Due To The Presence Of Characters Known To Be Used In Cross Site Scripting Attacks?

Mar 9, 2011

Where does the following HTTP error message come from:

Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags.

We're using dynamically generated URLs, and in this specific case the URL contains the characters '<' or '>'. We do URL encode the generated URL (so '%3C' appears instead of '<'), but it doesn't. Our setup is ASP.NET MVC / IIS 7.5 / IE8. It's strange, but it looks like the error appears only on some machines, so it could be that the IE internet zone settings are playing a role.

View 1 Replies


Similar Messages:

Using A Web Service For Cross Site Scripting?

Feb 20, 2010

I want to pull down a feed (like Twitter) and place it on a page using JavaScript (jQuery). Ultimately, the "service" just needs to hand off JSON. I created a web service that allows me to do that, sort of. I don't know if using a stream reader is all that efficient, and I was a little bothered by having to use what amounts to 2 evals on the client side.

My question is twofold: is there a better method than using a web service and two, is there a problem with my implementation?

asmx:

[WebMethod]
public string World()
{
WebRequest request = WebRequest.Create("http://twitter.com/statuses/user_timeline/username.json?count=1");
HttpWebResponse response = (HttpWebResponse)request.GetResponse();
StreamReader reader = new StreamReader(response.GetResponseStream());
string tmp = reader.ReadToEnd();
response.Close();
reader.Close();
return tmp;
}

aspx:

<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.4/jquery.min.js" type="text/javascript"></script>
<script>
$(document).ready(function() {
$.ajax({
url: "WebService1.asmx/twitter",
type: "POST",
data: "{}",
contentType: "application/json; charset=utf-8",
dataType: "json",
success: function(obj) {
var t = eval(obj.d)[0].text;
$('div').html(t);
}
})
});
</script>

View 2 Replies

Cross Site Scripting Vulnerability?

Mar 25, 2010

We recently discovered that our web app was vulnerable to cross site scripting (XSS) attacks. We managed to manipulate our inputs to produce the following HTML:

[Code]....

Which executes an alert window when clicked.

After HTML encoding using AntiXSS, the web app successfully encodes the output to look like this:
<a href="javascript:__doPostBack('ctl00$ContentPlaceHolder1$CtlSearchList1$CtlListView1$DataGrid1$ctl03$ctl00','')">'); onclick=alert('This
is an XSS vulernability. An attacker could do anything here (redirect to another website, virus etc)');('.txt</a>

but the alert window still fires! What am I doing wrong?

View 3 Replies

Web Forms :: HttpRequestValidationException - Handling Cross Site Scripting (XSS)?

Oct 25, 2010

This exception is caused by the user entering scripts or disallowed text such as "<script>" or "<h1>". The exception is thrown while the request is being processed.

After searching and trying, most of the solutions were to:

1- Disable request validation in the page header (validateRequest="false") or in the pages section in web.config.

I don't see this as a solution: the XSS problem is still there, it just doesn't throw the exception.

2- Encode the text and decode it using Server.HtmlEncode and Server.HtmlDecode.

This is a good one, but I have to go to every single textbox and call this method (Server.HtmlEncode(txtAddress.Text)). This requires a lot of effort to change the whole site, and some of them may be forgotten.

I was thinking of creating a new TextBox control (MyTextBox) that inherits from System.Web.UI.WebControls.TextBox and overrides the Text property, then encodes base.Text in the get accessor and decodes base.Text in the set accessor.

This will also require changing the whole site to use MyTextBox instead of TextBox.

View 3 Replies

Security :: Prevent From Cross-Site Scripting Attack?

Oct 15, 2010

A major problem from a Cross-Site Scripting attack: below is a sample script which automatically gets inserted into my HTML and ASPX pages.

"<script src=http://avidmarketing.ie/images/rc3/companybuttonwhite.php ></script>"

View 5 Replies

Web Forms :: How To Prevent Cross Site Scripting In Bll Layer

Jan 21, 2010

To have a more secure application, we have to prevent cross site scripting.

I have an application that uses a BLL.

All inputs have to pass through the BLL before they are passed to the database.

To prevent cross site scripting, is the BLL the correct place to validate the input?

To be exact, should all the properties of an object be validated?

View 9 Replies

Code Analysis Tool To Check Cross Site Scripting?

May 14, 2010

I am aware of a tool which MS has provided which tells you about cross site scripting attacks etc.
The tool is [

But are there tools which you have used for ASP.NET applications which do something similar to this, and which one is widely used in ASP.NET applications?

View 2 Replies

Legitimate Cross Site Communication?

Jul 7, 2010

I am building a website, within a large intranet, that wraps and adds functionality to another site within the same intranet. I do not have access to the other site's source, and they do not provide any APIs for the functionality they provide. I need to, somehow, have my server-side code go to that site, fill in some forms, then press a submit button. Is this possible? If so, how can I accomplish this?

Note: I am working in asp.NET if that matters at all.

