Server administrator account, and its use does not lead to security vulnerabilities. Sensitive information (passwords, non-built-in user names) is not hard-coded in the connection string.
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
Tool: Veracode
Method: HttpContext.Current.Response.Redirect
Affected Scope: GoogleDrivePersonalHelper class, OneDrivePersonalHelper class
Resolution:
The URL passed to the Redirect method is constructed from values specified on the server side. These values do not depend on user input. As such, it is not possible to initiate redirection to an external website from the end-user's side.
CWE-615: Inclusion of Sensitive Information in Source Code Comments
Tool: SecureTrust
Affected Scope: DXR.axd
Resolution:
DXR.axd files are returned by our ASPxHttpHandlerModule. They only contain static resources: JavaScript, CSS and images required for rendering DevExpress ASP.NET controls. These files do not transfer or save user information. The word "password" within these files is not used for saving or sending user passwords; it simply refers to password-type HTML input elements.
CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Tool: Veracode
Method: System.Reflection.Assembly.LoadFile
Affected Scope: DevExpress.Web.Internal.ThemesProvider.LoadCustomThemeAssemblyByPath method
Resolution:
The LoadCustomThemeAssemblyByPath method is only executed by the ASPxThemeDeployer tool, which is used by a developer on a developer machine for extracting DevExpress theme resources for deployment within an application. This method is not used at runtime, so it cannot be affected by an intruder.
HTTP Verb Tampering
Tool: IBM Security AppScan
Affected Scope: DXR.axd (Page)
Resolution:
DXR.axd files are returned by our ASPxHttpHandlerModule. They contain JavaScript, CSS and images required for component/control rendering. These resources require public access. These resources do not expose sensitive information or server-side code.
CAPEC-7: Blind SQL Injection
1. Tool: IBM Security AppScan
Affected Scope: DXR.AXD URLs
Resolution:
These parameters are used to transfer information about JS/CSS files (required for DevExpress ASP.NET controls) between requests.
They are NOT related to any database connection logic and there are NO potential vulnerability issues when manipulating this parameter outside our code.
2. Tool: SiteLock
Messages:
- "Using the GET HTTP method, SiteLock found that : + The following resources may be vulnerable to blind SQL injection : + The 'r' parameter of the /DXR.axd CGI"
- "Using the GET HTTP method, SiteLock found that : + The following resources may be vulnerable to blind SQL injection (time based) : + The 'r' parameter of the /DXR.axd CGI"
Affected Scope: DXR.AXD URLs
Resolution:
This parameter (DXR.AXD?r=) is a part of the URL processed by the DevExpress Resource Handler when retrieving resources (scripts, styles and images) from our assemblies. Moreover, our resource handler checks if the resource key specified via the URL postfix is valid and exists. It is not related to any database connection logic and there are no potential vulnerability issues when manipulating this parameter outside our code.
CVE-2018-14498, CVE-2017-15232, CVE-2018-20330, CVE-2018-19664
Affected Scope: PdfViewer's (WinForms), PdfViewerControl's (WPF) and PdfDocumentProcessor's (Office File API) rendering engine
Resolution:
The DevExpress PDF Viewers for WinForms and WPF do not use the functionality related to the mentioned vulnerabilities. DevExpress components were not affected by these security issues.
Non-classified
1. Tool: Retina Web Security Scanner
Messages:
- "Quotes in attribute"
- "Unfiltered input parameter"
- "Unfiltered quote"
- "Unfiltered <a> tag with onmouseover handler"
Affected Scope: ASPxComboBox settings
Resolution:
These values can be potentially changed before posting to the server. However, they will be encoded when rendering a client-side programmatic object. Their final representation is handled by the EncodeHtml property, which is enabled by default. As a result, all rendered values/HTML entries are also encoded.
2. Tool: ASafaWeb
Messages:
- "Custom errors: Fail"
- "Request validation: Fail"
Affected Scope:
Application's configuration.
Resolution:
You should configure these options at the application level.
In certain DevExpress ASP.NET online demo apps, the Request validation option is explicitly disabled to allow entry of all possible characters.
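The two ASafaWeb findings map to application-level settings in web.config. The fragment below is an added example, not part of this KB article: the first block shows the settings the scanner flags, the second a production-safe configuration. The "~/Error.aspx" page name is an assumption.

```xml
<!-- Added example, not from the DevExpress KB. "~/Error.aspx" is an assumed page. -->

<!-- Before: detailed error pages reach remote clients and request validation is off,
     which is what produces "Custom errors: Fail" and "Request validation: Fail". -->
<configuration>
  <system.web>
    <customErrors mode="Off" />
    <pages validateRequest="false" />
  </system.web>
</configuration>

<!-- After: remote clients get a generic error page; request validation stays on
     application-wide. If one page must accept markup (as the demo apps do),
     set validateRequest="false" on that page only and encode its output. -->
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
    <pages validateRequest="true" />
    <httpRuntime requestValidationMode="4.5" />
  </system.web>
</configuration>
```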
Blind SQL Injection
Tool: IBM Security AppScan
Affected Scope:
Application Configuration - Search Panel Editors (DXSE), Filter Row Editors (DXFREditor)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Resolution:
"DXFREditor" and DXSE parameters are used to send Search Panel and Filter Row editor values to filter data in grid-based UI controls (GridView, TreeList, CardView, etc.).
In standard binding mode, these values are used to filter data at the component/control level. These values do not pass to the underlying database directly. We validate values at our Data Controller level before applying the filter.
In Database Server mode, the Filter Row editor values are included in the WHERE clause of a SQL query, but the values are discarded before being appended as WHERE statement parameters. SQL commands inserted into these parameters cannot be executed at the database level.