Solved

Validating names that could contain <> symbols ie potentially malicious javascript

Posted on 2013-10-31
8
335 Views
Last Modified: 2013-10-31
One of my GUIs was giving a message “A potentially dangerous Request. Form value was detected from the client”
This is because names can contain <> characters.
To stop this message one can add ValidateRequest="false” to web.config.
This leaves the application vulnerable to malicious input eg

http://www.thegeekstuff.com/2012/02/xss-attack-examples/

If the GUI converts <> to escape characters the stored procedure will need to convert them back, so I could still get malicious javascript when the browser displays the name.

The only consolation I can think of is that the name is limited to 90 characters.  How long would a string of javascript need to be to act maliciously?

This link gives some tags to look out for, but is not exhaustive.  

http://msdn.microsoft.com/en-us/library/ff649310.aspx
Any suggestions?  I'm using visual studio 2008 with asp.net 3.5 - C#
0
Comment
Question by:AlHal2
  • 4
  • 3
8 Comments
 
LVL 74

Expert Comment

by:käµfm³d 👽
Comment Utility
If the GUI converts <> to escape characters the stored procedure will need to convert them back, so I could still get malicious javascript when the browser displays the name.
That's exactly what you should do. If you need to display these characters in an application that is something not a web browser, then yes, you will need to convert them back to regular brackets, but at that point you're not really concerned about XSS. AFAIK, all modern browsers will display HTML-encoded entities without issue, so storing them that way makes sense.
0
 
LVL 82

Expert Comment

by:leakim971
Comment Utility
How long would a string of javascript need to be to act maliciously?

size of imagination
don't take any risk
0
 

Author Comment

by:AlHal2
Comment Utility
Thanks Leakim971.

Kaufmed,

I need to display these names in a web browser.

You say "but at that point you're not really concerned about XSS"
Why not?  
If I'm really not concerned with XSS at that stage then why convert to escape characters at all?
0
 
LVL 74

Expert Comment

by:käµfm³d 👽
Comment Utility
You say "but at that point you're not really concerned about XSS"
Why not?
You're missing a bit of context:

If you need to display these characters in an application that is something not a web browser...but at that point you're not really concerned about XSS.

If I'm really not concerned with XSS at that stage then why convert to escape characters at all?
A browser will display HTML-encoded entities as the regular text equivalent. Such text won't be interpreted as, say, a <script> tag by the browser--it will be literal text. So if you HTML-encoded the brackets in your database:

&lt;script&gt;

Then you will not have a script tag once it hits the browser, you will have text that says <script>.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 74

Expert Comment

by:käµfm³d 👽
Comment Utility
See for yourself:

Screenshot
0
 

Author Comment

by:AlHal2
Comment Utility
Sorry for being slow, but are you saying we should store the names with escape characters in the database itself?   The browser will then display the names with <>?
0
 
LVL 74

Accepted Solution

by:
käµfm³d   👽 earned 500 total points
Comment Utility
Yes.
0
 

Author Closing Comment

by:AlHal2
Comment Utility
thanks.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Library to convert HTML to PDF. 8 42
Chat Room 1 22
addressing a specific html page 9 19
XML & .net 5 14
Introduction Hi all and welcome to my first article on Experts Exchange. A while ago, someone asked me if i could do some tutorials on object oriented programming. I decided to do them on C#. Now you may ask me, why's that? Well, one of the re…
Article by: DanRollins
This article describes a JavaScript program that creates a maze made of hexagonal cells.  In Part 2 (http://www.experts-exchange.com/Programming/Languages/Scripting/JavaScript/A_7850-Hex-Maze-Part-2.html), we'll extend the program by adding a depth-…
The viewer will learn the basics of jQuery, including how to invoke it on a web page. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery.: (CODE)
The viewer will learn the basics of jQuery including how to code hide show and toggles. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now