Solved

Validating names that could contain <> symbols ie potentially malicious javascript

Posted on 2013-10-31
378 Views
Last Modified: 2013-10-31
One of my GUIs was giving a message "A potentially dangerous Request.Form value was detected from the client".
This is because names can contain <> characters.
To stop this message one can add ValidateRequest="false" to web.config.
This leaves the application vulnerable to malicious input, e.g.

http://www.thegeekstuff.com/2012/02/xss-attack-examples/

If the GUI converts <> to escape characters the stored procedure will need to convert them back, so I could still get malicious javascript when the browser displays the name.

The only consolation I can think of is that the name is limited to 90 characters. How long would a string of javascript need to be to act maliciously?

This link gives some tags to look out for, but is not exhaustive.

http://msdn.microsoft.com/en-us/library/ff649310.aspx
Any suggestions? I'm using Visual Studio 2008 with ASP.NET 3.5 - C#
Question by:AlHal2
8 Comments
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 39613800
If the GUI converts <> to escape characters the stored procedure will need to convert them back, so I could still get malicious javascript when the browser displays the name.
That's exactly what you should do. If you need to display these characters in an application that is something not a web browser, then yes, you will need to convert them back to regular brackets, but at that point you're not really concerned about XSS. AFAIK, all modern browsers will display HTML-encoded entities without issue, so storing them that way makes sense.
0
 
LVL 83

Expert Comment

by:leakim971
ID: 39613802
How long would a string of javascript need to be to act maliciously?

size of imagination
don't take any risk
0
 

Author Comment

by:AlHal2
ID: 39613817
Thanks Leakim971.

Kaufmed,

I need to display these names in a web browser.

You say "but at that point you're not really concerned about XSS"
Why not?  
If I'm really not concerned with XSS at that stage then why convert to escape characters at all?
0
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 39613841
You say "but at that point you're not really concerned about XSS"
Why not?
You're missing a bit of context:

If you need to display these characters in an application that is something not a web browser...but at that point you're not really concerned about XSS.

If I'm really not concerned with XSS at that stage then why convert to escape characters at all?
A browser will display HTML-encoded entities as the regular text equivalent. Such text won't be interpreted as, say, a <script> tag by the browser; it will be literal text. So if you HTML-encoded the brackets in your database:

&lt;script&gt;

Then you will not have a script tag once it hits the browser, you will have text that says <script>.
0
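The encode-before-storage approach kaufmed describes, written out as an added example (this is my code, not code from the thread or from the asker's application). It uses System.Web.HttpUtility, which ships with the ASP.NET 3.5 the question mentions; the 90-character limit comes from the question, and the submitted name is a constructed sample value.

```csharp
// Added example: HTML-encode a user-supplied name before it is stored, then show
// why decoding it again before rendering re-creates the script tag.
using System;
using System.Web;

public static class NameEncoding
{
    // Length limit stated in the question for the name column.
    public const int MaxNameLength = 90;

    // Encodes the characters an HTML parser treats as markup (<, >, &, ").
    // Note: on .NET 3.5 HtmlEncode leaves the single quote alone (.NET 4 encodes
    // it as &#39;), so only emit the value as text content or inside a
    // double-quoted attribute.
    public static string EncodeForStorage(string rawName)
    {
        if (rawName == null) throw new ArgumentNullException("rawName");
        if (rawName.Length > MaxNameLength)
            throw new ArgumentException("name exceeds " + MaxNameLength + " characters");
        return HttpUtility.HtmlEncode(rawName);
    }

    // True if a value still carries raw angle brackets, i.e. it was not encoded
    // (or has been decoded again) and must not be written into a page as-is.
    public static bool ContainsRawMarkup(string value)
    {
        return value.IndexOf('<') >= 0 || value.IndexOf('>') >= 0;
    }

    public static void Main()
    {
        // Constructed sample input: a "name" that carries a script tag.
        string submitted = "O'Brien <script>alert(1)</script>";

        string stored = EncodeForStorage(submitted);
        Console.WriteLine(stored);
        // O'Brien &lt;script&gt;alert(1)&lt;/script&gt;
        Console.WriteLine(ContainsRawMarkup(stored)); // False: safe to emit as text

        // The concern raised in the question: if the stored procedure or the page
        // decodes the value before output, the tag is back and the browser will
        // execute it. Check for that instead of decoding.
        string decoded = HttpUtility.HtmlDecode(stored);
        Console.WriteLine(ContainsRawMarkup(decoded)); // True: must not be rendered
    }
}
```

Two practical notes on this layout. First, if the database already holds the encoded form, the page must write it out without encoding it a second time, otherwise the user sees `&lt;` literally; a Literal control or Response.Write emits the stored string unchanged. Second, request validation only needs to be relaxed on the page that accepts names (`<%@ Page ValidateRequest="false" %>`) rather than for the whole site in web.config, so the other pages keep the built-in check.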
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 39613846
See for yourself:

Screenshot
0
 

Author Comment

by:AlHal2
ID: 39613980
Sorry for being slow, but are you saying we should store the names with escape characters in the database itself? The browser will then display the names with <>?
0
 
LVL 75

Accepted Solution

by: käµfm³d 👽 earned 2000 total points
ID: 39614338
Yes.
0
 

Author Closing Comment

by:AlHal2
ID: 39614400
Thanks.
0
