I have a legacy ASP.Net site (recently upgraded to .NET 4.0) which never had Request Validation turned on and it doesn't Html encode any user input at all.
My solution was to turn on request validation and to catch the HttpRequestValidationException in Global.asax and redirect the user to an error page. I don't Html Encode the user input as I'll have to do it in thousands of places. I hope my approach will stop any XSS vectors getting saved into database.
However, in case if there is already any XSS vector stored in database I reckon I should also Html encode all output. Unfortunately I have very limited dev and test resource to successfully achieve this. I came up with a list of changes I need to go through:
Search and Replace all <%= %> with <%: %>.
Search and Replace all Labels with Literals and add Mode="Encode".
Wrap all eval() with HtmlEncode.
My questions are:
Is there any simpler way of turning on all output to be automatically Html encoded?
Am I missing anything from above list?
Any pitfalls I should be careful about?
Thanks.
Search and Replace all <%= %> with <%: %>.
Don't forget the <%# and Response.Write which will be harder to replace
Search and Replace all Labels with Literals and add Mode="Encode".
But you will loose all formatting on the previously generated spans, break the DOM
and the corresponding js/css
You would also have to search all Literals with Mode="PassThrough" and set them to Encode
Wrap all eval() with HtmlEncode.
Yes, it seems like a subset of the <%# matter above
Also, you could have some custom controls with funky render method
Assuming there is "only" a relational DB as back-end, If I had access to the DB, I would first go on identifying the problematic tables and columns which values contain markup.
I would then :
cleanup as best as I can those values in DB.
ensure HtmlEncoding of the corresponding outputs in my pages
I could then go for a basic global replace <%= becoming <%: and sanitize outputs on the long run.
Related
After the research published showing that .aspx routes are vulnerable to reflected XSS, what is the recommended alternative to using Page.ResolveUrl or Control.ResolveUrl? The linked article doesn't suggest any mitigations.
Summary of the linked research:
For .aspx pages (not MVC), even if you don't have cookieless sessions enabled, ASP.NET still parses those "special" URL formats such http://www.example.com/(S(lit3py55t21z5v55vlm25s55))/orderform.aspx
it includes them in the page output whenever you use ResolveUrl.
Thus it creates an attack vector where a call like ResolveUrl( "~/Images/logo.png" ) will inject content of the attacker's choice into your page output, e.g.
/(S("onerror="alert`1`"))/Images/logo.png`
I've posted one possible answer below but am looking for better ideas.
Note that ResolveClientUrl is not a direct replacement since it generates a relative Url, e.g. ../Images/logo.png unlike ResolveUrl which generates a root Url e.g. /myapp/Images/logo.png
One approach is to use HttpRuntime.AppDomainAppVirtualPath instead of the special tilde syntax. So the example from above...
Instead of:
ResolveUrl( "~/Images/logo.png" )
We would have:
HttpRuntime.AppDomainAppVirtualPath.TrimEnd( '/' ) + "/Images/logo.png"
Slightly less concise but seems to accomplish the same thing without invoking the ancient "cookieless" route parsing.
Use ResolveClientUrl instead of ResolveUrl.
ResolveClientUrl will not allow XSS.
I have a controller which generates a string containing html markup. When it displays on views, it is displayed as a simple string containing all tags.
I tried to use an Html helper to encode/decode to display it properly, but it is not working.
string str= "seeker has applied to Job floated by you.</br>";
On my views,
#Html.Encode(str)
You are close you want to use #Html.Raw(str)
#Html.Encode takes strings and ensures that all the special characters are handled properly. These include characters like spaces.
You should be using IHtmlString instead:
IHtmlString str = new HtmlString("seeker has applied to Job floated by you.</br>");
Whenever you have model properties or variables that need to hold HTML, I feel this is generally a better practice. First of all, it is a bit cleaner. For example:
#Html.Raw(str)
Compared to:
#str
Also, I also think it's a bit safer vs. using #Html.Raw(), as the concern of whether your data is HTML is kept in your controller. In an environment where you have front-end vs. back-end developers, your back-end developers may be more in tune with what data can hold HTML values, thus keeping this concern in the back-end (controller).
I generally try to avoid using Html.Raw() whenever possible.
One other thing worth noting, is I'm not sure where you're assigning str, but a few things that concern me with how you may be implementing this.
First, this should be done in a controller, regardless of your solution (IHtmlString or Html.Raw). You should avoid any logic like this in your view, as it doesn't really belong there.
