Microsoft Windows MHTML Cross-Site Scripting and SharePoint 2013

We are having issues passing through security review after running IBM Security AppScan Standard against a SharePoint 2013 site (with the latest security patches) with ADFS. We are getting a "Microsoft Windows MHTML Cross-Site Scripting" high-severity issue alert for the following URLs:

Security Risk: "It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user".

Cause: "Sanitation of hazardous characters was not performed correctly on user input"

Parameters used to pass hazardous characters: ReturnUrl and wctx.

Reasoning: The test response was found to contain the decoded payload after it was sent encoded.

Question - how should we treat, explain or fix this i

January 9th, 2014 12:03pm
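A way to re-check this kind of finding by hand, independent of the scanner: the test below sends a marker URL-encoded in the parameter, decodes it the way the web server would, and then classifies whether the decoded marker comes back verbatim (the condition the scanner reports), HTML-escaped, or not at all. This is an added example, not code from the thread and not SharePoint, ADFS or AppScan code; the endpoint URL, the parameter name and the two page renderers are stand-ins chosen for illustration, and all requests and responses are constructed in the file so it runs offline.

```python
"""Offline re-check of the kind of finding the post describes: a payload sent
URL-encoded in a query parameter (here ReturnUrl) comes back decoded in the
HTML response. Every request and response below is constructed in this file;
no SharePoint, ADFS or AppScan code is involved."""
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed marker payload. It is unlikely to occur naturally in a page and
# carries the characters (" > < /) whose raw reflection would let an attacker
# close an attribute and inject markup.
MARKER = 'x7q"><marker/>'

# Hypothetical sign-in endpoint and parameter name, chosen for illustration.
BASE_URL = "https://sts.example/adfs/ls/"
PARAM = "ReturnUrl"


def build_test_url(base_url: str, param: str, value: str) -> str:
    """URL-encode `value` into `param`, as a scanner sends its test request."""
    sep = "&" if "?" in base_url else "?"
    return f"{base_url}{sep}{param}={quote(value, safe='')}"


def escaped_forms(payload: str) -> set:
    """Encodings an HTML-encoding server might legitimately emit."""
    quoted = html.escape(payload, quote=True)  # " -> &quot;, plus & < >
    return {
        quoted,
        quoted.replace("&quot;", "&#34;"),     # numeric form of the quote
        html.escape(payload, quote=False),     # only & < > encoded
    }


def classify_reflection(body: str, payload: str = MARKER) -> str:
    """How the decoded payload shows up in a response body.

    'raw'     - present verbatim: hazardous characters were not encoded.
                This is the condition the scanner reports.
    'escaped' - only an HTML-escaped form is present: inert in HTML context.
    'absent'  - not reflected at all (rejected, replaced, or never echoed).
    """
    if payload in body:
        return "raw"
    if any(form in body for form in escaped_forms(payload)):
        return "escaped"
    return "absent"


def render_vulnerable(return_url: str) -> str:
    """Stand-in page that echoes the parameter with no output encoding."""
    return (
        '<form method="post" action="/login">'
        f'<input type="hidden" name="ReturnUrl" value="{return_url}">'
        "</form>"
    )


def is_local_return_url(url: str) -> bool:
    """Accept only a same-site absolute path: no scheme, no host, and not a
    scheme-relative '//host' or '/\\host' form that browsers treat as a host."""
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        return False
    return url.startswith("/") and not (len(url) > 1 and url[1] in "/\\")


def render_hardened(return_url: str, fallback: str = "/") -> str:
    """Stand-in page: validate the destination, then attribute-encode the output."""
    target = return_url if is_local_return_url(return_url) else fallback
    return (
        '<form method="post" action="/login">'
        f'<input type="hidden" name="ReturnUrl" value="{html.escape(target, quote=True)}">'
        "</form>"
    )


def simulate_response(test_url: str, renderer) -> str:
    """Stand-in for the server: decode the query string (as the web server
    would before the page sees it) and pass the parameter to the renderer."""
    query = parse_qs(urlsplit(test_url).query, keep_blank_values=True)
    return renderer(query.get(PARAM, [""])[0])


def check(renderer, value: str) -> str:
    """Send the encoded marker through `renderer` and classify the echo."""
    body = simulate_response(build_test_url(BASE_URL, PARAM, value), renderer)
    return classify_reflection(body)


if __name__ == "__main__":
    probe = "/sites/team?x=" + MARKER  # a plausible-looking local return URL
    print("vulnerable page     :", check(render_vulnerable, probe))
    print("hardened page       :", check(render_hardened, probe))
    print("hardened, non-local :", check(render_hardened, "//evil.example/" + MARKER))
```

Against a real site, build the URL with build_test_url for each flagged parameter (ReturnUrl, then wctx), fetch it with a browser or curl, and feed the response body to classify_reflection: "raw" confirms the scanner's reading, "escaped" or "absent" is evidence for a false positive that can be put in front of the reviewers. The hardened renderer also shows the two controls the scanner cannot see from the response alone: the return URL is restricted to a same-site path before it is used, and whatever is emitted is attribute-encoded.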

Hi Paul, 

For this issue, I'm trying to involve someone familiar with this topic to look at it further.

There might be some time delay. Thank you for your understanding.


January 13th, 2014 11:40pm

Thank you! Appreciate any
January 14th, 2014 1:09am

Hi Paul Shkurikhin, 

As I remember, there was a patch for Windows Server 2008 R2 for this one. Please have a check on this bulletin:

SharePoint 2013 is different from its predecessor because it already has the XSS prevention method built in. But it is not certain that the threat is gone for good, so please keep your SharePoint environment updated with the latest cumulative update. These articles may also help you:

From the links, these are the links that ADFS uses to authenticate, so most probably the issue is with the special characters. As I know, ADFS needs these special characters as well, because ADFS is using XML, so special characters such as '<' and '>' are needed. So I think it is most probably by design that ADFS turns off the XSS protection. To handle this, ADFS renews and makes those cookies time out. Also, XSS protection is turned on by default; as ADFS controls the content that it sends, it will instruct the browser not to wrongly flag its contents as an XSS attack, so as to not interrupt the flow.

If you have a custom page, perhaps you may consider this example:

For more information you may check here; you may also report to:

January 14th, 2014 6:08am
