Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PasswordRecovery Control XSS Vulnerability

Status
Not open for further replies.
jonathanx

jonathanx

Programmer
Jul 10, 2001
27
US
Hello,
I am very new to ASP.net and yet I have been given a website to maintain. One of my first tasks is to fix a Cross-site Scripting (XSS) vulnerability in the PasswordRecovery control. It seems that any user can inject JavaScript code into the PasswordRecovery text field and the browser will run it after it does a round trip to the server and back.

Any help would be greatly appreciated. (Please let me know if I need to provide any coding examples.)
 
Sort by date Sort by votes
Hi Mark,
I have added the ValidateRequest="true" property in the page declaration at the beginning of the code, but it did not seem to work. I could still inject javascript code into the PasswordRecovery control text field.

<%@ Page Language="C#" ValidateRequest="true" MasterPageFile="~/Main.master" AutoEventWireup="true" CodeFile="PasswordRecovery.aspx.cs" Inherits="_PasswordRecovery" StylesheetTheme="Basic" %>

I am now trying to use the "OnVerifyingAnswer" control property and write a method that will encode the input. I am, however, having trouble capturing the input. Am I on the right track?
 
Upvote 0 Downvote
Hi Mark, after a grueling week of trying different things with my limited knowledge of ASP.net and C#, I was able to figure out a solution, but I wanted to get an opinion on it.

I have included the following code in the Page_Load method:
passwordrecovery1.UserName = Server.HtmlEncode(passwordrecovery1.UserName.ToString());

It will basically encode the UserName input of the PasswordRecovery control thus rendering potentially dangerous Javascript injections harmless. It is probably one of many precautionary steps, but this should at the very least get the hosting security guys off my back for a while.

jonathanx
 
Upvote 0 Downvote
The ValidateRequest property should help limit script attacks, but yes you should always perform your own validation to see if values are in a format that you are expecting (and encoding the values will help as well). Here's an MSDN article that I think you will find useful:


Mark,

Darlington Web Design
Experts, Information, Ideas & Knowledge
ASP.NET Tips & Tricks
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

weberm
  • Locked
  • Question
How do I make a page with multiple AJAX custom controls?
Replies
2
Views
374
weberm
weberm
Jo_Miracle
  • Locked
  • Question
Loading Dynamic XML Files In To A Tree View Web Server Control
Replies
1
Views
118
jbenson001
jbenson001
koklimabc
  • Locked
  • Question
How to change attributes value of user control in div
Replies
2
Views
96
koklimabc
koklimabc
SGLong
  • Locked
  • Question
Where Is My Control
Replies
2
Views
83
SGLong
SGLong
Adonetok
  • Locked
  • Question
Use absolute or relative for a control
Replies
0
Views
54
Adonetok
Adonetok

Part and Inventory Search

Sponsor

Back
Top