Using A Web Service For Cross Site Scripting?
Feb 20, 2010
I want to pull down a feed (like twitter) and place in on a page using javascript (jquery). Ultimately, the "service" just needs to hand off JSON. I created a web service that allows me to do that, sort of. I don't know if using a stream reader is all that efficient and I was a little bothered by having to use what amounts to 2 evals on the clientside.
My question is twofold: is there a better method than using a web service and two, is there a problem with my implementation?
asmx:
[WebMethod]
public string World()
{
WebRequest request = WebRequest.Create("http://twitter.com/statuses/user_timeline/username.json?count=1");
HttpWebResponse response = (HttpWebResponse)request.GetResponse();
StreamReader reader = new StreamReader(response.GetResponseStream());
string tmp = reader.ReadToEnd();
response.Close();
reader.Close();
return tmp;
}
aspx
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.4/jquery.min.js" type="text/javascript"></script>
<script>
$(document).ready(function() {
$.ajax({
url: "WebService1.asmx/twitter",
type: "POST",
data: "{}",
contentType: "application/json; charset=utf-8",
dataType: "json",
success: function(obj) {
var t = eval(obj.d)[0].text;
$('div').html(t);
}
})
});
</script>
View 2 Replies
Similar Messages:
Mar 25, 2010
We recently discovered that our web app was vulnerable to cross site scripting (XSS) attacks. We managed to manipulate our inputs to produce the following HTML:
[Code]....
Which executes an alert window when clicked.
After HTMLEncoding using the AntiXSS the web app successfully encodes the output to look like this:
<a href="javascript:__doPostBack('ctl00$ContentPlaceHolder1$CtlSearchList1$CtlListView1$DataGrid1$ctl03$ctl00','')">'); onclick=alert('This
is an XSS vulernability. An attacker could do anything here (redirect to another website, virus etc)');('.txt</a>
but the alert window still fires! What am I doing wrong?
View 3 Replies
Mar 9, 2011
where does following HTTP error message come from:
Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags.
We're using dynamically generated URLs and in this specific case the URL contains the characters '<' or '>'. We do URL encode the generated URL (so '%3C' appeary instead of '<') but it doesn't Our setup is ASP.NET MVC / IIS 7.5 / IE8. It's strange but it looks like the error appears only on some machines. So it could be that the IE internet zone settings are playing a role.
View 1 Replies
Oct 25, 2010
this exception is caused by entering scripts or disallowed text as "<script>", "<h1>" by the user. This exception will be thrown while processing the request.
After searching and trying, most of the solutions were to:
1- disable request validation in the page header (validateRequest="false") or in the pages section in web.config.
I dont see this is a solution, the XSS problem is still there, it just does not throw the exception.
2- To encode the text and decode it using Server.HtmlEncode and Server.HtmlDecode.
This is a good one, but have to go every single textbox and call this method (Server.Encode(txtAddress.Text)), but this require alot of effort to change the whole site, and some of them may be forgotten.
I was thinking of creating a new TextBox control (MyTextBox) to inherit from System.Web.UI.WebControls.TextBox and override the Text property, then Encode base.Text in the get accessor, and Decode base.Text in the set accessor.
This will also require to change the whole site, to use MyTextBox instead of TextBox.
View 3 Replies
Oct 15, 2010
a major problem from Cross-Site ScriptingAttack, Below is sample script which automatically gets inserted into my HTML and ASPX Pages.
"<script src=http://avidmarketing.ie/images/rc3/companybuttonwhite.php ></script>"
View 5 Replies
Jan 21, 2010
To have a better secure application, we have to prevent cross site scripting.
I have application that use a bll.
All inputs have to pass bll before they were pass to database.
To prevent cross site scripting, is bll the correct place to validate the input?
To be exact, are all the properties of object should be validated?
View 9 Replies
May 14, 2010
I am aware of a tool which MS has provided which tells you about coss site scripting attack etc.
The tool is [
But are there tools which you have used for ASP .NET applications which do similar to this and which one is widely used in ASP .Net applications ?
View 2 Replies
Jul 7, 2010
I am building a website, within a large intranet, that wraps and adds functionality to another site within the same intranet. I do not have access to the other site's source and they do not provide any api's for the functionality they provide. I need to, somehow, have my server-side code go to that site, fill in some forms, then press a submit button. Is this possible? If so, how can I accomplish this?