View 4 Replies

How To Cross Site Sharing UI Without Iframe

Feb 3, 2011

We host catalog data and UI for our clients. We do not build the entire web site for them, so for the time being the client puts an iframe on their site and points its URL to our hosting site. It was working fine, but now, just because of the iframe, they are losing SEO. So my question is how to achieve my goal without an iframe.

1) How can I embed/inject/merge UI hosted by us into our client's web site?
2) Get SEO benefits.

View 1 Replies

Cross Browser - Site Mobile Phone Support?

Jan 16, 2010

I need to make my site work well on a BlackBerry. I haven't put too much effort into getting this working yet, but I have a few questions which Google is struggling with. I've read about detecting browser type and modifying the default behaviour of asp.net controls here. How would I go about supplying a different stylesheet to a specific browser? Should I just do this?

if (Request.Browser.Browser.ToString() == "blackberry") //pseudocode
{
Response.Write("bb.css");
}
else
{
Response.Write("bb.css");
}

This will work fine, but I feel like there is a better method; I'm sure I've read about something in the past but I can't seem to recall. I'm also considering a Response.Redirect to a different page for a BlackBerry, which at the moment I would implement in a similar way.

View 5 Replies

WIF Cross-domain On One IIS Site/ Dynamically Setting Of Realm?

Nov 16, 2010

We have a lot of domains running on one IIS WebSite/AppPool.

Right now we are in the process of implementing SSO with Windows Identity Foundation.

In web.config the realm has to be set with:

<wsFederation passiveRedirectEnabled="true" issuer="http://issuer.com" realm="http://realm.com" requireHttps="false" />

My problem is that the realm depends on which domain the user accessed the website on, so what I did is set it in a global action filter like this:

var module = context.HttpContext.ApplicationInstance.Modules["WSFederationAuthenticationModule"] as WSFederationAuthenticationModule;
module.Realm = "http://" + siteInfo.DomainName;

My question is: when I set the realm like this, is it set per user instance or per application instance?

Scenario:

User A loads the page and the realm gets set to domain.a.com.

User B is already logged in on domain.b.com and presses login.

Since user A loaded the page before User B pressed login, user A will hit the STS with the wrong realm set.

What will happen here?

If this is not the way to set the realm per user instance, is there another way to do it?

View 1 Replies

Web Forms :: Using Cross - Posting And Master Pages In 3.5 Site?

Jul 30, 2010

I have an interesting issue I have racked my brain trying to find a solution to.

I have a site with a single master page. Part of that master page is a text field and button. They are not part of a content placeholder, they are simply part of the master page, itself, and are intended to allow people to search the site from any page on the site.

So, all search requests are routed to a search.aspx page, regardless. I am doing this by setting the PostBackUrl attribute of the button control to "search.aspx".

This all works great, except when I try to use this search capability from the search.aspx page, itself. I figure this is because I am using the Page.PreviousPage object and since a postback from the search.aspx page, itself will result in the Page.PreviousPage being Nothing, it is not performing the proper action.

View 1 Replies

How To Find From GUI Whether Client Side Scripting Or Server Side Scripting Is Running

Mar 16, 2010

We have a GUI which runs on the ASP.NET 2.0 framework (client-server model). From the support perspective, how can one find out whether the pages that are opening in the GUI at any point in time use server side scripting or client side scripting?

The reason why I ask this is because I understand that some of the code is executed by the browser, such as JavaScript. So, if there are such scripts which are handled by the client browser, how can one find out that it is the client side scripting which is running at that moment?

View 1 Replies

Security :: In Application How To Stop Cross Site Request Forgery

Jun 15, 2010

I am using asp.net 3.5 and have validateRequest="true" in the machine.config.

Do I need to do something special to stop CSRF and Cross Site Scripting, or will asp.net handle all these?

View 1 Replies

ADO.NET :: Determining Presence Of Specific Value

Feb 10, 2011

I am unsure how to quickly check a set of returned values for a specific value. Given the following:

[Code]....

I then want to check all the return values in locs for a specific value. I know I could build a foreach loop that would walk through every return data value in locs to see if it matched, but I was hoping to use something simpler.

[Code]....

I tried to search for this already as I am sure it has been asked before, but I apparently lack the proper search keywords.

View 2 Replies

Web Forms :: Dropdown Of Office Communicator Presence Indicator Is Not Displayed?

Jun 29, 2010

The onclick event of the image (that should show the OC dropdown) is not working in this scenario: the page has an OC presence indicator, then a modal window that has an OC presence indicator is launched. When the modal window is closed and there is no postback on the parent page, the OC dropdown of the parent page does not show when the image is clicked. The onclick event works well if the parent page had a full postback after closing the modal window. How will I fix the onclick event issue if there is no postback?

View 1 Replies

Preventing Replay Attacks In C#.net?

Mar 25, 2011

I am using a c#.net web application. I will not allow replay attacks in my application. How do I prevent them?

