Solved

Validating names that could contain <> symbols ie potentially malicious javascript

Posted on 2013-10-31
8
360 Views
Last Modified: 2013-10-31
One of my GUIs was giving a message “A potentially dangerous Request. Form value was detected from the client”
This is because names can contain <> characters.
To stop this message one can add ValidateRequest="false” to web.config.
This leaves the application vulnerable to malicious input eg

http://www.thegeekstuff.com/2012/02/xss-attack-examples/

If the GUI converts <> to escape characters the stored procedure will need to convert them back, so I could still get malicious javascript when the browser displays the name.

The only consolation I can think of is that the name is limited to 90 characters.  How long would a string of javascript need to be to act maliciously?

This link gives some tags to look out for, but is not exhaustive.  

http://msdn.microsoft.com/en-us/library/ff649310.aspx
Any suggestions?  I'm using visual studio 2008 with asp.net 3.5 - C#
0
Comment
Question by:AlHal2
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 39613800
If the GUI converts <> to escape characters the stored procedure will need to convert them back, so I could still get malicious javascript when the browser displays the name.
That's exactly what you should do. If you need to display these characters in an application that is something not a web browser, then yes, you will need to convert them back to regular brackets, but at that point you're not really concerned about XSS. AFAIK, all modern browsers will display HTML-encoded entities without issue, so storing them that way makes sense.
0
 
LVL 82

Expert Comment

by:leakim971
ID: 39613802
How long would a string of javascript need to be to act maliciously?

size of imagination
don't take any risk
0
 

Author Comment

by:AlHal2
ID: 39613817
Thanks Leakim971.

Kaufmed,

I need to display these names in a web browser.

You say "but at that point you're not really concerned about XSS"
Why not?  
If I'm really not concerned with XSS at that stage then why convert to escape characters at all?
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 39613841
You say "but at that point you're not really concerned about XSS"
Why not?
You're missing a bit of context:

If you need to display these characters in an application that is something not a web browser...but at that point you're not really concerned about XSS.

If I'm really not concerned with XSS at that stage then why convert to escape characters at all?
A browser will display HTML-encoded entities as the regular text equivalent. Such text won't be interpreted as, say, a <script> tag by the browser--it will be literal text. So if you HTML-encoded the brackets in your database:

&lt;script&gt;

Then you will not have a script tag once it hits the browser, you will have text that says <script>.
0
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 39613846
See for yourself:

Screenshot
0
 

Author Comment

by:AlHal2
ID: 39613980
Sorry for being slow, but are you saying we should store the names with escape characters in the database itself?   The browser will then display the names with <>?
0
 
LVL 75

Accepted Solution

by:
käµfm³d   👽 earned 500 total points
ID: 39614338
Yes.
0
 

Author Closing Comment

by:AlHal2
ID: 39614400
thanks.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Performance in games development is paramount: every microsecond counts to be able to do everything in less than 33ms (aiming at 16ms). C# foreach statement is one of the worst performance killers, and here I explain why.
Today, the web development industry is booming, and many people consider it to be their vocation. The question you may be asking yourself is – how do I become a web developer?
The viewer will learn the basics of jQuery, including how to invoke it on a web page. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery.: (CODE)
The viewer will learn the basics of jQuery including how to code hide show and toggles. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question