
I have made an ASP.NET (fw 3.5) site and wanted to check if it is vulnerable.

I accept input from a textbox and save it in the database and then display it later on another page dynamically.

If I try to enter <script>...</script>, or anything with < and > for that matter, my global.asax catches the exception and I get the message A potentially dangerous Request.Form value was detected from the client (TextBox1="<b> asd</b> ").

I then tried this: &ltscript&gt$(window).load(function(){alert('hello');});&lt/script&gt and this got inserted in the DB the same way, but renders on the page as <script>$(window).load(function(){alert('hello');});</script>.

I do not, however, get an alert box. The script gets printed as it is on the page. The HTML rendered is:

<td style="font-size: 16px;" colspan="2"><script>$(window).load(function(){alert('hello');});</script></td>

My question is, why is this script not executing? I mean, it is a great thing, as I was reading about cross-site scripting attacks and wanted to make my site secure, and that is how it is behaving now, but I don't understand why, as I really haven't coded anything to stop such attacks.

Thanks in advance.

5 Comments

  • Chances are, it is being rendered as &ltscript&gt$(window).load(function(){alert('hello');});&lt/script&gt and it's the browser showing it decoded. How did you view the source of the page? Commented Feb 5, 2013 at 5:58
  • According to my understanding, the JavaScript block is not loaded yet; that's why it is not triggering the alert. Commented Feb 5, 2013 at 6:04
  • @FloydPink Using Chrome debugger tools. Commented Feb 5, 2013 at 6:51
  • Can you check how it shows up using good old right click and view source? As I mentioned, it could still be rendered as HTML encoded. Commented Feb 5, 2013 at 7:03
  • @FloydPink &amp;ltscript&amp;gt$(window).load(function(){alert('did this work?');});&amp;lt/script&amp;gt You were right, it is being HTML encoded. Commented Feb 5, 2013 at 8:02

1 Answer

ASP.NET WebForms has Request Validation enabled by default, which is why you get the exception. When you enter it so as to avoid request validation, it gets interpreted as HTML entities, which do not get interpreted as JavaScript.

In other words, HTML entities are a way of escaping HTML tags so that you can render HTML reserved characters without them being interpreted as HTML. (Similar to "\n" for newline, etc.)

By default, many WebForms controls automatically HTML-encode their text values, which also protects against XSS, but if you disable Request Validation, you must ensure that the data from the database is HTML-encoded prior to being output to the browser (which is good practice anyway).
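The pipeline the answer describes, as an added example that is not part of the original post or of ASP.NET itself. It is Python rather than C# so that it runs stand-alone: `html.escape` stands in for the output encoding a WebForms control performs, `html.parser` stands in for the browser's tokenizer (it decodes entities in text but never turns decoded `<script>` text into an element), and the `request_validation_rejects` regex is only an approximation of the documented request-validation rule (`<` followed by a letter, `!`, `/` or `?`, and `&#`), not the framework's own code. The three inputs are constructed: the question's `&ltscript&gt` payload, a `<script>` tag that arrives through a path that skips request validation (such as a file import), and the `a<b` equation from the comment thread.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample inputs, not taken from the original post's database.
FORM_INPUT = "&ltscript&gt$(window).load(function(){alert('hello');});&lt/script&gt"
FILE_INPUT = "<script>alert('imported')</script>"  # arrives via a path that skips Request Validation
EQUATION = "a<b"                                    # legitimate data that happens to contain '<'

# Approximation of ASP.NET request validation: reject '<' followed by a letter,
# '!', '/' or '?', and the start of a numeric character reference '&#'.
# Illustrative stand-in only; this is not the framework's implementation.
_DANGEROUS = re.compile(r"<[A-Za-z!/?]|&#")


def request_validation_rejects(value):
    """True if the (approximate) request-validation rule would throw on this input."""
    return _DANGEROUS.search(value) is not None


TD = '<td style="font-size: 16px;" colspan="2">%s</td>'


def render_raw(value):
    """Write the stored value straight into the page: the XSS-prone path."""
    return TD % value


def render_encoded(value):
    """HTML-encode on output, which is what the encoding WebForms controls do for you."""
    return TD % html.escape(value, quote=True)


class _ScriptCounter(HTMLParser):
    """Tokenize markup roughly as a browser does: count <script> elements, collect text."""

    def __init__(self):
        super().__init__()
        self.script_elements = 0
        self.text_chunks = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_elements += 1

    def handle_data(self, data):
        # Entities inside text are decoded here, but decoded text never becomes a tag.
        self.text_chunks.append(data)


def parse(markup):
    """Return (number of <script> elements, visible text) for an HTML fragment."""
    p = _ScriptCounter()
    p.feed(markup)
    p.close()
    return p.script_elements, "".join(p.text_chunks)


if __name__ == "__main__":
    for label, value in (("form", FORM_INPUT), ("file", FILE_INPUT), ("math", EQUATION)):
        print(f"{label}: rejected by request validation: {request_validation_rejects(value)}")
        for name, renderer in (("raw", render_raw), ("encoded", render_encoded)):
            scripts, text = parse(renderer(value))
            print(f"  {name:8s} -> script elements: {scripts}, visible text: {text!r}")
```

Running it shows the two halves of the answer: the `&ltscript&gt` payload is never a `<script>` element whether or not the output is encoded (it is text either way, which is why no alert fires), while the `<script>` that bypassed request validation becomes a real element on the raw path and plain text on the encoded path. Encoding is also what keeps `a<b` readable instead of being swallowed as a broken tag.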


5 Comments

I'm not disabling Request Validation anywhere. Also, since HTML entities do not get interpreted as HTML, why do I need to HTML-encode it? I mean, I know it is to prevent scripts, but since it's already being taken care of while the data is input, how is my site vulnerable in a way that I need to take care of by HTML-encoding my output on the page?
I know you're not disabling request validation. What I mean is that when you entered &ltscript&gt$ you were essentially HTML-encoding it yourself, which means that Request Validation did not flag it as dangerous.
If you disable request validation you must ensure that you HTML-encode. HTML encoding is a good practice anyway, because it ensures that data coming from your database (or wherever) gets shown as just that: data, and that it cannot inadvertently be interpreted as HTML or JavaScript. For example, if you load data from a file that doesn't go through request validation, that could become another attack vector. Or, if you allow entering of mathematical equations such as "a<b", then HTML encoding would ensure that the equation was displayed correctly rather than being interpreted as broken HTML.
Okay, I think I understand now. Thanks. Any pointers as to where I can read up more on web attacks and how I can block them would be very helpful.
The OWASP top ten is a good place to start: owasp.org/index.php/Category:OWASP_Top_Ten_Project
