Report Parameters provide flexibility for the overall report design and execution. However, this same flexibility can, in some cases, be used by an attacker in luring attacks. To mitigate the risk of inadvertently running malicious scripts, only open rendered reports from trusted sources. Consider the following scenario, which is a potential HTML Renderer script injection attack:
1. A report contains a text box with the hyperlink action set to the value of a parameter which could contain malicious text.
2. The report is published to a report server or otherwise made available in such a way that the report parameter value can be controlled from the URL of a web page.
3. An attacker creates a link to the web page or report server specifying the value of the parameter in the form "javascript:<malicious script here>" and sends that link to someone else in a luring attack.
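One defensive check that fits the scenario above, written as an added example (it is not from the original post and not a Reporting Services API): before a parameter value is used as a hyperlink action, normalize it the way browsers do and accept only an allowlist of schemes, so a "javascript:" value never becomes a live link. The function names, the allowlist and the sample values are assumptions constructed for this example.

```python
import re

# Assumption: schemes a rendered report hyperlink is allowed to use.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Browsers strip leading/trailing C0 controls and space, and delete ASCII
# tab/newline anywhere in a URL before parsing, so "java\tscript:" still
# executes. Normalize the same way so the check sees what the browser sees.
_STRIP_CHARS = "".join(chr(c) for c in range(0x21))   # U+0000..U+0020
_TAB_NEWLINE = re.compile(r"[\t\r\n]")
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def normalize(value: str) -> str:
    """Apply browser-style URL pre-processing to a raw parameter value."""
    return _TAB_NEWLINE.sub("", value.strip(_STRIP_CHARS))


def is_safe_hyperlink(value: str) -> bool:
    """True only for absolute URLs on the allowlist or same-origin relative paths."""
    url = normalize(value)
    if not url:
        return False                      # empty value: no link at all
    match = _SCHEME.match(url)
    if match is None:
        # No scheme, so a relative link. Reject scheme-relative forms
        # ("//host", "/\host") that would point the link off-origin.
        return not (len(url) >= 2 and url[0] in "/\\" and url[1] in "/\\")
    return match.group(1).lower() in ALLOWED_SCHEMES


def render_action_link(param_value: str):
    """Return the URL to use as the text box hyperlink action, or None to
    render the text box without any hyperlink."""
    return normalize(param_value) if is_safe_hyperlink(param_value) else None


if __name__ == "__main__":
    # Constructed sample parameter values, including the attack shape from the post.
    for sample in ["https://example.com/report?id=1", "/reports/summary",
                   "javascript:alert(1)", " \tjava\nscript:alert(1)",
                   "//evil.example/x", "mailto:someone@example.com"]:
        print(repr(sample), "->", render_action_link(sample))
```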
Regards,
Hossein Karimi
Tuesday, July 31, 2018
Report Parameters and Script Injection
Labels: AX 2012, Installation, Reporting