Note: I am working in asp.NET if that matters at all.
View 4 Replies
Feb 3, 2011
we host catalog data and UI for our clients. we do not build entire web site for them. so for the time being client puts an iframe and points URL to our hosting site. it was working fine but now just because of iframe they are lossing SEO.so my question is how to achieve my goal without iframe.
1) how can i embed/inject/merge UI hosted by US to our client web site.
2) Get SEO benefits
View 1 Replies
Jan 16, 2010
I need to make my site work well on a blackberry, i haven't put too much effort into getting this working yet, but i have a few questions which google is struggling with.I've read about detecting brower type and modifying the default behaviour of asp.net controls hereHow would I go about supplying a differant stylesheet to a specific browser, should i just do this?
if (Request.Browser.Browser.ToString() == "blackberry") //pseudocode
{
Response.Write("bb.css");
}
else
{
Response.Write("bb.css");
}
This will work fine, but i feel like there is a better method, i'm sure i've read about something in the past but i can't seem to recall.I'm also considering a response.redirect to a differant page for a blackberry, which at the moment i would implemenet in a similar way.
View 5 Replies
Nov 16, 2010
We have a lot of domains running on one IIS WebSite/AppPool.
Right now we are in the process of implementing SSO with Windows Identity Foundation.
in web.config the realm has to be set with
<wsFederation passiveRedirectEnabled="true" issuer="http://issuer.com" realm="http://realm.com" requireHttps="false" />
My problem is that the realm is dependent on which domain the user accessed the website on so what I did is that I set it in an global action filter like this
var module = context.HttpContext.ApplicationInstance.Modules["WSFederationAuthenticationModule"] as WSFederationAuthenticationModule;
module.Realm = "http://" + siteInfo.DomainName;
My question is. When I set the realm like this, is it set per user instance or application instance.
Scenario.
User A loads the page and the realm get set to domain.a.com.
User B is already logged in on domain.b.com and presses login.
Since user A loaded the page before User B pressed login, user A will hit the STS with the wrong realm set.
What will happen here?
If this is not the way to set the realm per user instance, is there another way to do it?
View 1 Replies
Jul 30, 2010
I have an interesting issue I have racked my brain trying to find a solution to.
I have a site with a single master page. Part of that master page is a text field and button. They are not part of a content placeholder, they are simply part of the master page, itself, and are intended to allow people to search the site from any page on the site.
So, all search requests are routed to a search.aspx page, regardless. I am doing this by setting the PostBackUrl attribute of the button control to "search.aspx".
This all works great, except when I try to use this search capability from the search.aspx page, itself. I figure this is because I am using the Page.PreviousPage object and since a postback from the search.aspx page, itself will result in the Page.PreviousPage being Nothing, it is not performing the proper action.
View 1 Replies
Mar 16, 2010
We have a GUI which runs on ASP.NET 2.0 framework (Client-Server model). From the support perspective how can one find whether the pages which are opening on GUI at any point of time is a server side scripting or Client side scripting.
The reason why I ask this is because I understand that some of the codes are executed by the browser such as Javascript. So, if there are such scripts which are handled by the client browser, how can one find out that it is the Client side scripting which is running at that moment.
View 1 Replies
Jun 15, 2010
I am using asp.net 3.5 and have validateRequest="true" in the machine.config.
Do I need to do something special to stop CSRF and Cross Site scripting or asp.net will handle all these?
View 1 Replies
Feb 22, 2011
I wont to restrict my web service only for few domains.
I wont to have access to web service from using ajax and my page, and I don't want that anybody can create client to my WebService and view my web service methods.
View 4 Replies
Jan 5, 2011
I have asp.net 2.0 site which is calling web services hosted on another server. When i have an xml file from where web service ip for eg. www.mysite/webservice1/myservice.asmx is given. When i call the same server from developer machine using local networkit works fine.But the same is when hosted remotely and from client end when services is called reading xml fiile from client machine it given a message 'remote server not connecting'.