Additionally, you should be using your ViewModel for getting values to your view (and again, ideally using IHtmlString as the property type). Seeing something like #Html.Encode(str) is a little concerning, unless you were doing this just to simplify your example.
you can use
#Html.Raw(str)
See MSDN for more
Returns markup that is not HTML encoded.
This method wraps HTML markup using the IHtmlString class, which
renders unencoded HTML.
I had a similar problem with HTML input fields in MVC. The web paged only showed the first keyword of the field.
Example: input field: "The quick brown fox" Displayed value: "The"
The resolution was to put the variable in quotes in the value statement as follows:
<input class="ParmInput" type="text" id="respondingRangerUnit" name="respondingRangerUnit"
onchange="validateInteger(this.value)" value="#ViewBag.respondingRangerUnit">
I had a similar problem recently, and google landed me here, so I put this answer here in case others land here as well, for completeness.
I noticed that when I had badly formatted html, I was actually having all my html tags stripped out, with just the non-tag content remaining. I particularly had a table with a missing opening table tag, and then all my html tags from the entire string where ripped out completely.
So, if the above doesn't work, and you're still scratching your head, then also check you html for being valid.
I notice even after I got it working, MVC was adding tbody tags where I had none. This tells me there is clean up happening (MVC 5), and that when it can't happen, it strips out all/some tags.
I have a string that contains valid html tags like <table> or <br/> and that is displayed in a tooltip including database. Security team considers this a a critical issue as this could allow xss attacks from a user that would insert an <script> alert(...)
Everywhere on the web, I'm told to use HttpUtility.HtmlEncode(). Problem is that this is also encoding my valid tag.
What I'm looking for and I can't find is a RegEx that would allow me to filter xss injections without stripping my valid html tags.
Does something like this exist?
Should be pretty simple, Html Encode the entire thing, then use regex to replace all instances of <table> with <table> etc. An example regex would be "<(\/?(table|span|p|br|tr|td|th|thead|tbody|tfoot|b|i)\s*\\?)>" and replace with "<\1>"
That should get you pretty close. Of course it won't allow complex tags, like <table id=...> etc, but you will have to decide if that's a requirement or not. Or use a markdown editor instead.
I have purposfully (for testing) assigned the following variable in WebMatrix C#:
string val = "<script type='text/javascript'>alert('XSS Vector')</script>";
Later in the page I have used razor to write that value directly to the page.
<p>
#val
</p>
It writes the text, but in a safe manner (i.e., no alert scripts run)
This, coupled with the fact that if 'val' contains an html entity (e.g., <) it also writes exactly "<" and not "<" as I would expect the page to render.
Is this because C# runs first, then html is rendered?
More importantly, is using razor in this fashion a suitable replacement for html encoding, when used like this?
The #Variable syntax will HtmlEncode any text you pass to it; hence you seeing literally what you set to the string value. You are correct in that this is for XSS protection. It is part of Razor that does this; the #Variable syntax itself.
So basically, using the #Variable syntax is not so much a 'replacement' for Html Encoding; it is HTML encoding.
Related: If you ever want some string to render the HTML, you would use this syntax in Razor:
#Html.Raw(Variable)
That causes the Html Encoding not to be done. Obviously, this is dangerous to do with user-supplied input.
so I've been running into some problems where in various parts of my website I'm developing, I'm displaying some logs that contain < and > symbols in various spots. Well when I display the log it works fine. Of course anytime I navigate away I get an error of:
A potentially dangerous Request.Form value was detected from the client ...
Now I understand it's because < and > are html special characters which I get. But, is there any way to disable or somehow allow the page to display / process those? I know I could strip those characters out of anyplace they may appear, but I'd rather not if I don't have to.
Any suggestions?
You didn't post any code, so I will assume you want something along the lines of:
<textbox><</textbox>
It's simple really, HTML encode your content:
<textbox><</textbox>
You can use HttpUtility.HtmlEncode to do this.
Replace ">" with ">" and "<" with "<"
Read this see a list of HTMLs special entities
If you simply want your web application to allow form input to contain potentially dangerous characters there are a few ways to do this depending on framework. I mostly use MVC myself, where you use the [ValidateInput(false)] attribute on your controller actions.
For WebForms, I'll direct you here instead.. http://msdn.microsoft.com/en-us/library/ie/bt244wbb.aspx :)
to answer your question put ValidateRequest="false" in <%#Page...
be careful, as you are now responsible for prevent script attacks