?
Solved

Validating names that could contain <> symbols ie potentially malicious javascript

Posted on 2013-10-31
8
Medium Priority
?
370 Views
Last Modified: 2013-10-31
One of my GUIs was giving a message “A potentially dangerous Request. Form value was detected from the client”
This is because names can contain <> characters.
To stop this message one can add ValidateRequest="false” to web.config.
This leaves the application vulnerable to malicious input eg

http://www.thegeekstuff.com/2012/02/xss-attack-examples/

If the GUI converts <> to escape characters the stored procedure will need to convert them back, so I could still get malicious javascript when the browser displays the name.

The only consolation I can think of is that the name is limited to 90 characters.  How long would a string of javascript need to be to act maliciously?

This link gives some tags to look out for, but is not exhaustive.  

http://msdn.microsoft.com/en-us/library/ff649310.aspx
Any suggestions?  I'm using visual studio 2008 with asp.net 3.5 - C#
0
Comment
Question by:AlHal2
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 39613800
If the GUI converts <> to escape characters the stored procedure will need to convert them back, so I could still get malicious javascript when the browser displays the name.
That's exactly what you should do. If you need to display these characters in an application that is something not a web browser, then yes, you will need to convert them back to regular brackets, but at that point you're not really concerned about XSS. AFAIK, all modern browsers will display HTML-encoded entities without issue, so storing them that way makes sense.
0
 
LVL 82

Expert Comment

by:leakim971
ID: 39613802
How long would a string of javascript need to be to act maliciously?

size of imagination
don't take any risk
0
 

Author Comment

by:AlHal2
ID: 39613817
Thanks Leakim971.

Kaufmed,

I need to display these names in a web browser.

You say "but at that point you're not really concerned about XSS"
Why not?  
If I'm really not concerned with XSS at that stage then why convert to escape characters at all?
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 39613841
You say "but at that point you're not really concerned about XSS"
Why not?
You're missing a bit of context:

If you need to display these characters in an application that is something not a web browser...but at that point you're not really concerned about XSS.

If I'm really not concerned with XSS at that stage then why convert to escape characters at all?
A browser will display HTML-encoded entities as the regular text equivalent. Such text won't be interpreted as, say, a <script> tag by the browser--it will be literal text. So if you HTML-encoded the brackets in your database:

&lt;script&gt;

Then you will not have a script tag once it hits the browser, you will have text that says <script>.
0
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 39613846
See for yourself:

Screenshot
0
 

Author Comment

by:AlHal2
ID: 39613980
Sorry for being slow, but are you saying we should store the names with escape characters in the database itself?   The browser will then display the names with <>?
0
 
LVL 75

Accepted Solution

by:
käµfm³d   👽 earned 2000 total points
ID: 39614338
Yes.
0
 

Author Closing Comment

by:AlHal2
ID: 39614400
thanks.
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Ready to improve network connectivity? Watch this webinar to learn how SD-WANs and a one-click instant connect tool can boost provisions, deployment, and management of your cloud connection.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Having worked on larger scale sites, we found out that you are bound to look at more scalable solutions to integrating widgets, code snippets or complete applications and mesh them into functional sites, in any given composition. To share some of…
Boost your ability to deliver ambitious and competitive web apps by choosing the right JavaScript framework to best suit your project’s needs.
The viewer will learn the basics of jQuery, including how to invoke it on a web page. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery.: (CODE)
The viewer will learn the basics of jQuery including how to code hide show and toggles. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery…
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question