Category Archives: Xss

[RESOLVED] Textbox entering <xxx> results in error

Hello

I never knew that when you enter <xx> in a textbox it gives an error, so my question is: how can I avoid this kind of problem, and how can I avoid this error? I can't tell people not to enter this in the textbox; who knows what people will do, so it is better to make sure you won't get an error because of this.

Anyone have an idea how to solve this issue?

Thanks 

Read this article to learn about the built-in request validation and how to disable it.

http://www.asp.net/learn/whitepapers/request-validation 

Note that if you disable the built-in request validation, then you may be exposing your site to the possibility of an XSS attack. You can implement other protections to mitigate XSS attacks, such as an AntiXSS library: http://www.microsoft.com/downloads/en/details.aspx?familyid=051EE83C-5CCF-48ED-8463-02F56A6BFC09&displaylang=en


Dear friend,

Set the top line of your page like this:

<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" ValidateRequest="false" %>

But be careful, because this action will make your website prone to XSS attacks. Furthermore, you should use HtmlEncode to increase security and constrain input as follows:

using System.Text;
using System.Web;

// Encode everything the user typed, so no markup survives as-is.
StringBuilder htmlBuilder =
    new StringBuilder(
        HttpUtility.HtmlEncode(
            commentInput.Text));

// Now selectively re-enable the HTML
// we wish to support.
htmlBuilder.Replace("&lt;b&gt;", "<b>");
htmlBuilder.Replace("&lt;/b&gt;", "</b>");
htmlBuilder.Replace("&lt;i&gt;", "<i>");
htmlBuilder.Replace("&lt;/i&gt;", "</i>");

I don't think this idea of disabling ValidateRequest is a good idea... but anyway, as you requested, Mike gave you the answer...

And in case you are using .NET greater than 2.0, then use requestValidationMode="2.0" in web.config...

Thanks.

Yeah, I need the best solution to solve this; I don't want to solve this issue by lowering the website's defence.

So yeah ...   

shkipper

Yeah, I need the best solution to solve this; I don't want to solve this issue by lowering the website's defence.

If you wish to keep ValidateRequest enabled, then you might try adding JavaScript at the client to prevent users from entering the characters > and <. Those two characters trigger the validation error.

Note that it is possible to turn off the built-in request validation and still maintain your defenses. But turning off the built-in defense means that you will need to add your own defensive code to prevent the possibility of XSS attacks. Not something to be taken on lightly unless you fully understand the ramifications.

Hi,

You can use JavaScript to replace values like "<" and ">" with &gt; and &lt; etc. before submitting the form. You can do this in the onsubmit event of the form, and use Server.HtmlDecode() on the server side to decode the HTML tags.


-Regards,

Hello again. I think JavaScript is not a good solution in this case, and .NET has a very powerful technique named HtmlEncode. HtmlEncode changes <b> to
&lt;b&gt;, for instance, so there is no danger anymore, but a new problem will come: what do you do if you want to let the user enter some line of text in bold?

Ex: This is Asp.net forum

So you should use htmlBuilder and replace them as follows:

htmlBuilder.Replace("&lt;b&gt;", "<b>");

But all in all you should be careful about the input, because all XSS attacks which are JavaScript-based can be performed on controls like textboxes, etc.

What kind of attack could it then be if I directly replace <> with &lt;, &gt;?

Then I shouldn't be scared of anything :) it will be safe, I suppose.

So, if I use HtmlEncode it will be all right?

In that way there is no chance for an XSS attack, but imagine that you set ValidateRequest to false and do not replace <> with &lt;, &gt;;

then write the following code in your textbox and let's see what happens:

<script>window.alert('YOU WERE HACKED') ;</SCRIPT>

Test it and see the result, but with the instruction that I told you there would be no problem, so do not worry, my friend.
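The encode-then-re-enable approach from the replies above, run against the <script> test payload from this thread, as an added example; this is not code from any post. It assumes the .NET Framework with System.Web available; the class name, method name and sample inputs are my own, and the inputs are constructed for the demonstration.

```csharp
// Added example (not from the thread): output-encode untrusted text, then restore
// a fixed whitelist of attribute-free tags. Class/method names are hypothetical.
using System;
using System.Text;
using System.Web;

public static class CommentRenderer
{
    // Encode everything, then selectively restore the exact encoded forms of <b>, </b>, <i>, </i>.
    // The replace only matches those exact strings, so a tag carrying attributes
    // (e.g. <b onmouseover="...">) or any other element stays encoded and inert.
    public static string Render(string untrustedInput)
    {
        var htmlBuilder = new StringBuilder(HttpUtility.HtmlEncode(untrustedInput ?? string.Empty));
        htmlBuilder.Replace("&lt;b&gt;", "<b>").Replace("&lt;/b&gt;", "</b>");
        htmlBuilder.Replace("&lt;i&gt;", "<i>").Replace("&lt;/i&gt;", "</i>");
        return htmlBuilder.ToString();
    }

    public static void Main()
    {
        // Constructed sample inputs, including the test payload posted in the thread.
        string[] samples =
        {
            "This is <b>Asp.net</b> forum",
            "<script>window.alert('YOU WERE HACKED') ;</SCRIPT>",
            "<b onmouseover=\"alert(1)\">hover me</b>",
            "Hello < everyone >",
        };
        foreach (var s in samples)
        {
            Console.WriteLine("{0}", s);
            Console.WriteLine("  -> {0}", Render(s));
        }
    }
}
```

The first sample comes back with its bold tags restored; the other three come back fully encoded, so when Render's result is written into the page the browser shows the literal text (this is also why a Label assigned "&lt;" displays "<" without any decoding call) and runs nothing. Store the raw input and call Render at output time; do not encode before saving and decode on the way out, since that reopens the hole. Server.HtmlEncode is a thin wrapper over HttpUtility.HtmlEncode, so either works here.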

Yeah, I did what you said; I wrote Server.HtmlEncode(txt.Text); and I'm getting &gt;, &lt; instead of < >. Also, I don't know if it should be like this, but when I type <something> it isn't being sent; I don't know if it should be like this or not. If I type < something > (with spaces between < and the word) then it does send with &lt; and &gt; (I checked in debug).

Also I want to mention that I don't use HtmlDecode anywhere, but in the label I see < something > again, so it decodes on its own. I suppose it should be like this, or am I mistaken?

First, this method is introduced by Microsoft for this purpose.

Then I do not understand what you said in terms of the label; please explain it more clearly.

I do not know if I understood well or not, but you should decode it yourself as follows:

for encode:

HttpUtility.HtmlEncode

for decode:

HttpUtility.HtmlDecode

Is there a difference between Server.HtmlEncode/Decode and HttpUtility.HtmlEncode/Decode?

What I meant with the previous question is:

I used Server.HtmlEncode on the textbox like this ==> string text = Server.HtmlEncode(txt.Text);

Then in the textbox I enter => Hello < everyone >

In the string text I get the following text => Hello &lt; everyone &gt;

Then I assign that string to the label => lbl.Text = text;

On the page I see: Hello < everyone >


So what I conclude from this is that I don't need to HtmlDecode, because I get this "<>" back without any decoding, so I suppose it happens automatically; if it didn't happen I would see in the label "Hello &lt; everyone &gt;".

Hello my friend again,

please check this link about the differences:

http://blog.diegocadenas.com/2008/03/serverhtmlencode-vs-httputilityhtmlenco.html 

[RESOLVED] submitting html through a textbox.

I know that I can HtmlEncode and decode server-side with ASP.NET, but I've run into an issue if I want to work with some of my forms that should allow HTML tags when working outside of my company's network. The issue is that my company's firewall tests for cross-site scripting attacks. So now I need to encode/decode my text on the client side, it would seem. What does the rest of the world use and/or do to overcome issues like this?

TIA,

Web Dev2


So you're saying that HttpUtility.HtmlEncode(TextBox1.Text) will encode the text in the textbox of the form on the client side and not on the server side? Because I need to encode before it hits the web server, since the firewall would catch the unencoded version and throw an error about cross-site scripting...

Hello,

I think the main purpose of that article is to set the ValidateRequest attribute to false to bypass that error. Keep in mind that doing so will open the door to a Cross-Site Scripting (XSS) vulnerability.

<%@ Page Language="C#" ValidateRequest="false"%>

Right, cross-site scripting is bad. I know. But how do you allow HTML to be put into a web form and encode/decode it on the client? I suppose it can also be checked on the server side, as it should. I just need the textboxes to accept HTML and have it pass through our firewall already encoded, so that the firewall doesn't drop the call and not pass it to the web server. Kinda goes back to my question: how is the rest of the world doing this in an ASP.NET form? I know a lot of CMSs allow this to happen.


Hi,

You need to literally mention it on the page like below.

<%@ Page Language="C#" ValidateRequest="false"%>

In addition to Ramidu's idea, we can keep the event validation on for the safe side and then submit HTML text into an ASP.NET web page. The idea is to use jQuery to encode the HTML on the client side and then submit the encoded HTML along with the page.

    // Registered once per page: encodes the value of the textbox whose id is passed in
    // and stores the encoded HTML in a companion hidden field with the suffix "Value".
    private string controlScript = @"
        function EncodeHtml(source) {
            var text = $(""#"" + source).val();
            var encodedHtml = $(""<div/>"").text(text).html();
            $(""#"" + source + ""Value"").val(encodedHtml);
        }
    ";
    // Per-control script, used as a string.Format template (hence the doubled braces);
    // {0} is the control's ClientID.
    private string instanceScript = @"
        $(document).ready(function () {{
            var controlId = ""#"" + ""{0}"" + ""Value"";
            var text = $(controlId).val();
            var encodedHtml = $(""<div/>"").text(text).html();
            $(controlId).val(encodedHtml);
        }});
    ";

Full example can be found here:

Demo page can be found here:

[RESOLVED] TinyMCE Editor with asp.net

I am new to ASP.NET. I am using the TinyMCE editor with ASP.NET for all my textareas, but when I submit the form, I get the "potentially dangerous" error for the content in those textareas.

And I have found a solution at http://blog.tentaclesoftware.com/archive/2010/07/22/96.aspx , but I just don't know where I should apply that code on my page. The code in this link is the solution.

Where should I put it? Please help me.

You'll need to do that in the code-behind. If you are using a submit button, double-click it to set up an OnClick event in the code-behind. Then take each HTML area and do your get/set, or do it with a Replace call:

    // The editor submits its content HTML-encoded; decode it back to markup on the server.
    string bodyHtml = HttpUtility.HtmlDecode(TextBoxBodyHtml.Value);

If that doesn't work, simply replace the individual characters that are bad. Generally, look for SQL reserved characters like ' " < > and replace them with their HTML-decoded equivalents.

Here's some replace code to help get you started:

    // Replace "&" first so the entities added below are not themselves re-encoded.
    string fixval = line.Replace("&", "&amp;");
    fixval = fixval.Replace("'", "&#39;");
    fixval = fixval.Replace("\"", "&quot;");
    fixval = fixval.Replace("%", "&#37;");
    fixval = fixval.Replace("<", "&lt;");
    fixval = fixval.Replace(">", "&gt;");

You may also need to set ValidateRequest="false" in the page header. Also, try sticking with HttpUtility.HtmlEncode when storing the data into a DB instead of writing your own replacement code.

But I thought setting ValidateRequest to false is a bad idea because then you introduce the risk of cross site scripting to your web application.

How difficult would it be for a hacker to place JS code into the database without that validation check in there? Very easy... All they'd need to do is copy/paste a URL as a JS, and any time someone opens that posting it will visit the remote site once JS is allowed to run. Most users will just hit allow and not even consider the danger. Once allowed to run on the page, it won't ask again. Go here for more:

http://www.cgisecurity.com/xss-faq.html

bbcompent1

But I thought setting ValidateRequest to false is a bad idea because then you introduce the risk of cross site scripting to your web application.

It is, but a lot of those rich text editors don't work unless you do.

Also, wouldn't parameterized statements and HtmlEncode prevent any JavaScript from being rendered when added to a DB and loaded into a textbox? The data would be displayed as "<script> blah blahblah </script>" and not executed.

That would make sense. However, our "friends" are always coming up with new methods of exploiting unknown vulnerabilities. True?

bbcompent1

However, our "friends" are always coming up with new methods of exploiting unknown vulnerabilities. True?

Very sad truth :)

[RESOLVED] ValidateRequest Issue

Hi, I have an aspx page on which there is a search textbox, and the value is passed through the query string to Search.aspx, on which the search results are displayed in a grid. Now, if I enter a value like "<test/>" in it, then it shows the "potentially dangerous Request.Form..." exception.

One solution to this problem is to set ValidateRequest="false", but is there any other solution, because I need to keep ValidateRequest = true?

I also tried Server.UrlEncode, but it doesn't work until I set ValidateRequest="false" on my page. Also, is there any way to set ValidateRequest for a master page, or do we need to set it in web.config only?

Any help would be appreciated.

You can use regular expressions to validate/invalidate the textbox. Try this:

    <asp:ValidationSummary runat="server" ID="summary" ValidationGroup="my_search_validation"
        ForeColor="Red" />
    <asp:TextBox runat="server" ID="my_textbox"></asp:TextBox>
    <asp:RegularExpressionValidator runat="server" ID="my_regex" ControlToValidate="my_textbox"
        ErrorMessage="my_error_message" Text="my_text" ValidationExpression="^[A-Za-z0-9]{0,100}$"
        ValidationGroup="my_search_validation"></asp:RegularExpressionValidator>

On your second question, you can set the ValidateRequest attribute to true or false in the Page directive at the top of your aspx page.

<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="default.aspx.cs" ValidateRequest="false" Inherits="Web_Tester._default" %>

Hi,

Any time you are accepting input from a user textbox, ASP.NET will try to protect your site from people trying to put HTML/JavaScript into your page, to prevent someone putting JS bombs or cookie-stealing scripts into your pages.

If you are going to allow someone to put HTML/JavaScript into a box, then you must disable ValidateRequest on the page that will accept it, and then validate (very aggressively) that malicious code isn't getting into your pages.

An alternative is to look at maybe using a JS library to URL-encode the data once it has been entered, but you still have the situation that the data may be malicious and should be aggressively screened.

Regards

Si

You can use JavaScript (onblur event) to modify the text in the textbox. This should avoid the error.

    function Change()
    {
        // Replace the box's current value with its HTML-encoded form before the postback,
        // so the raw < and > characters never reach request validation.
        var box = document.getElementById('<%= TextBox1.ClientID %>');
        box.value = box.value.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
    }

Thanks for the help. By using JavaScript on the page for validation and turning ValidateRequest = false, the problem on the page is solved. Another issue is that I have a master page and I want to turn off ValidateRequest on the master page, so is it possible, or do we need to set ValidateRequest to false in web.config?

As greatbear posted, we can turn the ValidateRequest attribute on the page, but in a similar way can we do this for a master page?

Thanks again for all the replies.

Hi,

jitendra.25

As greatbear posted, we can turn the ValidateRequest attribute on the page, but in a similar way can we do this for a master page?

According to your description, as far as I know the request validation feature in ASP.NET provides a certain level of default protection against cross-site scripting (XSS) attacks. Request validation is enabled by default; if you want to turn off ValidateRequest on a master page, you can add ValidateRequest="false" to the content page like this:

<%@ Page Title="" Language="C#" MasterPageFile="~/MasterPage.master" ValidateRequest="false" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="MasterPageValidateMode_Default" %>

jitendra.25

so is it possible or do we need to set the validateRequest to false in web.config.

To disable request validation for your application, you must modify or create a Web.config file for your application and set the validateRequest attribute of the <pages /> section to false:

<configuration>
   <system.web>
      <pages validateRequest="false" />
   </system.web>
</configuration>

However, I would like to suggest you make sure that when request validation is disabled, content can be submitted to your application; it is the responsibility of the application developer to ensure that content is properly encoded or processed.

Please check the link below for more information:

Request Validation - Preventing Script Attacks

Hope it can help you.

thanks for all the replies.
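Keeping request validation on for the whole site and exempting only the one field that legitimately carries markup is what both the TinyMCE thread and the last question ("I need to keep validateRequest = true") are really after, and neither thread shows it. The following is an added example, not code from any post: it uses the RequestValidator extension point in System.Web.Util (ASP.NET 4.0 and later, default requestValidationMode 4.0), which the threads do not mention. The field name BodyHtml, the namespace, the assembly name and the size limit are assumptions. Note that the RegularExpressionValidator suggested above does not avoid the error on its own: request validation runs when ASP.NET first reads the form collection, early in the page lifecycle, before page validators execute.

```csharp
// Added example (not from the threads): keep ASP.NET request validation ON site-wide
// and exempt a single named form field. Field name, namespace and assembly are hypothetical.
using System;
using System.Web;
using System.Web.Util;

namespace Example.Security
{
    public class EditorFieldRequestValidator : RequestValidator
    {
        // Only this form field may carry raw HTML; everything else gets the built-in checks.
        private const string ExemptFieldName = "BodyHtml";
        // Bound the exempt value so the exemption cannot be used to smuggle unbounded payloads.
        private const int MaxExemptLength = 64 * 1024;

        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            if (IsExemptField(requestValidationSource, collectionKey)
                && context != null
                && string.Equals(context.Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
            {
                if (value != null && value.Length > MaxExemptLength)
                {
                    validationFailureIndex = MaxExemptLength;
                    return false;
                }
                // Accepted unvalidated: the code that renders this field must HtmlEncode it
                // or run it through an HTML sanitizer before it reaches a page.
                validationFailureIndex = 0;
                return true;
            }

            // Query string, cookies, headers and every other form field: unchanged behaviour.
            return base.IsValidRequestString(
                context, value, requestValidationSource, collectionKey, out validationFailureIndex);
        }

        // With master pages the posted key is prefixed, e.g. "ctl00$Main$BodyHtml",
        // so match either the bare name or a "$"-separated suffix.
        private static bool IsExemptField(RequestValidationSource source, string collectionKey)
        {
            if (source != RequestValidationSource.Form || collectionKey == null)
            {
                return false;
            }
            return string.Equals(collectionKey, ExemptFieldName, StringComparison.Ordinal)
                || collectionKey.EndsWith("$" + ExemptFieldName, StringComparison.Ordinal);
        }
    }
}

// Registration in Web.config (assembly name "MyWebApp" is an assumption; for a
// Web Site project with the class in App_Code, the bare type name suffices):
//
//   <system.web>
//     <httpRuntime requestValidationType="Example.Security.EditorFieldRequestValidator, MyWebApp" />
//   </system.web>
```

With this in place ValidateRequest stays true on every page and the master page question goes away: the "potentially dangerous Request.Form value" check still fires for the search box, the query string and any other field, and only the editor's textarea is let through. The exempt field is then untrusted markup and must be treated as such at output time, either HtmlEncode'd for plain display or passed through an HTML sanitizer such as the one in the AntiXSS library linked in the first thread if the tags are to be preserved.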