
How can I fix a reflected XSS client problem on ASP.Net? Can anyone help me?

The problem is below:

Reflected XSS Client

Method :

ROW:563

Private Shared Function bindSiteMenu(TSql As String) As Data.DataTable
....
563.                  DRow.Item("Sortby") =  dt1.Rows(i).Item("Sortby").ToString
564.                  dtAll.Rows.Add(DRow)
....
569.          Return dtAll

Method :

Public Shared Function FrontSiteMenuForSMap(ByVal SiteID As Long) As Data.DataTable

                ....
529.          Return bindSiteMenu(TSql)

Method :

Protected Sub SiteMap(SitID As Long)

    ....
    27.          Dim dt As Data.DataTable = SiteMenuObj.FrontSiteMenuForSMap(SitID)
    ....
    29.              SetNodes(dt, SitID, 0, 0, "")

Method :

ROW:77

Protected Sub SetNodes(ByVal dtTree As Data.DataTable, ByVal SiteID As Long,ByVal ParentId As Long, ByVal Level As Integer, ByVal TreeNumber As String)

....
33.      Protected Sub SetNodes(ByVal dtTree As Data.DataTable, ByVal SiteID As Long, ByVal ParentId As Long, ByVal Level As Integer, ByVal TreeNumber As String)
....
36.          rows = dtTree.Select(filterExpr)
37.          If rows.GetUpperBound(0) >= 0 Then
....
47.              For Each row In rows 
48.                  tmpParentId = row.Item("ParentId").ToString
49.                  tmpFDefaultLink = row.Item("FDefaultLink").ToString
50.                  tmpMenuTitle = row.Item("MenuTitle").ToString
51.                  tmpMenuID = row.Item("MenuID").ToString
52.                  tmpSiteID = row.Item("SiteID").ToString
53.                  tmpURL = row.Item("URL").ToString
....
71.                          Url = tmpURL
....
77.                      litF.Text = "<li " & css & "><a href=""" & Url & """ title=""" & tmpMenuTitle & Title & """>" & tmpNumber & tmpCount & "." & tmpMenuTitle & "</a><ol>"

Thanks for everyone's help!

  • @CristiC777 also I don't know where the error is, but when I scan with Checkmarx I'm getting this result. litF is a Literal object; I declared all variables – ekrem tapan Apr 20 '16 at 10:05
  • Use breakpoints to check your variable values, e.g. at line 53. – CristiC777 Apr 20 '16 at 10:14
  • @CristiC777 tmpURL = row.Item("URL").ToString is blank – ekrem tapan Apr 20 '16 at 10:20
  • So in your current row the column (cell) with header/name "URL" is empty.. check why! :) – CristiC777 Apr 20 '16 at 10:27
  • Because this page is the siteMap module, some URLs are blank and some are not, so if I have a blank URL it should be filled with "#"? Right? – ekrem tapan Apr 20 '16 at 10:32
  • Yes, or use If IsNothing .. – CristiC777 Apr 20 '16 at 10:35
  • @CristiC777 thanks for your attention. I will try it – ekrem tapan Apr 20 '16 at 10:37
  • Welcome! :) and use Google ;) – CristiC777 Apr 20 '16 at 10:40
  • Google!? What is it? New technology? XD.. I'm searching it but don't find any article about this ;) sometimes asking real people is better than Google :) – ekrem tapan Apr 20 '16 at 10:42
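The scanner flags line 77 because values read from the DataTable (URL, MenuTitle) are concatenated straight into markup that a Literal writes to the page. Below is a hardened version of that concatenation, added here as an example; it is not code from the question or from its comments. It assumes the same column names as the question's DataTable and that the returned string is what gets assigned to litF.Text; the names RenderNode and IsSafeHref are hypothetical helpers. It also covers the blank-URL case raised in the comment thread by falling back to "#", and it encodes each value for the HTML context it lands in (attribute value versus element text), which is what removes the finding whether the data came from a request or from the database.

```vbnet
Imports System
Imports System.Data
Imports System.Web   ' HttpUtility; System.Web is referenced by every ASP.NET project

' Added example, not the asker's code: renders one menu node the way line 77 does,
' but with every DataTable value encoded for the context it is written into.
Public Module SafeSiteMenu

    ' Hypothetical helper. Returns the markup that line 77 assigns to litF.Text.
    ' css, tmpNumber and tmpCount are computed by the page itself (not data) and pass through unchanged.
    Public Function RenderNode(row As DataRow, css As String, tmpNumber As String, tmpCount As String, title As String) As String
        Dim tmpURL As String = row.Item("URL").ToString()
        Dim tmpMenuTitle As String = row.Item("MenuTitle").ToString()

        ' Blank URL (the case found in the comments): emit "#" instead of href="".
        Dim url As String = If(String.IsNullOrWhiteSpace(tmpURL), "#", tmpURL.Trim())

        ' Only relative paths and http(s) links belong in href; any other scheme becomes "#".
        If Not IsSafeHref(url) Then url = "#"

        ' Attribute values and element text are different HTML contexts; encode for each one.
        Dim safeHref As String = HttpUtility.HtmlAttributeEncode(url)
        Dim safeTitleAttr As String = HttpUtility.HtmlAttributeEncode(tmpMenuTitle & title)
        Dim safeText As String = HttpUtility.HtmlEncode(tmpNumber & tmpCount & "." & tmpMenuTitle)

        Return "<li " & css & "><a href=""" & safeHref & """ title=""" & safeTitleAttr & """>" & safeText & "</a><ol>"
    End Function

    ' Hypothetical helper: allows relative paths and absolute http/https URLs, rejects any other scheme.
    Public Function IsSafeHref(value As String) As Boolean
        If value.StartsWith("http://", StringComparison.OrdinalIgnoreCase) OrElse _
           value.StartsWith("https://", StringComparison.OrdinalIgnoreCase) Then
            Return True
        End If
        ' A colon anywhere else means a scheme we do not want in href (javascript:, data:, vbscript:, ...).
        Return Not value.Contains(":")
    End Function

    ' Stand-alone demonstration using a constructed DataTable (sample data, not from the site).
    Sub Main()
        Dim dt As New DataTable()
        dt.Columns.Add("URL", GetType(String))
        dt.Columns.Add("MenuTitle", GetType(String))
        dt.Rows.Add("/products.aspx", "Products")        ' ordinary row
        dt.Rows.Add("", "Sale <b>50% off</b>")           ' blank URL and markup inside the title

        For Each row As DataRow In dt.Rows
            Console.WriteLine(RenderNode(row, "class=""node""", "1", "", ""))
        Next
        ' The second line comes out with href="#" and the <b> tag encoded as &lt;b&gt;, so it renders as text.
    End Sub
End Module
```

In the page itself the call replaces the concatenation on line 77, for example `litF.Text = SafeSiteMenu.RenderNode(row, css, tmpNumber, tmpCount, Title)`. Using HtmlAttributeEncode for href and title and HtmlEncode for the link text, rather than one encoder for everything, is what a static analyzer such as Checkmarx looks for when it decides the data flow into the Literal is sanitized.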