I am using the following code to add a series of calls to the body parameter of a page in asp.net:
uxBodyTag.Attributes["onbeforeunload"] +=
"ajaxRequest('UnlockQuery.ashx?QueryID=" + queryId.ToString() +
"&UserID=" + Session["UserID"].ToString() + "');";
This is being rendered as:
<body id="uxBodyTag" onbeforeunload=
"ajaxRequest('UnlockQuery.ashx?QueryID=176&UserID=11648');">
The & means my ashx page is not retrieving the correct variables - how can I stop asp.net from doing this?
EDIT:
Using
Server.UrlEncode
gives me the following:
<body id="uxBodyTag" onbeforeunload=
"ajaxRequest('UnlockQuery.ashx%3fQueryID%3d179%26UserID%3d11648')%3b">
Which is far worse.
In HTML the ampersand needs to be encoded, always, everywhere, also in attribute values (the contents of the <script> tag is the notable exception, obviously). ASP.NET does the right thing.
Attribute values will be unencoded by the browser before it actually uses them. So your onbeforeunload attribute has a literal value of:
ajaxRequest('UnlockQuery.ashx?QueryID=176&UserID=11648');
while the HTML representation needs to have the & in place of the &. The browser usually understands the ill-encoded version as well, but an SGML parser would complain about an unknown/invalid entity named &UserID.
The behaviour you are seeing with & encoded as & is the behaviour you want. By the time the text gets to your ajaxRequest function it will have been unencoded again and everything should be fine.
Related
I'm pentesting the ASP.NET application running on Microsoft-IIS/7.5 web server and I'm sending it the following GET request parameters:
&search=aaa%20%*+,-/;<=>^|"'bbb
One of the parameters is search, where I've inputed the value that can be seen above. The value is printed in the returned response two times as follows:
The first parameter:
<input name="nn" type="text" value="aaa %* ,-/;<=>^|"'bbb" class="cc" />
Quoted parameters in the first entry are as follows:
" ==> "
' ==> '
< ==> <
I guess there's no way to break out of there, since the value is escaped and we can't input the " character right. Nevertheless, all parameters are not properly escaped, even though it's not possible to break out.
The second parameter:
<strong>aaa %* ,-/;<=>^|"'bbb</strong>
We can see that all of the characters are presented as they are, but there's a catch. After the < character there can't be any [a-zA-Z0-9] (maybe some other as well) characters, because we're probably getting blocked by the ASP.NET filters.
If we input the following:
&searchQuery=aaa<#script>alert('Hi');<#/script>bbb
We get the following output:
<strong>aaa<#script>alert('Hi');<#/script>bbb</strong>
I'm asking if you see any way to break out of the restrictions and execute arbitrary JavaScript code nevertheless?
THank you
HTML requires the tag name to immediately follow the start tag open delimiter <:
Start tags must have the following format:
The first character of a start tag must be a U+003C LESS-THAN SIGN character (<).
The next few characters of a start tag must be the element's tag name.
[…]
Anything beyond that is up to a browser’s interpretation quirks.
But there are also other tags than element tags like markup declaration tags (<!…>), processing instruction tags (<?…>) and alternative comment tags (<%…%>) that are recognized by certain browsers and allow certain hacks.
Have a look at the common XSS cheat sheets like OWASP’s XSS Filter Evasion Cheat Sheet and the HTML5 Security Cheatsheet, or some HTML fuzzers like Shazzer.
I have a databound gridview that use to display pictures I fetch from a server. Im trying to set it up to create a flyout when I mouse over one of the images that enlarges the images. I have encountered a problem though when it comes to adding the attribute to the databound row.I currently have the code
e.Row.Cells(2).Attributes.Add("onmouseover", "flyoutimg.ImageUrl=""" + imgstr + """;")
However, this line of code causes me to have a problem in that the imgstr (which contains the url for the image on the server) does not get passed through into the javascript/aspx of the page. When I boot up the page I can try to mouse over things but it simpally does not work.
Ive tried to put the flyout.ImageUrl in its own string and pass that into the attribute but that does not work either. The only research I could find on this was from two years ago stating that the Attributes.Add encoded apostrophes but not quotation marks.
Any suggestions?
imgstr = dsMyName.Tables(0).Rows(0).Item("Photo").ToString
Im pulling imgstr from a server and doing a .ToString which I believe is redundant.
Try it with a single quote, as in:
e.Row.Cells(2).Attributes.Add("onmouseover", "flyoutimg.ImageUrl='" + imgstr + "';")
This is because I think what .NET does is render this:
onmouseover="flyoutimg.ImageUrl='XYZ'"
If you have double-quotes, it would get messed up thinking it was at the end of the attribute and potentially truncate the value.
Did you mean to have the double quotes?
Try this:
e.Row.Cells(2).Attributes.Add("onmouseover", "flyoutimg.ImageUrl='" + imgstr + " ';")
Notice I used a single quote which is legit HTML.
or try escaping it:
e.Row.Cells(2).Attributes.Add("onmouseover", "flyoutimg.ImageUrl=\"" + imgstr + "\";")
I have an ASP.NET page (handler) that works when called using &. However, a third party page which uses my page converts the & to "&" (ampersterand, amp;) and the page throws "Parameter is not valid." error.
I have read that parameters should be encoded with & but it seems to be causing my page to error.
.NET is converting that to ampsterstand,amp, %3
Here is more info on the problem
http://weblogs.asp.net/bleroy/archive/2009/06/05/why-is-asp-net-encoding-amp-s-in-script-urls-a-tale-of-looking-at-entirely-the-wrong-place-for-a-cause-to-a-non-existing-bug.aspx
My problem is that I'm trying to use Facebook which is converting the & to the "and amp" form and I believe that it is causing my code not to work.
