Cross Site Scripting Through URL - asp-classic

I have been told to find a fix to Cross Site Scripting (XSS) in some of my bank old .asp pages.
I did some research on the subject, but I didn't find an answer to my problem. It's the first time I heard about XSS and the first time I am looking at ASP (although the page has nothing but HTML) and I haven't been into web design for about 2 years now, so I am very very rusty.
So for example, I have this form
<form method="POST" id="CH" name="CH" action="http://some_url/some.asp">
<input type="hidden" name="srv" value="1" ID="srv"/>
<TABLE border="0" cellpadding="0" cellspacing="0" width="100%" align="center">
<TR valign="top">
<TR>
<TD align="center">Input something here
<input name="input_something" type="text" class="field-no-fit" maxlength="12" value="">
</TD>
</TR>
</TR>
</TABLE>
</form>
If I manually input the URL (which contains this form) as
http://this_url/this.asp?1=%22%3E%3Cscript%3Ealert%28HelloWorld%29%3C/script%3E%3Cimg%20alt=%22%22%20src=%22
the page will load and then it will throw a javascript alert and display an error image.
My goal is to stop scripts from running when opening the page.
I read about Server.HTMLEncode but can't find a way to use it to stop the script from running at page load.
Thanks in advance!
EDIT: Will I be able, at least partially, to work around it if I replace the input's value with:
"<%= Server.HTMLEncode(Request("input_something"))%>"
I cannot test it, since, currently, I have no access to IE6, and all the other browsers (including IE>6 versions) avoid the error (already disabled XSS Filter in the Security tab, but it does not work)

i do not think that has anything to do with the browser?
you obviously write the content of a querystring parameter directly on your page like so:
<%=Request.QueryString("1")%>
that is bad.
as you already have found out you should use
server.htmlencode( Request.QueryString("1") )
everywhere on your pages where you write user input directly on the page.
that should do the trick
also have a look here

(I do not know much about ASP) You may be able get an easy fix by enabling ASP request validation. As with any behaviour changes, a number of things can break on other pages (although this would be surprising), so test the the change first. See Step 1 in http://msdn.microsoft.com/en-us/library/bb355989.aspx
Your server is filling in all tags on the page, including the hidden "srv" input, from URL parameters, with no filtering for HTML tags, which then get pasted into the page. You can limit this form to respond to POST only, not GET method, then your example attack will not work. This is probably the easiest and most harmless fix.
Finally, look if you can set cookie attribute for whatever cookie is used to track sessions to HTTPOnly.
A very long read on all possible measures you can use is at http://msdn.microsoft.com/en-us/library/ms998274.aspx

Related

What is the porper way to get user input in ASP.NET?

Should I use ASP elements with a runat="server" attribute or an HTML form?
It seems like using ASP tags such as <asp:TextBox> is much more comfortable since I don't have to redirect the user to another page on a form submition, but also from what I've seen, it seemed like HTML forms are the more accepted way. I was starting to wonder if using ASP elements increases server load or has any other disadvantage?
In case I should use ASP elements, how do I validate the input with Javascript before sending it to the server?
In case I should use HTML forms, how do I not redirect the user on submition and also not run the server code on page load?
You can easily use the HTML5 input type in Web Forms by adding the runat="server" attribute, so that it can be accessed on the server-side:
<label for="name">Name:</label>
<input type="text" id="name" name="name" required
minlength="4" maxlength="8" size="10" runat="server">
Note, on the server-side you will access it via the Value property of the input element, not with the Text property of a typical ASP.NET textbox control.
Contrary to what a lot of people think, ViewState only ever becomes a problem when people do silly things like nesting data-bound controls, in which case it can become bloated very quickly.
Not sure what you're asking regarding validation... but you still have options like this on both client and server. If you're working with an existing Web Forms project, I would stick with regular ASP.NET controls and keep it simple. This way, you can have out-of-the-box validation on both client and server.

from asp to asp.net

Is it posible to convert an ASP app to ASP.NET? I prefer to work with Visual Studio, in ASP.NET rather than just ASP. I need to do this because I'm stuck trying to watch an ASP page, as I don´t know how to work with ASP, I'm trying to see the code of ASP (classic ASP) in Visual Studio, maybe I need to make some changes, but I don´t know what the changes are. I did several changes in my app, like put a button to select and unselect checkboxes, but I can´t see any change or image, this way to works is different that the way I'm use to it, well,it's supossed this code works, (the problem is I can´t see any change):
<td align="center" colspan="3">
<input type="button" name="btn_seleccionar_todo" value="Seleccionar todo" onclick="javascript:marcar(this.form);">
</td>
<td align="center" colspan="3">
<input type="button" name="btn_desseleccionar_todo" value="Seleccionar todo" onclick="javascript:desmarcar(this.form);">
</td>
function marcar()
{
for (i=0;i<form.usuarios.options.length;i++)
{
form.usuarios.options[i].checked=true;
}
}
function desmarcar()
{
for(i=0;i<form.usuarios.options.length;i++)
{
form.usuarios.options[i].checked=false;
}
}
Switching fundamental technologies is a huge undertaking and not to be taken lightly. You definitely shouldn't approach it as a simple translation of VBScript into C#... you need to rewrite the entire thing using the newly selected technology idiomatically. Its like using Google translate to communicate via email or chat with someone who speaks a different language - it could work, but not really very well.

