
Report Parameters and Script Injection

Report parameters provide flexibility in the overall design and execution of a report.
However, that same flexibility can, in some cases, be abused by an attacker in a luring
attack. To mitigate the risk of inadvertently running a malicious script, only open
rendered reports that come from trusted sources. Consider the following scenario,
which is a potential HTML Renderer script injection attack:

1. A report contains a text box whose hyperlink action is set to the value
   of a parameter, and that parameter could contain malicious text.

2. The report is published to a report server, or is otherwise made available
   in such a way that the report parameter value can be controlled from the
   URL of a web page.

3. An attacker creates a link to the web page or report server that specifies
   the value of the parameter in the form "javascript:<malicious script
   here>" and sends that link to someone else in a luring attack.


Regards,
Hossein Karimi
