
We have an ASP.NET MVC site that uses UrlHelper.Action to generate URLs that are sent to the client. We have scanned our application using Veracode security platform. It has identified a problem:

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

The tainted data originated from an earlier call to system_web_mvc_dll.System.Web.Mvc.UrlHelper.Action.

Our URLs do not use values from model state that may have come from the client and be tainted. They're all pretty straightforward.

Are there any vulnerabilities with UrlHelper or best practices in making sure that URLs it generates do not allow XSS injections?

Craig Celeste
  • You'll probably need to add some code to your question in order for us to help you. It could be a myriad of things. – SilverlightFox Dec 07 '15 at 10:02
  • Thanks SilverlightFox. Unfortunately it takes a few days for Veracode to scan our app, so it's difficult for me to boil it down to simple "this fails" code sample, because it looks so innocuous. I was kind of doing a stab in the dark in case someone knew that there was a common gotcha or something. – Craig Celeste Dec 07 '15 at 22:07
  • Complete guess here - sounds like you're not HTML encoding the output from `UrlHelper.Action` so this has been flagged up as a security flaw. Look for code that is using a function result from `UrlHelper.Action` and then outputting it to HTML. – SilverlightFox Dec 08 '15 at 09:33
  • Upon closer inspection of the Veracode results, it looks like they are identifying a public static method on a controller, which takes a Guid and returns a string as the attack vector. The method (among other things) uses UrlHelper.Action to produce a URL and return it. Could they be thinking that public methods on a controller are exposed to the world? Even if they're static and return a string (not ActionResult), and our routes do not expose it? Not considering that if they post XSS to a Guid it would fail to model bind, giving a parse error, not an XSS fail? – Craig Celeste Dec 08 '15 at 15:15
  • It could be. Although if you do have a method it will be called somewhere, so are you using the output anywhere unencoded? – SilverlightFox Dec 08 '15 at 15:16
  • We have several such helper methods. As a quirk of fate, we submitted a build to Veracode on a day after such a method was added but before it is used. So it is essentially dead code, but still listed as an attack vector. In addition we have similar methods on other classes that are not Controllers and they are not a problem. We made some changes to several of the methods and submitted a new build. We'll see what happens in a few days, I guess. – Craig Celeste Dec 08 '15 at 15:56
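A worked illustration of the point raised in the comments, added here as an example and not taken from the asker's application or from Veracode. The controller name `ItemsController` and the methods `BuildDetailsUrl`, `BuildDetailsUrlForThisRequest`, `Details`, `UnsafeLink`, `SafeLink` and `SafeLinkWithReturnUrl` are all hypothetical. It shows why a static analyser reports the static helper even though its only input is a Guid: the string that `UrlHelper.Action` returns is data, and the only place an XSS can exist is an HTML sink that emits that string without HTML encoding. It also shows the routing caveat: ASP.NET MVC dispatches public instance methods as actions, so a static method is not reachable through a route, while a public instance helper needs `[NonAction]` to stay unreachable.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Added example, not code from the question. All names below are hypothetical.
public class ItemsController : Controller
{
    // The shape described in the comments: a public static helper on a controller that takes
    // a Guid and returns a string built with UrlHelper.Action. Taint analysis treats the Guid
    // parameter as a source and the returned string as tainted, because it does not reason
    // about the fact that a Guid can only ever be hex digits and hyphens.
    // MVC only dispatches public instance methods as actions, so this static method is not
    // routable; the scanner's real concern is wherever the returned string reaches HTML.
    public static string BuildDetailsUrl(UrlHelper url, Guid id)
    {
        // Route values are percent-encoded while the URL is built. That is URL encoding, not
        // HTML encoding: the result is still plain text as far as an HTML page is concerned.
        return url.Action("Details", "Items", new { id = id });
    }

    // A public instance helper WOULD be a routable action unless it is marked [NonAction].
    [NonAction]
    public string BuildDetailsUrlForThisRequest(Guid id)
    {
        return BuildDetailsUrl(Url, id);
    }

    public ActionResult Details(Guid id)
    {
        // In a Razor view, @ViewBag.DetailsUrl is HTML-encoded automatically;
        // @Html.Raw(ViewBag.DetailsUrl) would bypass that and become the sink.
        ViewBag.DetailsUrl = BuildDetailsUrl(Url, id);
        return View();
    }

    // Vulnerable sink: the URL string is concatenated straight into HTML.
    // With a Guid route value this happens to be harmless (model binding will not produce a
    // Guid from anything that is not one), but the same line with a string route value, such
    // as a returnUrl taken from the request, lets a quote character close the href attribute.
    public ContentResult UnsafeLink(Guid id)
    {
        string href = BuildDetailsUrl(Url, id);
        return Content("<a href=\"" + href + "\">details</a>", "text/html");
    }

    // Hardened sink: encode at the point where the string becomes HTML.
    // HtmlAttributeEncode escapes the characters that can terminate an attribute value
    // (quotes, &, <), so the URL cannot break out of the attribute regardless of what the
    // URL builder did or did not encode upstream.
    public ContentResult SafeLink(Guid id)
    {
        string href = BuildDetailsUrl(Url, id);
        string html = "<a href=\"" + HttpUtility.HtmlAttributeEncode(href) + "\">details</a>";
        return Content(html, "text/html");
    }

    // Same idea with a caller-supplied string, where the distinction actually matters.
    // Constructed attacker input for returnUrl: "\" onmouseover=\"alert(1)"
    public ContentResult SafeLinkWithReturnUrl(Guid id, string returnUrl)
    {
        // The URL builder percent-encodes the query value, and the attribute encoder then
        // makes the whole href safe to place inside double quotes.
        string href = Url.Action("Details", "Items", new { id = id, returnUrl = returnUrl });
        string html = "<a href=\"" + HttpUtility.HtmlAttributeEncode(href) + "\">details</a>";
        return Content(html, "text/html");
    }
}
```

The practical check for the finding is therefore to follow the scanner's data flow from the flagged helper to its sink rather than to the helper itself: every place the returned string is written to a response should go through Razor's default encoding, `Html.AttributeEncode`/`HttpUtility.HtmlAttributeEncode`, or `Html.ActionLink`, and any `Html.Raw`, `Response.Write` or string concatenation into markup is the line to fix. Dead code that is never called still produces the finding, because the analyser reports the sink pattern, not a proven reachable route.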

0 Answers