Is it possible to 'turn off' indentation in asp.net controls?

When I use built-in controls in asp.net I can see many tab characters added at start of each line of the generated html output. Is it possible to 'turn of' these? I'd like to get rid of this waste.
For example when I use GridView control, it generates <table> tag which looks like this:
<div>
<table>
<tr>
<th>...</th>
</tr>
<tr>
<td>...</td>
</tr>
...
</table>
</div>
But I want to see this:
<div>
<table>
<tr>
<th>...</th>
</tr>
<tr>
<td>...</td>
</tr>
...
</table>
</div>
I wonder who designed this silly stuff. Although it is "just a few bytes", it sends many unneeded waste over internet if you look at it from a long time period point of view. (I understand that indentation makes it more readable, but still at least those inner <th> and <td> tags are a bit too much indented.)
Or do you think I am completely wrong? [Are those tabs important for The World?]
I wonder who designed this silly stuff
Microsoft Corporation.
Or do you think I am completely wrong?
I think you are completely wrong. HTML is to be read and interpreted by browsers. You, as a developer, could use developer tools such as FireBug to inspect the actual DOM tree in a nice way. Humans/users don't give a s..t about how your HTML is indented. They look at the final product rendered by the browser and this is what you should be focusing on. Actually in production in order to optimize bandwidth you should compress your HTML and remove all white-spaces. Could be done with custom response filters.
Personally, when I write a page (I use the Repeater control, so there's a bit of a difference), I always indent my HTML. Yes, even the content within the <th> and <td> tags.
I can understand your point (especially when we talk about using gzipped and minified copies of JavaScript libraries) when you're talking about a production application that's never debugged. However, without HTML indentation, it would be incredibly difficult for me to unwind problems in my layout or errors I made when I wrote CSS or HTML properties.

Is nested <form> possible?

