Currently when trying to submit transaction that contain dropdown that has text containg angular bracket as e.g. "<abcd>", I'm getting 500 internal server error since ValidateRequest=true by default and throws unhandled exception before it reached to page handler since its Cross site scripting problem.
Is there a way to intercept and modify request object in HttpModule or Glabal.asax since I know Request object is readonly.
I've been breaking head for almost three days but not able to get a concrete solution.
What would be the best solution to handle these kind of scenarios. Also I don't want to encode it in client side.
Encode the value in the listbox :
<asp:ListItem><abcd></asp:ListItem>
[Edit] I realize my solution does not apply. The content is probably sent encoded by the browser, and is render encoded too by the drop down list (if you use standard databinding). I think your only option is to disable the validation of the request.
This implies you have to very careful on user input. To be simple, Encode every user input with HttpUtility.HtmlEncode(txtXX.Text);.
More on this in the Script Exploits Overview page of MSDN.
Use HttpUtility.HtmlEncode and HttpUtility.HtmlDecode to solve this problem..
you can put html encoded text in the control or use these methods as per your requirement( Between Events)
Follow these SO thread...
HttpUtility.HtmlEncode to validate user entries
w3c validation error in asp.net
If you can disable validation then follow these
asp.net: Invalid postback or callback argument
Check MSDN for Script Exploits
I prefer to use Microsoft Anti-Cross Site Scripting Library V4.0 as it provides many helper functions to encode HTML, HtmlAttribute, JavaScript, URL, XML to restrict any cross site attacks.
Related
I run my application with VERACODE tool but I got struggling with some issues.
One of the issue which I face is Improper Neutralization of the Script-Related HTML Tags in a Web Page (Basic XSS) (CWE ID 80).
This happens in many screens in my application.
In the following particular line:
NewDivButton.Style["display"] = SearchParameters.NewDivButtonVisibility;
Does anyone have any suggestion on how to fix this issue?
Welcome Manikandan. The best answer to this question would involve knowledge of the language/framework you're using if you could share that?
One thing to note, is that there are many things you could do that would make the warning "go away", but wouldn't make your app any more secure. For that reason, it's best to understand the core of the problem, and then apply the standard fix for the language/framework you're working in. If in doubt, check with a security professional.
In general, XSS is a set of issues where you (potentially) render user input as part of your output.
In this example if I send you a link that says yoursite.com?NewDivButtonVisibility=">SendYourPrivateInfoSomewhereBad();
If you click a link like this, and the site blindly inserts the script into the page, it could steal data.
The best protection is often to validate input, only allowing known-valid input through.
Another common approach is to HTML-encode the unknown value being displayed. However, more care is needed depending on where the output is rendered (e.g. if already within a script tag)
There's much more general information on this type of issue here: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#cross-site-scripting-prevention-cheat-sheet
I want to create an Asp.net Website and I want to prevent Cross Site Scripting. I have a page with Summernote (a WYSIWYG HTML Editor), which, when submittet, posts HTML Code to MVC ActionResult via form or Ajax Post.
This Method saves this Code in my Database as content/body of a message. On another Site, you can display the content, which shows formating things like Lists etc.
Because of security reasons i want to filter the content i recieve from client. I am using the AntiXSS Library from Microsoft.
A part of my MVC Code:
[ValidateInput(false), HttpPost, ValidateAntiForgeryToken]
public ActionResult CreateMessage(string subject, string body)
{
var cleanBody = Sanitizer.GetSafeHtmlFragment(body);
//do the Database thing here
}
The major problem is, that it kills my HTML Elements with tag, because it removes the src=""
should be:
<p><img src="data:image/png;base64,some/ultra/long/picture/code/here" data-filename="grafik.png"></p>
remaining:
<p><img src="" alt=""><img src=""></p>
What can i do to prevent this?
Is there a way to add an exception rule?
Is there an another better way?
How does it work?
Thanks for help!
There is no such thing anymore as the "AntiXSS Library". It used to be a separate library, but Microsoft moved it into .Net, so it's now under System.Web.Security.AntiXss.
The reason this is important is that you need a sanitizer. The way you are using AntiXss currently will take a list of html tags and a list of attributes to those tags, and will remove everything else from your html code. That's not very good for you, because you only want to remove javascript, regardless of tags or attributes. Let's take for example <a>, with its href attribute. You most probably want to allow your users to insert links, but you don't want them to be able to insert javascript via <a href="javascript: ...">. So you cannot filter out href for <a>, but if you leave it, your page will be vulnerable to XSS.
