Is context.HttpContext.Request.RawUrl always a vulnerability?

Is context.HttpContext.Request.RawUrl inside a controller action a "must fix" problem?

I am trying to highlight everywhere in four .NET Applications which are exposed to XSS URL hacking.

So, it seems EVERY TIME I find the line of code:

context.HttpContext.Request.RawUrl

I need sanitize it by checking the web domains against my white list.

Is this a correct assumption, that EVERY instance of RawURL is dangerous?

Can you think of any other C# keywords I can search for while looking for vulnerabilities on the C#.NET application?

Thanks
newbiewebSr. Software EngineerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
Not really.
The raw URL is defined as the part of the URL following the domain information. In the URL string  http://www.contoso.com/articles/recent.aspx, the raw URL is  /articles/recent.aspx.
This means, you can use rawurl and do not have to care about through which address the server was called. So if your domain is already check against whitelisted before this rawurl, then you don't really need to repeat that and just escape the string in rawurl..

That said, as in all input variable, it is always to check against any active script and trust but verify the whole url (like Request.Url) to check it is indeed a whitelisted domain and non-suspicious page..  So it is not so much it is vulnerable but it is necessity to check. Same applies for any inputs parameter. Therefore instead of having to check for all such rawurl method used, maybe we can edit on its extension ...(rusty coding recalling)

If you really want the actual, raw URL, you could use the following extension method:

public static class HttpRequestExtensions
{
    public static Uri GetRawUrl(this HttpRequest request)
    {
        var httpContext = request.HttpContext;
        var requestFeature = httpContext.Features.Get<IHttpRequestFeature>();
        return new Uri(requestFeature.RawTarget);
    }
}
0
newbiewebSr. Software EngineerAuthor Commented:
I am actually looking in the C# for URL's I need to validate.

I see a function which starts with:

            var returnUrl = context.HttpContext.Request.RawUrl;

then adds returnUrl into a RouteValueDictionary. Is this  a vulnerability in my code?

I actually want the whole URL so I can check it against the white list I have already created.

How do I get the FULL Url from the Request? Or, could any malicious URL only ever be contained in the RawUrl?

Thanks.
0
btanExec ConsultantCommented:
You probably encode it before doing further processing. See example.


// Write request information to the file with HTML encoding.
sw.WriteLine(Server.HtmlEncode(Request.PhysicalApplicationPath));
sw.WriteLine(Server.HtmlEncode(Request.PhysicalPath));
sw.WriteLine(Server.HtmlEncode(Request.RawUrl));
https://msdn.microsoft.com/en-us/library/system.web.httprequest.rawurl(v=vs.110).aspx

Also the URL property of an HTTPRequest object returns a System.URI object, which also contains server name
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Managing Security & Risk at the Speed of Business

Gartner Research VP, Neil McDonald & AlgoSec CTO, Prof. Avishai Wool, discuss the business-driven approach to automated security policy management, its benefits and how to align security policy management with business processes to address today's security challenges.

newbiewebSr. Software EngineerAuthor Commented:
So, in the following code snippet:

            var returnUrl = context.HttpContext.Request.RawUrl;
            var requestAccept = context.HttpContext.Request.Headers["Accept"];
            if (requestAccept.Contains("application/json"))
            {
                base.OnAuthorization(context);
                return new HttpStatusCodeResult((int)HttpStatusCode.BadRequest, "unauthorized");
            }
            var dictionary = new RouteValueDictionary
            {
                {"controller", controller},
                {"action", action},
                {"ReturnUrl", returnUrl}
            };

Open in new window


should I replace the last line with the following:
                     {"ReturnUrl", Server.HtmlEncode(Request.RawUrl) }

Open in new window

0
btanExec ConsultantCommented:
Yes. It is advised to encode all user inputs to prevent XSS attack.
0
newbiewebSr. Software EngineerAuthor Commented:
thanks
0
newbiewebSr. Software EngineerAuthor Commented:
What is the namespace for "Server"? Or did you mean HTML Encode from a different namespace than Server?
0
btanExec ConsultantCommented:
Server is some variable belonging to the HttpUtility class, or you can call HttpUtility.HtmlEncode(myString);
https://msdn.microsoft.com/en-us/library/73z22y6h(v=vs.110).aspx
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Vulnerabilities

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.