We are having issues passing through security review after running IBM Security AppScan Standard against SharePoint 2013 (with the latest security patches) site with ADFS. We are getting "Microsoft Windows MHTML CrossSite Scripting" high severity issue alert for the following URLs:
Security Risk: "It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user".
Cause: "Sanitation of hazardous characters was not performed correctly on user input"
Parameters used to pass hazardous characters: ReturnUrl and wctx.
Reasoning: The test response was found to contain the decoded payload after it was sent encoded.
Question - how should we treat, explain or fix this i