View 1 Replies
Aug 31, 2010
Is it possible to have a web Service and Website in the same application. The web service would be [URL] and website [URL] Both would share the same code for logic and data access
View 8 Replies
Jan 25, 2011
I'm trying to consume a WSE enabled Web Service from an ASP.NET Web Site.I've installed WSE 3.0, used the config tool to add WSE info to my web.config and then done an Add Web Reference.I believe that the problem may be that this is a Web SITE, not a Web APPLICATION. As such, the proxy class is generated at runtime, perhaps not adding the WSE magic.I can access the proxy class from metadata, and it's of typeSystem.Web.Services.Protocols.SoapHttpClientProtocol, which as far as I can tell doesn't have any WSE functionality.I realize that this is all old technology, but I don't get to decide what the servers run :(
View 1 Replies
Sep 27, 2010
I am building a web service which uses some of an existing web site's methods. However, some classes and methods cannot be used (for example Redirect - which obivously throws an exception when not invoked from a web site's context).
Now I came to a section in code where
HttpContext.Current.Application.Get(keyNames.EncodedKey) Is used. (Where keyNames is a struct, and EncodedKey is a string.)but HttpContext.Current is null..
What is a valid substitution for HttpContext.Current.Application.Get?
I should mention that I've only checked this from a unit test, not the web service itself and following Darin's answer I realize that is the problem, so the question now is- how to mock HttpContext.Current(using moq)?
View 1 Replies
Feb 18, 2010
I have a website that seems to be Ok in Mozilla but when I access some pages in IE (mostly the ones where it has to contact a web service) the page hangs. If I refresh and then click the same button again, it seems to work fine 90% of the time. As mentioned, the same features work flawlessly in Mozilla.I am not really sure where I need to go to start debugging this but does anyone have any ideas on a cause?The website is hosted on my machine which is running on localhost using IIS7 on Vista and the web service is hosted in the same place. (So all it should need to do is contact itself). Its is an ASP.NET website running framework 2.0 (something)
View 1 Replies
Sep 30, 2010
I am planning to build a news publication website that should be automatically scalable when traffic is increasing. I have good experience in developing web applications using ASP.NET and PHP. To move forward on selection of specific technology here are some questions for which I need some clarifications.
My primary intention is to reduce the hosting charges. If we choose LAMP this will cost lower than ASP.NET on Windows. As my intention is to host web application on cloud service, will this make any difference? Means, for dedicated servers we need to pay extra cost for Windows O/S if you compare it with Linux. If we go for cloud servers, will they charge anything for O/S for each instance or will they just charge on computation hours irrespective of Operating System?
Do we have complete control (like dedicated server) on cloud instance to install any other softwares?
Do we need to host web server and and database server on multiple instances when traffic is increasing or will a big size instance can handle huge traffic?
View 5 Replies
Aug 3, 2010
I'm trying to get a visualisation of the status of a service - By visulisation, I mean a telerik tool tip, or a label or something like that!
My site is going to be used in an intranet environment and i need on page load to find whether a specific service on a remote server is running. I have googled and found various little bits and pieces, but nothing seems to have worked for me so far!
View 5 Replies
Sep 9, 2010
I am trying to have a marker show whether or not a particular service within the services.msc is running on a remote server(s). I have a service called Yardi Services on a virtual server. I want to be able to show on a dashboard I am creating for work, whether this service in running or stopped. For some reason this service will randomly stop though I have a auto restart on error. I am assuming that I would need to create a web service or use WMI?
View 2 Replies
Apr 17, 2010
Yesterday I added a custom MembershipProvider to an ASP.NET web application, but when I deployed the application to its remote host server, it failed. I know I had the login info correct, and I also know that for nearly any exception in the login process, the Login control displays the standard error message, "Your login failed", so I assume something is wrong in the code/config.
What can I do to diagnose what is wrong on the server?
BTW: This weekend I only have FTP access to the server, so no event log, and CustomErrors is already set to Off.
THE END: I was an idiot, and using the wrong query window to check if the my login actually existed on the server.
View 1 Replies
Sep 3, 2010
I have multiple PDFs coming from a report generator and I want to merge them to a single document. The merging process must run in a web site or WCF web service environment (Framework 4.0, IIS 7.5). Is there a component, open source or commercial, to accomplish this?In my process I get the PDFs as streams. If I have the choice, I would prefer a merging method, working directly on these streams - without file representations.
View 2 Replies