So you want a sanitizer that only removes javascript. In the original AntiXSS library there was a sanitizer, but when Microsoft moved it to .Net, the sanitizer was left out.
So in short, AntiXss will not help you with your current usecase.
You can find proper html sanitizers like for example Google Caja (client-side sanitizer here), or many others. The point is, even if this sanitizer is in javascript (on the client), if you carefully don't insert your data into the page DOM before sanitizing it, it will all be fine.
So in short, you could just save any data from the HTML editor to your database as is without any transformation (mind sql injection of course, but current data access technologies should have that covered), and then when such data is displayed, send it to the client without adding it to the page dom (like as json data for example, but properly encoded for json then of course!), then run your sanitizer that will remove any javascript, and then add it to the page.
The reason this is very good is because your wysiwyg html editor will likely have a preview screen. Don't forget to add sanitization to previews as well, otherwise the preview will be vulnerable to XSS. If sanitization was on the server, you would have to send the editor contents to the server, sanitize it and send it back to your user for preview - not very user-friendly.
Also note that many wysiwyg editors support hooking into their rendering and adding such a sanitizer. If an editor does not support this and does not have its own sanitizer, that cannot be made secure with regard to XSS.
I have seen this on some survey websites. What is the C# code they use on the client side to keep the URL same, but when clicking the "Next" button, the same aspx page is maintained
without having any query string;
without any change even a character in the url; and
the grid, the data , the content, the questions keep changing?
Can anyone give a code-wise example how to achieve this?
My main query is how is this done in code-behind to change data of page and maintain same url.
Nothing simpler that a session, maintainted at the server side. Store a "current question number" in session, increment it at each succesfull postback and you have what you ask about.
Another possibility - a cookie which contains "current question number".
Both cookie and session are invisible in the query string of course.
"change data of page and maintain same url." Answer is Server.Transfer.
This method will preserve url.
The Next button may submit a form using the HTTP POST method. The form data may contain the session, question and response data. The site uses that to build a new response. Unlike a GET, a POST does not incorporate data into the URL.
Developers will typically accomplish this task by using AJAX. The basic premise behind it is that only a certain portion of the page (e.g. a grid or content area) will make a server call and retrieve the results (using Javascript). The effect achieved is that there has not been a full post back, which is why you don't see the URL or parameters changing.
It is possible to do this using jQuery, pure Javascript, or Microsoft's UpdatePanel.
oleksii's comment has some good links as well:
That's the AJAX magic. There are many JQuery plugings for this, for
example this one with a live demo. You can also program it easily
using JQuery Get or Post or any other wrapper that use XmlHttpRequest
object.
I have a bunch of parameters that I need to pass onto a second page via request headers. At first I tried via JS but I found out that that's impossible (please correct me if I'm wrong here).
So now I'm trying to do it in the code-behind (via C#). I want to write a bunch of custom request headers and call Response.Redirect or something similar to redirect user to the new page.
Is this possible? If so what methods do I have to use?
Edit: unfortunately using QS parameters is not an option here as it's out of my control.
Use a Server.Transfer("somepage.aspx?parameter1=value");
There is no client redirect then.
You can try setting the headers and do a Server.Transfer - I believe that will work to - up to you, but using the querystring is a bit more readable to me and doesn't show up in the clients browser.
you need to look at state in .net their are various ways to achive state.. in a stateless environment.
i would put it in the session object on page one.. read it on page 2...
create a session object on code behind page 1
read from session object on page 2.
or if you read the msdn state documenation on request paramters this will show you the options avliable.
JS dont worry about doing tricky stuff with it.. mostly trickey is wrong.
Excuse my limited knoweldge here.
In the past I have used Steve Sanderson's method to HTML encode by default at runtime: http://blog.stevensanderson.com/2007/12/19/aspnet-mvc-prevent-xss-with-automatic-html-encoding/
I have a need to alter img src and a href attributes before they are spat out in the user's browser. There is a solution using JavaScript but this is not ideal for several reasons. Intercepting the compiler is not an option because of unnecessarily using Response.Write for trivial HTML.
Is there something I can do with HTTP modules or the view engine?
Any thoughts?
UPDATE: I do not need to HTML encode the attributes but I do have a need to change them.
Cheers.
Use a response filter. Works with any ASP.NET project, including MVC. Should work even if you're using a different view engine, as it intercepts at a lower level.
Here's an actual example that strips whitespace:
https://web.archive.org/web/20211029043851/https://www.4guysfromrolla.com/articles/120308-1.aspx
I've used this before to rewrite links before sending to the client, but I can't find the code at the moment.