After the published research showing that .aspx routes are vulnerable to reflected XSS, what is the recommended alternative to using Page.ResolveUrl or Control.ResolveUrl? The linked article doesn't suggest any mitigations.
Summary of the linked research:
For .aspx pages (not MVC), even if you don't have cookieless sessions enabled, ASP.NET still parses those "special" URL formats such as http://www.example.com/(S(lit3py55t21z5v55vlm25s55))/orderform.aspx
it includes them in the page output whenever you use ResolveUrl.
Thus it creates an attack vector where a call like ResolveUrl( "~/Images/logo.png" ) will inject content of the attacker's choice into your page output, e.g.
/(S("onerror="alert`1`"))/Images/logo.png
I've posted one possible answer below but am looking for better ideas.
Note that ResolveClientUrl is not a direct replacement since it generates a relative Url, e.g. ../Images/logo.png unlike ResolveUrl which generates a root Url e.g. /myapp/Images/logo.png
One approach is to use HttpRuntime.AppDomainAppVirtualPath instead of the special tilde syntax. So the example from above...
Instead of:
ResolveUrl( "~/Images/logo.png" )
We would have:
HttpRuntime.AppDomainAppVirtualPath.TrimEnd( '/' ) + "/Images/logo.png"
Slightly less concise but seems to accomplish the same thing without invoking the ancient "cookieless" route parsing.
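As an added example (not code from the question or the answer above): Control.ResolveUrl hands its result to HttpResponse.ApplyAppPathModifier, which is the step that copies the (S(...)) segment from the request into the output. The helper below builds the same root-relative URL from HttpRuntime.AppDomainAppVirtualPath, as the answer suggests, and additionally HTML-attribute-encodes it on the way out so that nothing in the string can close the src="..." attribute it is written into. The class and method names are my own.

```csharp
using System;
using System.Web;

// Added example, not from the original post. Resolves "~/" paths without
// Control.ResolveUrl and therefore without the cookieless-session path modifier.
public static class AppUrl
{
    // "~/Images/logo.png" -> "/Images/logo.png" for a root site, or
    // "/myapp/Images/logo.png" when the app runs in the "myapp" virtual directory.
    public static string Resolve(string appRelativePath)
    {
        if (string.IsNullOrEmpty(appRelativePath))
            throw new ArgumentException("Path is required.", "appRelativePath");
        if (!appRelativePath.StartsWith("~/", StringComparison.Ordinal))
            throw new ArgumentException("Expected an application-relative path beginning with ~/.", "appRelativePath");

        // AppDomainAppVirtualPath is "/" for the root site and "/myapp" for a
        // virtual directory; trimming the trailing slash avoids "//Images/...".
        string root = HttpRuntime.AppDomainAppVirtualPath.TrimEnd('/');
        return root + appRelativePath.Substring(1);
    }

    // Use this form whenever the value is written into markup.
    public static string ResolveForAttribute(string appRelativePath)
    {
        return HttpUtility.HtmlAttributeEncode(Resolve(appRelativePath));
    }
}
```

In a page this is used as `<img src="<%= AppUrl.ResolveForAttribute("~/Images/logo.png") %>" alt="logo" />`. The encoding step is worth keeping even after dropping ResolveUrl: the vulnerability only works because the resolved string reaches an attribute unencoded, and encoding at the output point protects any future caller that resolves a URL some other way.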
Use ResolveClientUrl instead of ResolveUrl.
ResolveClientUrl will not allow XSS.
I have a URL say /Registration/GetName.aspx/?language=English
When I click an ASP.NET Button on the same page and call Response.Redirect("CheckLoginName.aspx");
It gives me a weird URL
/Registration/GetName.aspx/CheckLoginName.aspx
What should I do? Please help.
You should use "~/" inside your Redirect
So your code will look something like this
Response.Redirect("~/CheckLoginName.aspx");
Hope this helps
You should remove the trailing / before the query string, since it serves no purpose. Your URL should be /Registration/GetName.aspx?language=English. Another option is to have Response.Redirect("../CheckLoginName.aspx"); This should also work.
I think a solution using a relative path is better, since it is location independent. If you move these two files to another URL, there will be no need for code changes.
I'm using ASP.NET 4.5 and have the following routing rule in my Global.asax file:
RouteTable.Routes.MapPageRoute("defaultRoute", "{*value}", "~/default.aspx")
What I'm trying to accomplish is redirecting dynamically generated URLs that are formatted like this:
http://myurl.com/firstnamelastname
Here is what one might actually look like:
http://myurl.com/davemackey
My problem is that the above redirects all requests - e.g. to axd or jpg files. Now I could add exclusions for every other type of file like so:
RouteTable.Routes.Ignore("{resource}.axd/{*pathInfo}")
But this would be error prone and tedious (e.g., what happens if someone adds another file type to the project?).
So, what I'd like to do is something like this:
RouteTable.Routes.MapPageRoute("defaultRoute", "{*value}(where no suffix)", "~/default.aspx")
Or, put into my clear English:
If URL does not have a suffix, then redirect using defaultRoute to ~/default.aspx
Any thoughts on how to accomplish this?
==
Update:
I found this MSDN article. It seems that using Constraints might work to implement what I am speaking of above...but I'm not exactly sure how...
==
Update 2:
I've got a passable solution for the moment. I added the following:
RouteTable.Routes.Ignore("{path}/{value}")
Since image and other files are kept in sub-directories, this forces them to be excluded. Still, I have two concerns with this
What if the path is longer than a single sub-directory, e.g. images/people/person.jpg?
What if a file is placed into the main root (shouldn't be, but it could happen) that is a jpg or etc.?
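As an added example (not code from the question), here is the constraint approach the MSDN article points at, written as an IRouteConstraint rather than a regex so it can look at the last path segment at any depth. It answers both concerns above: images/people/person.jpg is rejected because its final segment has an extension, and a stray logo.jpg in the root is rejected for the same reason. The class name and the RegisterRoutes method are my own; the route name, pattern and default.aspx target are the ones from the question.

```csharp
using System;
using System.Web;
using System.Web.Routing;

// Added example, not from the original question. Lets the catch-all route match
// only extension-less URLs such as /davemackey.
public class NoFileExtensionConstraint : IRouteConstraint
{
    public bool Match(HttpContextBase httpContext, Route route, string parameterName,
                      RouteValueDictionary values, RouteDirection routeDirection)
    {
        object raw;
        if (!values.TryGetValue(parameterName, out raw) || raw == null)
            return true; // the site root has an empty catch-all value; let it route

        string path = raw.ToString();
        // Look only at the final segment, however deep the path is:
        // "images/people/person.jpg" -> "person.jpg" -> rejected.
        string lastSegment = path.Substring(path.LastIndexOf('/') + 1);
        return lastSegment.IndexOf('.') < 0;
    }
}

public static class RouteConfig
{
    // Call from Application_Start in Global.asax: RouteConfig.RegisterRoutes(RouteTable.Routes);
    public static void RegisterRoutes(RouteCollection routes)
    {
        // Handlers such as WebResource.axd have no file on disk, so keep an explicit ignore for them.
        routes.Ignore("{resource}.axd/{*pathInfo}");

        routes.MapPageRoute(
            "defaultRoute",
            "{*value}",
            "~/default.aspx",
            true,                                   // checkPhysicalUrlAccess
            new RouteValueDictionary(),             // no defaults
            new RouteValueDictionary { { "value", new NoFileExtensionConstraint() } });
    }
}
```

Two caveats. RouteCollection.RouteExistingFiles is false by default, so a request for a file that physically exists already bypasses routing; the constraint is what matters for URLs with no file behind them. And a name containing a dot, such as /dave.mackey, is rejected by this rule, so if such names are valid the check should be narrowed to a list of served extensions instead.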
Is there any way to turn multiple paths from a DB field into separate href links?
eg:
c:\MyPath\SomeFile.pdf;c:\MyPath\AnotherFile.pdf;c:\MyPath\LastFile.pdf
I'm able to program a single path above into a link but the SQL DB I'm using could have up to 3 separate paths to files in it.
So for example I can turn this:
c:\MyPath\SomeFile.pdf
Into this link (and make it clickable):
\\1.1.1.1\c$\MyPath\SomeFile.pdf
I'm currently able to do this by creating a few variables to hold the path and the data from the field:
string UNCPath = "\\\\1.1.1.1\\c$\\";
string PathToFile = dgv[e.ColumnIndex, e.RowIndex].Value.ToString();
// Drop the "c:\" drive prefix; the c$ share is already part of UNCPath.
System.Diagnostics.Process.Start(UNCPath + PathToFile.Substring(3));
Some additional notes on the above:
I also change the colon to dollar
Of course the IP and path etc are fake
The problem is that I'm not sure what to do if the field has multiple fields.
I'm thinking a right click menu that shows all 3 (or 2 or 1) paths and make them clickable.
Or I'd have to open another form page listing them....similar to the above line.
These methods don't seem like a very good approach to me.
Is there any other decent way to do this?
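As an added example (not code from the question), the following splits the field on ';', converts each local path to its UNC form, and offers the results in a right-click menu as the post proposes. The conversion is deliberately strict: only a drive-rooted .pdf path without ".." is accepted, because the value comes from a database and Process.Start will happily launch anything else it is handed. The host 1.1.1.1 is the placeholder from the question; the class and method names are my own.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Windows.Forms;

// Added example, not from the original post. Assumes the DB field holds up to a
// few local paths separated by ';' and that the files are reachable through the
// drive admin share of a fixed host.
public static class UncLinks
{
    const string Host = "1.1.1.1"; // placeholder, as in the question

    // "c:\MyPath\SomeFile.pdf" -> "\\1.1.1.1\c$\MyPath\SomeFile.pdf"
    // Returns null for anything that is not a plain drive-rooted .pdf path, so a
    // crafted DB value cannot launch an arbitrary program via Process.Start.
    public static string ToUnc(string localPath)
    {
        if (string.IsNullOrWhiteSpace(localPath)) return null;
        string p = localPath.Trim();
        if (p.Length < 4 || !char.IsLetter(p[0]) || p[1] != ':' || p[2] != '\\') return null;
        if (p.Contains("..") || p.IndexOfAny(Path.GetInvalidPathChars()) >= 0) return null;
        if (!p.EndsWith(".pdf", StringComparison.OrdinalIgnoreCase)) return null;

        string drive = char.ToLowerInvariant(p[0]).ToString();
        return @"\\" + Host + @"\" + drive + "$" + p.Substring(2);
    }

    // Splits the raw field and keeps only the paths that passed ToUnc.
    public static List<string> Split(string field)
    {
        return (field ?? "")
            .Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(ToUnc)
            .Where(u => u != null)
            .ToList();
    }

    // One menu item per file; clicking opens it with the registered viewer.
    public static ContextMenuStrip BuildMenu(string field)
    {
        var menu = new ContextMenuStrip();
        foreach (string unc in Split(field))
        {
            string target = unc; // capture per iteration
            menu.Items.Add(Path.GetFileName(target), null,
                (s, e) => Process.Start(new ProcessStartInfo(target) { UseShellExecute = true }));
        }
        return menu;
    }
}
```

Wire it to the grid from the CellMouseClick event: when e.Button == MouseButtons.Right and the cell is the path column, call `UncLinks.BuildMenu(dgv[e.ColumnIndex, e.RowIndex].Value.ToString()).Show(Cursor.Position)`. With one or two paths the menu simply has fewer entries, which covers the "3 (or 2 or 1)" case without a second form.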
I want to get the title of a shortcut: not the file name, not the description, but the title.
How do I get it?
I have learned how to resolve its target path from here: How to resolve a .lnk in c#
but I can't find any method to get its title.
It sounds like you might be trying to get the title of the file the link points to, as JRL suggests.
If you're not trying to do that, I'd recommend opening up one of these .lnk files in a hex editor like XVI32. You can probably tell from there whether the Chinese name displayed is embedded in the .lnk file or is somewhere else.
If it's somewhere else, it may be an Extended File Property. There's some source code that may help with retrieving that info: Extended File Properties
If by some chance it is inside the .lnk file, I recommend looking at the Windows Shortcut Specification to get offset information and such on the location of that data.
There is a hidden Desktop.ini file in the shortcuts' directory; it records the display-string information for the shortcuts.
Desktop.ini file sample:
[LocalizedFileNames]
Windows Update.lnk=#%SystemRoot%\system32\wucltux.dll,-1
Default Programs.lnk=#%SystemRoot%\system32\sud.dll,-1
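As an added example (not code from the answer above): this reads the [LocalizedFileNames] entry for a given .lnk from the Desktop.ini in the same folder, resolves the resource reference through SHLoadIndirectString, and otherwise falls back to the file name without ".lnk". The class and method names are my own; the P/Invoke declaration is the standard one for shlwapi's SHLoadIndirectString.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Text;

// Added example, not from the original answer. Resolves the localized display
// name of a shortcut the way Explorer does for Start Menu folders.
public static class ShortcutTitle
{
    [DllImport("shlwapi.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
    static extern int SHLoadIndirectString(string pszSource, StringBuilder pszOutBuf,
                                           int cchOutBuf, IntPtr ppvReserved);

    public static string Get(string lnkPath)
    {
        string dir = Path.GetDirectoryName(lnkPath);
        string fileName = Path.GetFileName(lnkPath);
        string fallback = Path.GetFileNameWithoutExtension(lnkPath);

        string ini = Path.Combine(dir, "desktop.ini");
        if (!File.Exists(ini)) return fallback;

        bool inSection = false;
        foreach (string raw in File.ReadAllLines(ini))
        {
            string line = raw.Trim();
            if (line.StartsWith("[") && line.EndsWith("]"))
            {
                inSection = line.Equals("[LocalizedFileNames]", StringComparison.OrdinalIgnoreCase);
                continue;
            }
            if (!inSection) continue;

            int eq = line.IndexOf('=');
            if (eq <= 0) continue;
            if (!line.Substring(0, eq).Trim().Equals(fileName, StringComparison.OrdinalIgnoreCase)) continue;

            string resolved = ResolveIndirect(line.Substring(eq + 1).Trim());
            return resolved ?? fallback;
        }
        return fallback;
    }

    // "@%SystemRoot%\system32\wucltux.dll,-1" -> string resource 1 from that DLL.
    static string ResolveIndirect(string reference)
    {
        if (string.IsNullOrEmpty(reference)) return null;
        // The documented prefix for an indirect string is '@'; the sample above
        // shows '#', so both are accepted here (assumption).
        if (reference[0] == '#') reference = "@" + reference.Substring(1);
        reference = Environment.ExpandEnvironmentVariables(reference);

        var buf = new StringBuilder(512);
        int hr = SHLoadIndirectString(reference, buf, buf.Capacity, IntPtr.Zero);
        return hr == 0 && buf.Length > 0 ? buf.ToString() : null;
    }
}
```

Usage: `ShortcutTitle.Get(@"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Update.lnk")` returns the localized name on a system whose Desktop.ini carries the entry shown above, and "Windows Update" where it does not.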
You can use the property system APIs in the latest release of the Code Pack:
(all the 670+ properties in the system are accessible using simple property accessors)
http://code.msdn.microsoft.com/WindowsAPICodePack
I know your current need is only limited title of lnk files. Using the above library, the sample code might look like:
// FromParsingName returns a ShellObject; cast it to ShellLink for the link-specific view.
ShellLink myLink = (ShellLink)ShellObject.FromParsingName(@"c:\somepath\myLink.lnk");
string title = myLink.Properties.System.Title.Value;
// This is what it's pointing to...
string target = myLink.Properties.System.TargetParsingPath.Value;
Please define "title". The only attributes that sound relevant are the shortcut's file name, the target's file name, and the .lnk file's description data.
Assuming you mean the title of the file the link points to, not the link itself, and that you are talking about Windows, then it's done via a feature in NTFS, alternative streams. You can access those streams using code in this article.
Looking around on creating shortcuts, looks like there's a lot of jumping through hoops with scripting objects. But am I missing something? If you have a path to the shortcut, the name should be exactly what you find in the path, not some attribute you have to look up.
Dim f As FileInfo = New FileInfo("C:\Name of shortcut.lnk")
Dim title As String = f.Name.Replace(".lnk", String.Empty)