This is actually the answer. Facebook was displaying the link with the encoded & which .NET will not accept. However, it was using the unencoded form. The problem was that it couldn't pull from HTTPS protocol.
Basically, AMPSTERSTAND non encoded is required as the parameter deliminator.
I've .NET webservice, which takes a encoded html-string as a parameter, decodes the string and creates a PDF from the html. I want to make a synchronous server side call to the webservice from a classic asp webpage. It works fine if use a plain text string (with no html tags), but when I send a encoded html string the webservice it seems that the string is empty when it reaches the webservice.
The webservice is working fine when I call it from client side, with both plain text string and an encoded html string.
My code looks like this:
Private Sub SaveBookHtmlToPdf(pHtml, pShopId)
Set oXMLHTTP = CreateObject("Msxml2.ServerXMLHTTP.6.0")
Dim strEnvelope
strEnvelope = "pShopId=" & pShopId & "&pEncodedHtml=" & Server.HTMLEncode(pHtml)
Call oXMLHTTP.Open("POST", "https://mydomain.dk:4430/PdfWebservice.asmx/SaveBookToPdf", false)
Call oXMLHTTP.SetRequestHeader("Content-Type","application/x-www-form-urlencoded")
Call oXMLHTTP.Send(strEnvelope)
Set oXMLHTTP = Nothing
End Sub
It smells like some kind of security issue on the server. It's working when posting a asynchronous call from the client side, but not when it comes from server side - it seems that the encoded html string is somehow not allowed in a server side call to the webservice.
Anyone who know how to solve this tricky problem?
This looks all wrong to me:
Server.HTMLEncode(pHtml)
Its quite common for developers to get confused between HTML encoding and URL encoding even though they are quite different. You are posting data that needs to be URL encoded. Hence your code should use URLEncode instead:
strEnvelope = "pShopId=" & pShopId & "&pEncodedHtml=" & Server.URLEncode(pHtml)
Edit:
One thing that URLEncode does that may not be compatible with a URLEncoded post is it converts space to "+" instead of "%20". Hence a more robust approach might be:
strEnvelope = "pShopId=" & pShopId & "&pEncodedHtml=" & Replace(Server.URLEncode(pHtml), "+", "%20")
Another issue to watch out for is that the current value of Response.CodePage will influence how the URLEncode encodes non-ASCII characters. Typically .NET does things by default in UTF-8. Hence you will also want to make sure that your Response.CodePage is set to 65001.
Response.CodePage = 65001
strEnvelope = "pShopId=" & pShopId & "&pEncodedHtml=" & Replace(Server.URLEncode(pHtml), "+", "%20")
This may or may not help but I use a handy SOAP Class for Classic ASP which solved a few problems I was having doing it manually. Your code would be something like this:
Set cSOAP = new SOAP
cSOAP.SOAP_StartRequest "https://mydomain.dk:4430/PdfWebservice.asmx", "", "SaveBookToPdf"
cSOAP.SOAP_AddParameter "pShopId", pShopId
cSOAP.SOAP_AddParameter "pEncodedHtml", Server.HTMLEncode(pHtml)
cSOAP.SOAP_SendRequest
' result = cSOAP.SOAP_GetResult("result")
You will probably need to set your namespace for it to work ("" currently), and uncomment the 'on error resume next' lines from the class to show errors.
AnthonyWJones made the point about URL encoding and HTML encoding, and the original problem being experienced is likely a combine of the two, a race condition if you will. While is was considered answered, it partially wasn't, and hopefully this answers the cause of the effect.
So, as the message get HTMLEncoded, the html entities for the tags become such '<' = '<'.
And as you may know, in URLEncoding, &'s delimit parameters; thus the first part of this data strEnvelope = "pShopId=" & pShopId & "&pEncodedHtml=" & Server.HTMLEncode(pHtml) upto the "&pEncodedHtml" bit, is fine. But then "<HTML>..." is added as the message, with unencoded &'s...and the receiving server likely is delimiting on them and basically truncating "&pEncodedHtml=" as a null assign: "&pEncodedHtml=<HTML>... ." The delimiting would be done on all &'s found in the URL.
So, as far as the server is concerned, the data for parameter &pEncodedHtml was null, and following it were now several other parameters that were considered cruft, that it likely ignored, which just happened to actually be your message.
Hope this provides additional info on issues of its like, and how to correct.
We have taken over a .NET project recently and upon looking at the db we have the following in some columns:
1) Some columns have values such as
" & etc etc
2) Some have <script> tags and other non html encoded tags
This data is displayed all over the site. When trying out HtmlEncoding on point number 1 we get the following " -> "
Obviously we are wanting to htmlencode when displaying as point 2 contains javascript which we don't want executed.
Is there a way to use HtmlEncoded on values that might or might not be already encoded?
Is there a way to use HtmlEncoded on values that might or might not be already encoded?
No there isn't.
What i would suggest is that you write a quick script that goes through the database and unencode the already encoded data. Then use something like the Microsoft AntiXSS library (tutorial here) to encode all output before it gets output to the web page. Remember that it is fine to store the data unencoded1, the danger is when you echo it back out to the end user.
Some controls already encode output using encode functionality built into the .Net framework - which is not bulletproof to XSS - you just have to either avoid using those controls or just not encode the data displayed by them. There is a FAQ question pertaining to the MS controls that encode at the bottom of the page for the first link which you should read. Also some third party control vendors encode the output of their controls, you would do yourself a favor if you test them to make sure they are not still susceptible to XSS.
1Don't forget to take steps to prevent SQL injection though!
Before applying HtmlEncode( "myText" ) use HtmlDecode method to the input text.
That way you will decode your string from:
& quot; & amp; etc etc < script>
to
" & etc etc < script>
and afterwards apply encode "from scratch".