Cross Site Scripting Through URL

Bernardo · Dec 6, 2012 · Viewed 9k times

I have been told to find a fix for Cross Site Scripting (XSS) in some of my bank's old .asp pages.

I did some research on the subject, but I didn't find an answer to my problem. It's the first time I have heard about XSS and the first time I am looking at ASP (although the page contains nothing but HTML), and I haven't done any web design for about 2 years now, so I am very, very rusty.

So, for example, I have this form:

<form method="POST" id="CH" name="CH" action="http://some_url/some.asp">
<input type="hidden" name="srv" value="1" ID="srv"/>
<TABLE border="0" cellpadding="0" cellspacing="0" width="100%" align="center">
    <TR valign="top">
        <TD align="center">Input something here
        <input name="input_something" type="text" class="field-no-fit" maxlength="12" value="">
        </TD>
    </TR>
</TABLE>
</form>

If I manually input the URL (which contains this form) as

http://this_url/this.asp?1=%22%3E%3Cscript%3Ealert%28HelloWorld%29%3C/script%3E%3Cimg%20alt=%22%22%20src=%22

the page will load and then it will throw a JavaScript alert and display an error image.

My goal is to stop scripts from running when opening the page. I read about Server.HTMLEncode but can't find a way to use it to stop the script from running at page load.

Thanks in advance!

EDIT: Will I be able, at least partially, to work around it if I replace the input's value with: "<%= Server.HTMLEncode(Request("input_something"))%>"

I cannot test it, since I currently have no access to IE6, and all the other browsers (including IE versions newer than 6) avoid the error (I already disabled the XSS Filter in the Security tab, but it does not work).

Answer

ulluoink · Dec 12, 2012

I do not think that has anything to do with the browser?

You obviously write the content of a query-string parameter directly on your page, like so:

<%=Request.QueryString("1")%>

That is bad.

As you have already found out, you should use

Server.HTMLEncode(Request.QueryString("1"))

everywhere on your pages where you write user input directly on the page.

That should do the trick.

Also have a look here.
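The fix the answer gives (and the question's EDIT proposes), shown as an added Python example that is not code from the question or the answer: it reproduces the form's value attribute, feeds it the parameter from the question's URL, and parses the rendered page the way a browser would, counting the elements that get created with and without encoding. Python's html.escape stands in for Server.HTMLEncode here (an assumption; both turn & < > " into entities).

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed reproduction of the question's page: the query-string parameter
# "1" is written straight into the value="" attribute of the text input.
PAGE_TEMPLATE = (
    '<form method="POST" id="CH" name="CH" action="http://some_url/some.asp">'
    '<input name="input_something" type="text" maxlength="12" value="{value}">'
    '</form>'
)

# The URL from the question, unchanged (this_url is the question's placeholder).
ATTACK_URL = ("http://this_url/this.asp?1=%22%3E%3Cscript%3Ealert%28HelloWorld%29"
              "%3C/script%3E%3Cimg%20alt=%22%22%20src=%22")

def query_param(url, name):
    """URL-decoded first value of a query-string parameter, i.e. what
    Request.QueryString(name) hands the ASP page."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [""])[0]

def render_vulnerable(user_input):
    """Like <%=Request.QueryString("1")%> inside the attribute: no encoding."""
    return PAGE_TEMPLATE.format(value=user_input)

def render_fixed(user_input):
    """Like <%=Server.HTMLEncode(Request.QueryString("1"))%>. html.escape stands
    in for Server.HTMLEncode here (assumption); both turn & < > " into entities."""
    return PAGE_TEMPLATE.format(value=escape(user_input, quote=True))

class _TagCounter(HTMLParser):
    """Count the elements a browser would actually create from the markup."""
    def __init__(self):
        super().__init__()
        self.tags = {}

    def handle_starttag(self, tag, attrs):
        self.tags[tag] = self.tags.get(tag, 0) + 1

def element_counts(html_doc):
    """Parse a rendered page and return {tag: count}; a 'script' key means XSS."""
    p = _TagCounter()
    p.feed(html_doc)
    return p.tags

if __name__ == "__main__":
    payload = query_param(ATTACK_URL, "1")
    print("vulnerable:", element_counts(render_vulnerable(payload)))
    print("fixed:     ", element_counts(render_fixed(payload)))
```

With the raw value the parser sees a real script element and an img element injected after the input; with the encoded value the whole payload stays inside the attribute and only the form and input exist.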