2

While submitting a form, in one of the fields i am inserting vulnerable characters like =cmd|'/C calc'!A0. So in security terms it is termed as CSV-injection in export functionality

I have written code like this for above error. but its not working

[WebMethod]
public static string SaveRecord(RRSOCSaving RRSOCSaving, string Indication)
{
    string strReturnId = "";
    string strAppURL = ConfigurationManager.AppSettings["AppUrl"].ToString();            
    string strmail_Content = "";

    CommonDB commonObj = new CommonDB();

    try
    {
        // Cross site scripting issue code tag..!!   

        if (commonObj.HackerTextExistOrNot(RRSOCSaving.STORE_CODE)
              || commonObj.HackerTextExistOrNot(RRSOCSaving.CITY)
              || commonObj.HackerTextExistOrNot(RRSOCSaving.STORE_SITENAME)
              || commonObj.HackerTextExistOrNot(RRSOCSaving.STORE_SITENAME_LANDL_1)
              || commonObj.HackerTextExistOrNot(RRSOCSaving.STORE_SITENAME_LANDL_2)
              || commonObj.HackerTextExistOrNot(RRSOCSaving.STORE_ASST_MANAGER_NAME)
              || commonObj.HackerTextExistOrNot(RRSOCSaving.STORE_ASST_MANAGER_MOBNO)
              || commonObj.HackerTextExistOrNot(RRSOCSaving.STORE_MANAGER_NAME)
              || commonObj.HackerTextExistOrNot(RRSOCSaving.MANAGER_MOBNO)
              || commonObj.HackerTextExistOrNot(RRSOCSaving.EMP_NEAREST_STORE)
              || commonObj.HackerTextExistOrNot(RRSOCSaving.EMP_NEAREST_STORE_MOBNO)
              || commonObj.HackerTextExistOrNot(RRSOCSaving.SUPERVISOR_MOBNO)
              || commonObj.HackerTextExistOrNot(RRSOCSaving.SECURITY_SUP_NAME_STORE)
              || commonObj.HackerTextExistOrNot(RRSOCSaving.SECURITY_SUP_MOBNO_STORE)
              || commonObj.HackerTextExistOrNot(RRSOCSaving.ALPM_ALPO_NAME)
              || commonObj.HackerTextExistOrNot(RRSOCSaving.ALPM_ALPO_MOBNO))
        {
            strReturnId = "Something went wrong due to malicious script attack..!!!";
        }
        else
        {
            if (RRSOCSaving.ROLE_ASSIGNED == "SLP State Head")
            {
                bool blnState1 = Array.Exists(RRSOCSaving.ASSIGNED_STATE.ToString().ToUpper().Split(','), element => element == (RRSOCSaving.STATE).ToString().ToUpper());                        

                if (blnState1)
                {
                    strmail_Content = Get_Email_Content(RRSOCSaving.STORE_CODE, RRSOCSaving.UserName, Indication, RRSOCSaving.STATE, RRSOCSaving.SITE_STORE_FORMAT, RRSOCSaving.STORE_SITENAME);
                    //  SendEmail(RRSOCSaving.UserName, RRSOCSaving.STORE_CODE, RRSOCSaving.SLP_EMAILID, ConfigurationManager.AppSettings["NHQEmail"].ToString(), strmail_Content, Indication);
                    strReturnId = CommonDB.INSERT_INTO_RRSOC_INFO(RRSOCSaving, Indication);
                }
                else
                {
                    strReturnId = "User can add data for " + RRSOCSaving.ASSIGNED_STATE + " only";
                }
            }
            else if (RRSOCSaving.ROLE_ASSIGNED == "NHQ Admin")
            {
                strmail_Content = Get_Email_Content(RRSOCSaving.STORE_CODE, RRSOCSaving.UserName, Indication, RRSOCSaving.STATE, RRSOCSaving.SITE_STORE_FORMAT, RRSOCSaving.STORE_SITENAME);
                //  SendEmail(RRSOCSaving.UserName, RRSOCSaving.STORE_CODE, RRSOCSaving.SLP_EMAILID, ConfigurationManager.AppSettings["NHQEmail"].ToString(), strmail_Content, Indication);
                strReturnId = CommonDB.INSERT_INTO_RRSOC_INFO(RRSOCSaving, Indication);
                //strReturnId = "Record Saved Succesfully";
            }
        }

        // strReturnId = CommonDB.INSERT_INTO_RRSOC_INFO(RRSOCSaving);
    }
    catch (Exception)
    {
        throw;
    }

    return strReturnId;
}

public bool HackerTextExistOrNot(string Text)
{
    bool flgValid = false;
    Regex htmltags = new Regex(@"<.*?>");
    Match chkMatch = htmltags.Match(Text);
    if (chkMatch.Success)
    {
        flgValid = true;
    }
    return flgValid;
}

Please suggest how to stop this error.

mason
  • 31,774
  • 10
  • 77
  • 121
Nad
  • 4,605
  • 11
  • 71
  • 160

1 Answers1

5

Your HackerTextExistOrNot method is checking for the existance of html tags.

You should however check if the text is starting with one of the formular triggering characters.

To protect yourself against the injection attack ensure that none of the given text begins with any of the following characters:

   Equals to ("=")

   Plus ("+")

   Minus ("-")

   At ("@")

So you can check like this:

var attackChars = new char[]{'=','+','-','@'};

if(attackChars.Contains(text[0])
{

}
Postlagerkarte
  • 6,600
  • 5
  • 33
  • 52
  • i guess you did the whitelist checking and I was doing the blaclist checking – Nad Jul 25 '19 at 12:47
  • 1
    yes its working mate, I am upvoting it for now. But i will accept it once my tester gives the approval from their end.. – Nad Jul 25 '19 at 13:09