Re: Potentially dangerous script - urgent!




Dave,

Thanks for the explanation; so the regex is catching onmouseover=

The regex in 2.0 must be smarter because it does not throw an exception for
on=

Thanks for the explanation.




"Dave Bacher" wrote:

> STech,
>
> The issue would be DHTML insertion attacks.
>
> Let's say that I have forum software, and I'm prompting the user for the URL
> of a forum avatar, which I then load into the src attribute of an image
> element using string.format, like this:
> String.Format("<img src='{0}' alt='user avatar'></img>", ImageTextBox.Text)
>
> A malicious user could set ImageTextBox.Text to:
> "http://www.somesite.com/images/img.jpg'
> onload='javascript:do_something_nasty()'"
>
> When the forum image loaded, arbitrary JavaScript would run on the client.
> The client then could proceed to do something nasty.
>
> Since the events available are browser-specific (IE using one set, standards
> compliant browsers using a different set), and may change in the future,
> ASP.NET probably uses a regular expression to protect you from this (which is
> how it should do it, since if IE 8 supports more events, you don't want
> existing pages to become vulnerable).
>
>
>
> "STech" wrote:
>
> > Steven,
> >
> > Thanks for the reply. I was aware of the ValidateRequest property and do not
> > feel comfortable turning it off (security reasons).
> >
> > Could you please explain why the sequence on= is treated as potentially
> > dangerous?
> > Again, it is the sequence that is causing the exception and *not* the '='
> > character.
> >
> > Thanks.
> >
> > "Steven Cheng[MSFT]" wrote:
> >
> > > Thanks for Karl's inputs.
> > >
> > > Hi Stech,
> > >
> > > As Karl has mentioned, ASP.NET 1.x has provided the request validation
> > > feature (enabled by default) which will check the incoming request data to
> > > detect whether there is dangerous script or invalid markup code in it. For
> > > example, scripts and HTML tags are not allowed in post data. And the one you
> > > mentioned is also treated as one of those scripts. If you want to disable this, we
> > > can use "ValidateRequest" in the @Page directive to disable such
> > > validation on an individual page.
> > >
> > > Thanks,
> > >
> > > Steven Cheng
> > > Microsoft Online Support
> > >
> > > Get Secure! www.microsoft.com/security
> > > (This posting is provided "AS IS", with no warranties, and confers no
> > > rights.)
> > >
> > >
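Dave's avatar example, worked through as an added illustration (not code from anyone in the thread): the same String.Format call beside an attribute-encoded version, plus a simplified "on...=" check that I constructed to show the kind of regex screening described above. The check is an assumption for illustration, not ASP.NET's actual request-validation pattern, and the payload is the one quoted in the thread.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

class AvatarMarkup
{
    // Vulnerable construction from the thread: untrusted text is dropped
    // straight into a single-quoted attribute, so a ' in the input ends the
    // src value and whatever follows is parsed as additional attributes.
    public static string BuildVulnerable(string avatarUrl)
    {
        return String.Format("<img src='{0}' alt='user avatar'></img>", avatarUrl);
    }

    // Hardened construction: HTML-encode the value before interpolation.
    // WebUtility.HtmlEncode turns ' into &#39; and " into &quot;, so the
    // input can no longer close the attribute; the browser decodes the
    // entities when it reads the src value, so legitimate URLs still work.
    public static string BuildEncoded(string avatarUrl)
    {
        return String.Format("<img src=\"{0}\" alt=\"user avatar\">",
                             WebUtility.HtmlEncode(avatarUrl));
    }

    // Constructed approximation of the screening the thread attributes to
    // request validation: flag an attribute-like "on<name>=" sequence.
    // This is NOT ASP.NET's own pattern; it is an assumption for this demo.
    private static readonly Regex EventAttribute =
        new Regex(@"\bon\w*\s*=", RegexOptions.IgnoreCase | RegexOptions.Compiled);

    public static bool LooksLikeEventInjection(string input)
    {
        return EventAttribute.IsMatch(input);
    }

    static void Main()
    {
        // Payload quoted from the thread.
        string payload =
            "http://www.somesite.com/images/img.jpg' onload='javascript:do_something_nasty()'";

        Console.WriteLine("vulnerable: " + BuildVulnerable(payload));
        Console.WriteLine("encoded:    " + BuildEncoded(payload));
        Console.WriteLine("flagged:    " + LooksLikeEventInjection(payload));
        // The bare sequence STech hit; a broad pattern like this flags it too.
        Console.WriteLine("flagged:    " + LooksLikeEventInjection("on="));
    }
}
```

Encoding the value at the point it is written into markup is the fix that holds regardless of which event names a browser supports; request validation is a backstop, not a substitute for it.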