We are currently dealing with some XSS issues in one of our ASP.NET MVC projects. I found two questions - the first one concerns the query validation pattern. An attacker can now use this security hole to remove bad content in our database.
The second problem is how we display this content, and we use the Html.DisplayTextFor method, and it seems "broken".
Just create a new MVC 3 WebApp, put it in the HomeController:
    using System.Web.Mvc;

    public class HomeController : Controller
    {
        public ActionResult Index()
        {
            ViewBag.Message = "<SCRIPT/XSS SRC=\"htpp://ha.ckers.org/css.js\">";
            User foo = new User();
            foo.Name = "<SCRIPT/XSS SRC=\"htpp://ha.ckers.org/css.js\">";
            return View(foo); // pass the User instance as the view's model
        }

        public ActionResult About()
        {
            return View();
        }
    }

    public class User
    {
        public string Name { get; set; }
    }
View:
    @model User

    @Html.TextBoxFor(m => m.Name) <br/>        @* will be encoded *@
    @Html.Encode(ViewBag.Message) <br/>        @* will be double encoded *@
    @Model.Name <br/>                          @* will be encoded *@
    @Html.DisplayTextFor(m => m.Name) <br/>    @* no encoding *@
DisplayTextFor output will be the whole line <script xss="" src="htpp://ha.ckers.org/css.js">
Question: error, function, or am I using it incorrectly?
Robert Muehsig
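One defensive option for the unencoded DisplayTextFor output described in the question: an HtmlHelper extension that renders the same simple display text but always HTML-encodes it before wrapping it in an MvcHtmlString. This is an added example, not code from the question or from ASP.NET MVC itself; the extension name SafeDisplayTextFor is hypothetical.

```csharp
using System;
using System.Linq.Expressions;
using System.Web;
using System.Web.Mvc;

// Hypothetical helper (added example): an encoding-safe counterpart to
// Html.DisplayTextFor for use in Razor views, e.g.
//   @Html.SafeDisplayTextFor(m => m.Name)
public static class SafeDisplayExtensions
{
    public static MvcHtmlString SafeDisplayTextFor<TModel, TValue>(
        this HtmlHelper<TModel> html,
        Expression<Func<TModel, TValue>> expression)
    {
        // Resolve the same metadata DisplayTextFor uses for the property.
        ModelMetadata metadata =
            ModelMetadata.FromLambdaExpression(expression, html.ViewData);
        string text = metadata.SimpleDisplayText ?? string.Empty;

        // MvcHtmlString marks its content as "already safe", so Razor will
        // not encode it again; encode explicitly before wrapping it.
        return MvcHtmlString.Create(HttpUtility.HtmlEncode(text));
    }
}
```

With the User model from the question, the Name value is emitted as &lt;SCRIPT/XSS ...&gt; rather than as a live script tag, matching what @Model.Name produces.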