I'm currently trying to secure my site from XSS attacks in the URL. For example, if the attacker is using Firefox they can do the following

myxsssite.com/mypage.aspx?d"><script class="none&>alert(1);</script clas="none&><!--=1

And the script will be run. I've been searching around for a couple of days now and can't seem to find a solution that works. Currently I've tried the AntiXSS library from MS. I don't think it's working correctly. I'm encoding the whole URL like so

Microsoft.Security.Application.Encoder.HtmlEncode(path);

I've tried all the other methods in this class as well and the script is still being executed before the page loads. I'm using ASP.net 3.5 with Webforms, and I can't upgrade.

eskers
  • https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001) – MethodMan Jul 14 '16 at 18:46
  • To provide a complete answer, it's necessary to see where and how exactly you're using the encoded value. – Michael Liu Jul 14 '16 at 19:17
  • The encoded path is then sent to app.Context.RewritePath, which returns to the Init method of the IHttpModule class. – eskers Jul 14 '16 at 19:24
  • XSS only occurs when you insert malicious content into a Web page. Where is this occurring? – Michael Liu Jul 14 '16 at 19:47
  • As stated in the initial question, it's occurring in the Firefox URL. – eskers Jul 14 '16 at 20:07
  • XSS doesn't "occur" in a URL; by itself, JavaScript in a URL isn't an XSS vulnerability. XSS occurs only when some code copies malicious content from the URL into a Web page without properly encoding the content. You need to track down where in code this happens. – Michael Liu Jul 14 '16 at 21:01
  • Sorry, I'm fairly new to the .NET 3.5 architecture. From my understanding so far, we have this class which inherits from IHttpModule; we get the URL, and if it has query params we run it through some code that figures out where it's trying to go, then we RewritePath(newUrl). It's also my understanding (which may be the issue) that after we do this we reload the page with the given "newUrl". The pen-test we had done says that this is an XSS vulnerability. – eskers Jul 15 '16 at 16:31

1 Answer

https://www.microsoft.com/en-us/download/details.aspx?id=28589

They have this DLL; basically all you need to do is use the sanitize method, and if there is a change between the original value and the sanitized value, that means there might be an attempt at XSS, and you either throw it all out or just use the sanitized value.

Don't use any encoding method; there is a method called something with "sanitize".

EDIT: code example

val = Microsoft.Security.Application.Sanitizer.GetSafeHtmlFragment(val);
val = System.Web.HttpUtility.HtmlDecode(val);

EDIT 2: https://www.nuget.org/packages/HtmlSanitizationLibrary/

The DLL I am using is HtmlSanitizationLibrary.dll

bresleveloper
  • This is the current library I'm using, there is no sanitize method. – eskers Jul 14 '16 at 18:53
  • This is strange, I do not see the Sanitizer class. I've looked in the Assembly Explorer, Object Browser and using the auto complete. I've also tried each version of the AntiXssLibrary in my project; I only have the following: AntiXss, Encoder, UnicodeCharacterEncoder – eskers Jul 14 '16 at 19:14
  • You're right, the DLL is HtmlSanitizationLibrary.dll, my bad, added new link – bresleveloper Jul 14 '16 at 20:15
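Putting the answer's sanitize-and-compare check into the kind of IHttpModule the question describes, as an added example that is code from neither poster. It assumes the module name `QueryGuardModule`, that the module is registered in web.config, and that `Sanitizer` (HtmlSanitizationLibrary.dll) and `Encoder` (AntiXssLibrary) are the classes named on this page; the `Render.LinkTo` helper is hypothetical and shows the point made in the comments, that the value must still be encoded wherever it is written into HTML.

```csharp
using System;
using System.Web;
using Microsoft.Security.Application; // Sanitizer (HtmlSanitizationLibrary.dll) and Encoder (AntiXssLibrary)

// Hypothetical module; registration under <httpModules> in web.config is assumed.
public class QueryGuardModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    public void Dispose() { }

    // The answer's check in one method: if sanitising changes the value, it carried markup.
    // HtmlDecode undoes the sanitiser's entity encoding so a plain "&" in a query does not count as a change.
    public static bool LooksLikeMarkup(string value)
    {
        if (string.IsNullOrEmpty(value)) return false;
        string safe = Sanitizer.GetSafeHtmlFragment(value);
        safe = HttpUtility.HtmlDecode(safe);
        return !string.Equals(safe, value, StringComparison.Ordinal);
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        // Inspect the raw, URL-decoded request line before any rewrite; the payload in the
        // question (quote, angle brackets, a script element) is changed by the sanitiser.
        string decodedUrl = HttpUtility.UrlDecode(app.Context.Request.RawUrl);
        if (LooksLikeMarkup(decodedUrl))
        {
            app.Context.Response.StatusCode = 400;   // reject instead of rewriting to a tainted path
            app.CompleteRequest();
            return;
        }
        // ... the existing routing code that computes newUrl goes here (assumed) ...
        // app.Context.RewritePath(newUrl);
    }
}

// The guard above narrows what reaches the page; it does not replace output encoding.
// Wherever part of the URL is written into markup, encode for that context.
public static class Render
{
    public static string LinkTo(string path)
    {
        return "<a href=\"" + Encoder.HtmlAttributeEncode(path) + "\">back</a>";
    }
}
```

Note that `LooksLikeMarkup` reports any difference the sanitiser introduces, so log what it rejects for a while before relying on a 400, in case legitimate query values are altered.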