Question
I have been told to find a fix to Cross Site Scripting (XSS) in some of my bank old .asp pages.
I did some research on the subject, but I didn't find an answer to my problem. It's the first time I heard about XSS and the first time I am looking at ASP (although the page has nothing but HTML) and I haven't been into web design for about 2 years now, so I am very very rusty.
So for example, I have this form
https://stackoverflow.com/questions/13750489
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russian<form method="POST" id="CH" name="CH" action="http://some_url/some.asp">
<input type="hidden" name="srv" value="1" ID="srv"/>
<TABLE border="0" cellpadding="0" cellspacing="0" width="100%" align="center">
<TR valign="top">
<TR>
<TD align="center">Input something here
<input name="input_something" type="text" class="field-no-fit" maxlength="12" value="">
</TD>
</TR>
</TR>
</TABLE>
</form>
If I manually input the URL (which contains this form) as
http://this_url/this.asp?1=%22%3E%3Cscript%3Ealert%28HelloWorld%29%3C/script%3E%3Cimg%20alt=%22%22%20src=%22
the page will load and then it will throw a javascript alert and display an error image.
My goal is to stop scripts from running when opening the page. I read about Server.HTMLEncode but can't find a way to use it to stop the script from running at page load.
Thanks in advance!
EDIT: Will I be able, at least partially, to work around it if I replace the input's value with: "<%= Server.HTMLEncode(Request("input_something"))%>"
I cannot test it, since, currently, I have no access to IE6, and all the other browsers (including IE>6 versions) avoid the error (already disabled XSS Filter in the Security tab, but it does not work)
Solution
i do not think that has anything to do with the browser?
you obviously write the content of a querystring parameter directly on your page like so:
<%=Request.QueryString("1")%>
that is bad.
as you already have found out you should use
server.htmlencode( Request.QueryString("1") )
everywhere on your pages where you write user input directly on the page.
that should do the trick
OTHER TIPS
(I do not know much about ASP) You may be able get an easy fix by enabling ASP request validation. As with any behaviour changes, a number of things can break on other pages (although this would be surprising), so test the the change first. See Step 1 in http://msdn.microsoft.com/en-us/library/bb355989.aspx
Your server is filling in all tags on the page, including the hidden "srv" input, from URL parameters, with no filtering for HTML tags, which then get pasted into the page. You can limit this form to respond to POST only, not GET method, then your example attack will not work. This is probably the easiest and most harmless fix.
Finally, look if you can set cookie attribute for whatever cookie is used to track sessions to HTTPOnly.
A very long read on all possible measures you can use is at http://msdn.microsoft.com/en-us/library/ms998274.aspx
