We are having issues passing through security review after running IBM Security AppScan Standard against SharePoint 2013 (with the latest security patches) site with ADFS. We are getting "Microsoft Windows MHTML CrossSite Scripting" high severity issue alert for the following URLs:

https://url.com/_trust/default.aspx
https://userauth.url.com/adfs/ls/
https://userauth.url.com/adfs/ls/auth/integrated/

Security Risk: "It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user".

Cause: "Sanitation of hazardous characters was not performed correctly on user input"

Parameters used to pass hazardous characters: ReturnUrl and wctx.

Reasoning: The test response was found to contain the decoded payload after it was sent encoded.

Question - how should we treat, explain or fix this i

Hi Paul, 

For this issue, I'm trying to involve someone familiar with this topic to further look at it. 

There might me some time delay. Thank you for your understanding.

Thanks

Hi Paul Shkurikhin, 

as i remember, there was a patch for the windows server 2008 r2 for this one, please have a check on this bulletin: 

http://technet.microsoft.com/en-us/security/bulletin/ms11-026

http://technet.microsoft.com/en-us/security/bulletin/ms11-037

sharepoint 2013 is different from its predecessor because its already have the XSS prevention method built-in. but it is not closed the probability that the threat is gone for good, so please to keep your sharepoint environment updated by the latest cumulative update and also this articles may help you:

http://blogs.msdn.com/b/sharepoint__cloud/archive/2012/10/15/sharepoint-2013-technical-preview-development-setup.aspx

http://sharepointchick.com/archive/2012/07/29/setting-up-your-app-domain-for-sharepoint-2013.aspx

from the links, it is the links that adfs use to authenticate, so most probably the issue is with the special characters, and as i know adfs need these special chars also because adfs is using xml, so special char such as '<' '>' are needed., so i think it is most probably by design that adfs turn off the xss protection, to handle this adfs renew and make those cookies time out, also xss protection is turned on by default as adfs control the content that it send, it will instruct the browser to not wrongly flag its contents as an xss attack so as to not interrupt the flow.

if you have a custom page perhaps you may consider this example:

http://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx

for more information you may check

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

http://support.microsoft.com/kb/252985

http://www.ibm.com/developerworks/library/wa-secxss/

http://blogs.technet.com/b/srd/archive/2011/01/28/more-information-about-the-mhtml-script-injection-vulnerability.aspxor you may also report to : http://technet.microsoft.com/en-us/security/ff852094.aspx