I want to avoid script injection in my already running asp.net application, so I have added
FilteredTextBoxExtender with every text box at run time on Pagebase Init event and that works perfectly, where I have defined "<>&" charters which are invalid.
I want to know all special charters which cause an issue for script injection.
Try using Server.HTMLEncode and Server.HTMLDecode.
The less-than character (<) is converted to <.
The greater-than character (>) is converted to >.
The ampersand character (&) is converted to &.
The double-quote character (") is converted to ".
Any ASCII code character whose code is greater-than or equal to 0x80 is converted to &#, where is the ASCII character value.
More details
http://msdn.microsoft.com/en-in/library/ms525347%28v=vs.90%29.aspx
Edit 1
Some SO links
ASP.NET Server.HtmlEncode Limitations
Why is Server.HtmlEncode required?
Edit 2
You can refer to this link
What characters or character combinations are invalid when ValidateRequest is set to true?
Related
According the CSS Level 3 specification, for parsing the start of an identifier, you:
Check if three code points would start an identifier
Look at the first code point:
If the first character is -, then we have a valid identifier if:
The second code point is an identifier-start code point ([a-zA-Z_] or non-ASCII).
The second code point is -.
The second and third character form a valid escape.
Otherwise, we do not have a valid identifier start. After determining if we have a valid identifier start, the only requirements to have a valid <ident-token> is we have 0 or more of any combination of the following:
Escape tokens
ASCII letters
Digits
_ or -
Non-ASCII characters
Since we do not require any characters following an identifier start token, this would suggest that -- is a valid identifier, even if never supported by any browser or framework. However, even official CSS validation services (maintained by those that design the CSS specifications) do not consider this a valid identifier. Is this merely a bug in the validation service?
Yes it's valid and it works. It's the shortest custom property (aka CSS variable) that you can define:
body {
--:red;
background:var(--);
}
Related: Can a css variable name start with a number?
The -- custom property identifier is reserved for future use, but current browsers incorrectly treat it as a valid custom property.
See also
w3c/csswg-drafts#6313
When adding data with the block call.StorageValue, the string is saved in firebase with "/" before and after the string,
There does not seem to be any block to remove it, How can I do it?
It's a normal firebase function that allows to separate the values and read them as such.
Example :
on Firebase, "\"English-EN\"" is a single value sent from the app as English-EN
and "[\"863674037411046\",\"863674037411046\",\"863674037411046\",\"863674037411046\"]" is a list of numbers sent as 863674037411046.
Try to retrieve the value with a button and to a simple label and you should see that it's displayed without the extra characters.
Source:check my app "harpokrates". I've made it as a firebase DB management demo and it uses nothing else. All values are stored as you describe and are retrieved just fine, without extra symbols or any need to trim the text.
ps:However if you do have extra symbols at some point, check your use of lists and lists of lists that might generate excessive "\" if you made a mistake somewhere. You can also use the "trim" or "split text" blocks but that would be bad practice. Finding the code error is best.
This is likely an escape character that escapes the special character " (quotation marks). This is common practice to use \ as an escape character to indicate that the next character has special meaning, in this case it is not the start or end of a string but actually part of it.
As such you can't actually remove it (just the escape character) and should consider how you got a quotation mark in the string to begin with.
You should however be able to remove the entire quotation mark \"
I'm pentesting the ASP.NET application running on Microsoft-IIS/7.5 web server and I'm sending it the following GET request parameters:
&search=aaa%20%*+,-/;<=>^|"'bbb
One of the parameters is search, where I've inputed the value that can be seen above. The value is printed in the returned response two times as follows:
The first parameter:
<input name="nn" type="text" value="aaa %* ,-/;<=>^|"'bbb" class="cc" />
Quoted parameters in the first entry are as follows:
" ==> "
' ==> '
< ==> <
I guess there's no way to break out of there, since the value is escaped and we can't input the " character right. Nevertheless, all parameters are not properly escaped, even though it's not possible to break out.
