No Input Sanitization: Qlik Sense Penetration Test
Article Number: 000060287 | Last Modified: 2018/12/05
During a penetration test of Qlik Sense (September 2017 release) it was discovered that, when a new task is created and applied, the request can be captured in a proxy tool. In the proxy tool a script can then be added to the name parameter, and it is not filtered out. According to the testers, a name parameter should normally not accept special characters such as ', ", > and <.
Qlik Sense, any version
There are multiple XSS prevention techniques that can be deployed; blacklisting certain characters or tags is only one of them.
The Qlik Sense proxy allows custom headers to be added if necessary. More importantly, the test case states that the supplied script does not run, which means the finding is not exploitable. Also worth noting is that the tested fields are in the Qlik Sense Management Console, so only users with admin privileges can access this page and enter input in those fields (which, again, cannot be executed).
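To illustrate the two points above (that blacklisting characters is only one of several XSS defences, and that a proxy header can add a further layer), the following is an added example written for this article; it is not Qlik's code and does not reflect how Qlik Sense handles task names internally. It contrasts stripping a fixed character list, which mangles legitimate names, with context-aware HTML output encoding, which keeps the stored value intact and neutralises markup at render time, and it builds an illustrative Content-Security-Policy header value of the kind a proxy could add. The task names and the policy directives are constructed for the example.

```javascript
// Added example (not Qlik's code). Two ways of handling a user-supplied task
// name before it is rendered into an HTML page, plus a defence-in-depth header.

// 1. Character blacklisting: strips a fixed set of characters. Legitimate
// names such as "O'Brien's report" are mangled, and the list must be complete
// for every output context the value can reach.
const BLACKLIST = /['"<>]/g;
function blacklistStrip(name) {
  return name.replace(BLACKLIST, '');
}

// 2. Context-aware output encoding: the value is stored unchanged and encoded
// for the HTML text/attribute context at render time. These five characters
// are the ones that can alter the structure of HTML markup.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a task row: encoding happens at the point the data enters markup, and
// attribute values are always double-quoted so the encoder covers them too.
function renderTaskRow(taskName) {
  const safe = encodeForHtml(taskName);
  return `<tr><td data-task="${safe}">${safe}</td></tr>`;
}

// 3. Defence in depth via a response header. The article notes the proxy can
// add custom headers; this builds an illustrative Content-Security-Policy value
// (a constructed policy, not Qlik's configuration). Without 'unsafe-inline' in
// script-src, inline script that slipped past an encoding bug would not run.
function buildCsp({ scriptSources = ["'self'"], reportUri = null } = {}) {
  const directives = [
    "default-src 'self'",
    `script-src ${scriptSources.join(' ')}`,
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'self'",
  ];
  if (reportUri) directives.push(`report-uri ${reportUri}`);
  return directives.join('; ');
}

// Constructed sample task names showing the difference between the approaches.
const SAMPLE_NAMES = ["O'Brien's monthly reload", 'Load <Sales> & <Returns> Q1'];
for (const name of SAMPLE_NAMES) {
  console.log('blacklist :', blacklistStrip(name));
  console.log('encoded   :', encodeForHtml(name));
}
console.log(renderTaskRow(SAMPLE_NAMES[1]));
console.log('Content-Security-Policy:', buildCsp());
```

The encoded form is what should reach the browser; the original name stays in storage, so nothing is lost for legitimate users, while the blacklist approach silently rewrites their input and still depends on the list being complete for every context.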