in a content page of an asp.net web page, i would like to include the "paypal" button "Pay Now".
So, i've a master page, and a content page.
In my content page i copy-paste paypal code.
In particular i use a "modalpopupextender" to permit my user to buy the object.
The problem is... it not work.
So my hypotheses are:
I'm not sure, but i think i can't use a nested <form action>
If not the first, maybe i can't use a <form action> into a modal popup ?
someone can suggest me an "elegant" solutions to solve this ?
Thank you ...
EDIT: in particular, what i'm trying to do is to permit to sell from a website.
I've a master page, and a content page.
Obviously in master page i've the classical "form action" .
Then i'm gone to paypal and got this code: "
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_s-xclick">
<table>
<tr><td>
<input type="hidden" name="on0" value="Annuncio Premium">Annuncio Premium
</td></tr>
<tr><td>
<select name="os0">
<option value="Premium 1">Premium 1 €1,00</option>
</select>
</td></tr>
</table>
<input type="hidden" name="currency_code" value="EUR">
<input type="hidden" name="encrypted" value="-----BEGIN ">
<input type="image" src="https://www.paypal.com/it_IT/IT/i/btn/btn_paynowCC_LG.gif" border="0" name="submit" alt="PayPal - Il sistema di pagamento online più facile e sicuro!">
<img alt="" border="0" src="https://www.paypal.com/it_IT/i/scr/pixel.gif" width="1" height="1">
</form>
So i've pasted it into my content page ... as it... without changing.
In particular i've pasted it, into a panel, that will show whith a "modalpopupextender".
It works. But what it not work is when i click the paypal "Buy Now" button.
My web page don't redirect to paypal, modalpopup disappears and nothing happens.
I had this exact issue too and couldn't believe that PayPal had not provided some sort of solution for .NET developers!!
Here is how I solved it:
<asp:ImageButton ID="btnPayNow" runat="server" ImageUrl="myPayPalButton.jpg"
PostBackUrl="https://www.paypal.com/cgi-bin/webscr" OnClick="btnPayNow_Click"/>
Use an ImageButton or normal button and simply remove the form tags for the PayPal code, leave in the hidden input fields and the data will be posted to the PayPal url!
Nice and easy :)
Ps. The method 'btnPayNow_Click()' does nothing, signature exists but there is no logic in the code I have.
You are quite correct, in that you cannot nest <form>s.
Nor can you use the form action to create a popup - the action attribute is the url to which the form posts to.
You can, however, have many <form>s on the page, so long as they are not nested. Perhaps that will solve you issue.
Can you please describe exactly what you are trying to achieve? It is not clear from your question what the problem is.
If I understand the question correctly, you are trying to create a dynamic HTML popup window which contains a PayPal form. You are having problems because the popup contains a form, but the HTML for the popup is already contained within a form.
If the problem you are experiencing is what I described above, the solution is fairly simple. You need to move all of the HTML for the popup outside of the exiting form element. If you are using CSS to properly lay out your site, it should be possible to display your dynamic popup wherever you need to on the page using relative or absolute positioning. The HTML for the popup need not be contained within another form. It may also be possible (perhaps even necessary) to put the contents of the popup into an iframe, which can be submitted entirely independently from the rest of the page. The semantics of how your popup works would depend on how you need your page to function.
So, to be clear...it is not possible to nest form elements. However, it is also not necessary to accomplish your needs.
EDIT:
To improve the answer above in light of the updated question. You can have multiple content panels on a master page. It should be entirely possible to create another content panel that is outside of your form element in your master page...and place your modal popup inside of this alternative content panel. My above answer would then still apply, as you no longer have nested forms.
You are right in your first hypothese, you can't have nested form tags in a page.
You just have to put the code for the popup outside the form, you can have any number of forms in the page as long as they are not nested.
Dal's answer is correct! (not taking credit with my answer)
I had a similar issue in ASP.NET (4.0) when trying to submit data to SagePay (same as PayPal form posting). I was writing the form fields in dynamically using panels in the code-behind using
Dim Panel As New Panel
Panel.Controls.Add(New LiteralControl("My <input> controls HTML")) '1 control.add per <input> control.
MyDiv.Controls.Add(Panel)
I was writing the whole < form> dynamically also, so when it came to debugging I received no warnings regarding the issue that my entire Site.Master is within a - this is not visible from a .aspx page using the master as a template! It was quite frustrating... Until I read that you cannot have a nested < form>... There are only two alternatives to this:
1) move the form details outside the first that is within my Site.Master from the .aspx page itself. (I didn't like the idea of this, messy messy!)
2) create another control that is NOT a to post my data.
I chose the latter!
<asp:Button id="btn_payment" value="Proceed to Payment" Text="Proceed to Payment" runat="server" PostBackUrl="https://test.sagepay.com/gateway/service/vspform-register.vsp" />
The button posted to SagePay, took my dynamically generated fields (Called from the .aspx page) and as they were already within the from my Site.Master - all worked well! - I hope this helps anyone using dynamically generated HTML with forms.

ASP.Net Form send click but nothing happens

I am building a german payment provider into my site.
But when I click on "Submit", nothing happens. Can someone please help me? I think I've looked at it too much and I can't see the forest for the trees anymore...
<form method="post" action="https://www.sofortueberweisung.de/payment/start">
<input name="currency_id" type="hidden" value="EUR" />
<input name="reason_1" type="hidden" value="Zambuu" />
<input name="user_id" type="hidden" value="29593" />
<input name="project_id" type="hidden" value="80145" />
<input type="submit" value="Absenden" />
</form>
Okay, so it's a little bit unclear what I want, it seems:
I have a lot of asp-sites allready, and now I must send, however, the information that is given by the hidden inputs by post-method to the site "sofortüberweisung.de/payment/start".
However I can solve it, it's not nessecary, there is no need for a form-tag, if there is another solution (e.g. with the code behind).
So: How can I send a lot of post information (these here is only an exmaple, in the real site there are a lot more) with code and redirect it to the right site?
If the code you have provided is within a standard ASP.NET form, so that you have nested form tags, try the solutions provided to this Stack Overflow question.
If it is possible to have this page be a simple html form, that is another possible solution.
Your button needs to have the runat="server" attribute set and it might be worth doing the same on your form atttribute.
Also remember in asp.net webforms you can only have one form tag.
I've had this issue a couple of times before where when creating an HTML form inside an ASP.NET form tag, the inner form just wouldn't post out.
One solution for me was to adjust the ASP.NET form tag wrapper for that page (moving the close above the HTML tag).
Another (where I needed ASP.NET controls obove and below the HTML form) was to add an iframe, passing the parameters for the form post to the iframe URL. Using JavaScript, the iframe then used those parameters to post the form to a new window/the parent window. Probably better ways, but it worked for me.

Resources