The second parameter:
<strong>aaa %* ,-/;<=>^|"'bbb</strong>
We can see that all of the characters are presented as they are, but there's a catch. After the < character there can't be any [a-zA-Z0-9] (maybe some other as well) characters, because we're probably getting blocked by the ASP.NET filters.
If we input the following:
&searchQuery=aaa<#script>alert('Hi');<#/script>bbb
We get the following output:
<strong>aaa<#script>alert('Hi');<#/script>bbb</strong>
I'm asking if you see any way to break out of the restrictions and execute arbitrary JavaScript code nevertheless?
THank you
HTML requires the tag name to immediately follow the start tag open delimiter <:
Start tags must have the following format:
The first character of a start tag must be a U+003C LESS-THAN SIGN character (<).
The next few characters of a start tag must be the element's tag name.
[…]
Anything beyond that is up to a browser’s interpretation quirks.
But there are also other tags than element tags like markup declaration tags (<!…>), processing instruction tags (<?…>) and alternative comment tags (<%…%>) that are recognized by certain browsers and allow certain hacks.
Have a look at the common XSS cheat sheets like OWASP’s XSS Filter Evasion Cheat Sheet and the HTML5 Security Cheatsheet, or some HTML fuzzers like Shazzer.
What is the default regular expression used by asp.net create user wizard?
According to the MSDN documentation, it should be something like this:
Regular Expression: #\"(?:.{7,})(?=(.*\d){1,})(?=(.*\W){1,})
Validation Message: Your password must be 7 characters long, and contain at least one number and one special character.
However, it does not work as it does not accept something like 3edc£edc, which is actually accepted when using the default create user wizard.
Any idea about how can I get this regular expression?
The error is in the ?: in (?:.{7,})(?=(.*\d){1,})(?=(.*\W){1,}) that is "consuming" the fist seven characters or more characters. It should be ?= OR you can invert the order: (?=(.*\d){1,})(?=(.*\W){1,})(?:.{7,})
Just change the order
^(?=(.*\d))(?=(.*\W)).{7,}
I additionally removed the {1,} and anchored it to the start of the string and you don't need a group around the last part
See it here on Regexr
How does one pass string contains '\' from from asp.net
server side to javascript function?
After checking parameters at client side, all '\' replaced with '' even,
replacing '\' with '%5C' at server side doesn't work.
Any idea?
\ is a special character - basically it "escapes" the character after it. Try passing \\ instead. BTW - if you're using C# you can use the # character before a string to avoid needing to pass it as a double slash, e.g.
string path = #"c:\documents\mydocuments";
I got solution for that.
parameter.Replace("\\", "\\\\") solve it.
Are you using ASP.NET to write a JavaScript string literal? ie. something like:
Page.RegisterStartupScript("foo",
"<script type='text/javascript'>"+
" var bar= '"+myBarValue+"';"+
"</script>"
);
If so, then you are embedding text inside a delimited JavaScript string literal and you must use an escaping scheme that follows the syntax for string literals. In particular any \ character inside the text must be escaped with \\, and any ' character must be replaced by \', since that's the delimiter being used in this case (JavaScript can use either type of quote to delimit strings).
What's more if you're using an inline <script> block like in the above example, you're actually embedding text in a string literal in an HTML element, so you have to do some HTML escapes too. In particular you have to break up any </ sequences in the text, because that would end the script block. Also, in XHTML, there are no CDATA elements, so you'd also have to ampersand-escape any < or & characters in the text, except that would make it incompatible with legacy-HTML parsers. So to solve all these problems it is better to use JavaScript string literal escapes for that too, replacing < with \x3C and & with \x26.
Ideally what you would do would be to pass the simple string to a JSON encoder library, which would take care of escaping it appropriately for JavaScript. However I don't know of one for .NET that will escape the HTML for you as above, so you'd still need some replaces.