View 3 Replies

Preventing Cookie Replay Attacks In MVC

Jan 22, 2010

This involves using the Membership provider to add a comment to users server side records when they log in and out, and then confirming that when a cookie is used to authenticate, that the user hasn't logged out. This makes perfect sense to me. Where this starts to fall apart is that we do not currently use a membership provider, and so it seems like I face reimplementing all our authentication code to use a membership provider. We currently check authentication in a controller, and make a call to FormsAuthentication.SetAuthCookie() once we know the user exists. It would be a lot of work to force a membership provider in.

Is all this work really necessary? Can I roll my own key-value store of cookie values to logged-in users and just make sure I clear this when a user hits the logout button? If this seems unsafe, is there a way of implementing a minimal Membership provider in order to make these checks without handing off all authentication code to it?

I guess my main problem here is that we decided a long time ago that the membership provider model doesn't fit with the model we use for locking and unlocking accounts, and chose not to use it. Now we find that the MS recommendations specifically mention a membership provider, and as this is security I need to be sure that not using it as they recommend isn't going to cause troubles.

View 2 Replies

Replay Attacks For HTTPS Requests?

May 5, 2010

Let's say a security tester uses a proxy, say Fiddler, and records an HTTPS request using the administrator's credentials. On replay of the entire request (including session and auth cookies) the security tester is able to successfully (re)record transactions. The claim is that this is a sign of a CSRF vulnerability.

What would a malicious user have to do to intercept the HTTPS request and replay it? Is this a task for script kiddies, well-funded military hacking teams or time-traveling alien technology? Is it really so easy to record the SSL sessions of users and replay them before the tickets expire?

No code in the application currently does anything interesting on HTTP GET, so AFAIK, tricking the admin into clicking a link or loading an image with a malicious URL isn't an issue.

View 6 Replies

SQL Queries Open To Injection Attacks?

Jan 29, 2010

I would now like to check if my code is still open to SQL Injections after this work. I believe the code is now working as it should, but any blinding errors that you see i'd love to hear about too. My code is now looking like:

-code removed-

View 5 Replies

Request Validation - Preventing Script Attacks?

Jan 21, 2010

When a user presses Button1 on the web page, I would like to copy a slightly modified string from txt1 (Text) into txt2 (Text).
The problem is that sometimes I get the error "A potentially dangerous Request.Form value was detected from the client" (validateRequest). I get this error when special symbols like "<" or ">" are in txt1.Text. I've read about that problem. That error is to prevent hackers from inputting scripts into txt1. All I did is:

1) Put validateRequest="false" into <%@ Page Language="VB" validateRequest="false" at Default.aspx.

2) Default.aspx.vb contains now:

sHTMLEncodedString = Server.HtmlEncode(txt1.Text)
[code]....

Now it works and allows me to take any data from txt1, slightly modify it and put it into txt2. So, my question is: was the level of security reduced after I wrote validateRequest="false"? Should any code be added to keep a good level of security? Or would I be better off using another way to copy txt1 to txt2?

View 7 Replies

DataSource Controls :: Vulnerable To Sql Injection Attacks?

Jan 23, 2011

Using a LinqDataSource control, in the Selecting event I have code like the following for a simple search feature:

[Code]....

In general, would dynamically building the 'Where' property of a linqDataSource be vulnerable to sql injection? Or does the control protect against this internally?

View 6 Replies

Security :: How To Prevent ASMX (web Service) Replay Attacks

Jan 20, 2011

I have a ASP.NET XML web service (asmx) running on .NET 3.5. I am trying to figure out how best to prevent replay attacks. Is there any inherent security by .NET 3.5 that should mitigate this issue, or do I need some kind of SOAP header token value?

View 1 Replies

How To Count Of Characters Entered In Multiline Textbox Till 140 Characters

Dec 13, 2010

How do I count the number of characters entered in a multiline textbox? I want to allow a maximum of 140 characters in my multiline textbox using vb.net...

In short, I want the textbox's entry limit to be only 140 characters.

I have the following code to do that, but I want to implement the 140 character limit in the multiline textbox:

<script type="text/javascript">
// x is the client id passed from onkeyup="Count(this.id)", so look the
// textbox up by that id instead of hard-coding "TextBox2"
function Count(x) {
document.getElementById("Label1").innerHTML = document.getElementById(x).value.length;
}
</script>
<asp:TextBox ID="TextBox2" runat="server" Height="78px"
TextMode="MultiLine" Width="224px" onkeyup="Count(this.id)"
MaxLength="140"></asp:TextBox>

View 3 Replies

AJAX :: MaskedEditExtender's - Mask Characters Don't Hide Under Typing Characters

Feb 1, 2010

I have a problem with MaskedEdit's mask for the code shown below:

[Code]....

When I start typing a date in the TextBox, the mask moves with the characters. The mask characters don't hide under the typed characters.

View 7 Replies
Copyrights 2005-15 www.BigResource.com, All rights reserved