Comments on: 5 signs your ASP.NET application may be vulnerable to HTML injection

By: Daily Links for Friday, June 19th, 2009

Daily Links for Friday, June 19th, 2009 — Fri, 19 Jun 2009 11:47:36 +0000

[...] 5 signs your ASP.NET application may be vulnerable to HTML injection » DamienG [...]

By: Podcast #58 - Blog - Stack Overflow

Podcast #58 - Blog - Stack Overflow — Thu, 18 Jun 2009 02:20:31 +0000

[...] right about something. Don’t HTML encode data that’s stored in your database! Take the good advice of Damien Guard and Joel Spolsky! You can choose to store both representations, but don’t store just the [...]

By: Amit

Amit — Thu, 12 Feb 2009 03:01:34 +0000

Damien,
When you say “You would imagine the high-level WebForms controls would take care of encoding and you’d be wrong.”. Is there a list of controls that are vulnerable and a list of controls that are not?

By: Fady Anwar

Fady Anwar — Wed, 19 Dec 2007 12:57:42 +0000

great article, i like the ideas in it
a kick from me ;)

By: How dangerous is HTML injection? » DamienG

How dangerous is HTML injection? » DamienG — Wed, 19 Dec 2007 07:46:15 +0000

[...] For more ASP.NET examples check out 5 signs your ASP.NET application may be vulnerable to HTML injection. [...]

By: Damien Guard

Damien Guard — Wed, 19 Dec 2007 07:41:18 +0000

It should be encoded regardless of where it came from or whether it is believed to be safe. The only exception is data you expect to contain HTML and are going to sanitize to ensure only has the HTML you like.

One example I’ve seen is blogging software that fails to encode blog post titles because they are ’safe’ in that they are only entered by the blogging author.

You create a blog post called “Using List for collections” and it shows up with “Using List for collections”, causes the page to fail validation and breaks the RSS feed.

[)amien

By: James Curran

James Curran — Wed, 19 Dec 2007 02:29:57 +0000

But that’s not really 5 signs — It’s really just one sign — because , Response.Write, HtmlAnchor et al aren’t the problem. The problem is post.Author. If it comes from a trusted source (i.e., you typed it in yourself), it’s save to output directly. If it comes from anywhere else (notably user input), then it must be encoded.

By: Our daily link (2007-12-18) - Trumpi's blog

Our daily link (2007-12-18) - Trumpi's blog — Tue, 18 Dec 2007 21:24:18 +0000

[...] 5 signs your ASP.NET application may be vulnerable to HTML injection – which means that you may be vulnerable to XSS attacks too. [...]

By: Damien Guard

Damien Guard — Tue, 18 Dec 2007 18:51:55 +0000

Lol, I think that WordPress is determining that might be dangerous. Dave was, I think, mentioning the option in web.config that tries to prevent your application accepting script from the user.

This is all well and good but if there are other ways to get data into your database (links with other company systems, web services, message pumps or even internal WinForms apps) then those too can be avenues for attack.

Many attacks happen from the inside and anyone with access to the SQL box or a WinForms app could be the one putting the payload there ready for your application to deliver up to unsuspecting users.

[)amien

By: Dave

Dave — Tue, 18 Dec 2007 16:51:41 +0000

So…

By saying ASP.NET does nothing for you, are you implying that putting a “” section into your web.config isn’t working anymore for some reason?
It certainly isn’t fool-proof, but it gives a huge head-start getting around the issues you are describing.

By: ScottB

ScottB — Tue, 18 Dec 2007 15:59:06 +0000

Great article, I have always encoded entries into the db but never encoded the output from the DB. After reading this I was like “duh!! why didn’t I think if that”. I wonder if someone could make an Ajax extender for a textbox that automatically encodes the output. Thanks again, Scott

By: Damien Guard

Damien Guard — Tue, 18 Dec 2007 13:43:16 +0000

Yeah I agree with you here and have to conceed that JSF/JSP did the right thing.

Microsoft almost got it right with the HtmlControls but for that bug I found.

[)amien

By: steve

steve — Tue, 18 Dec 2007 12:29:50 +0000

And interestingly, I think shortcuts like {! have a downside. Sure it’s quicker to type, but it does nothing to remind you that you should be using it. And, it’s arguably harder to spot a missing ! when you’re reviewing code than it is to miss a missing explicit encoding/escaping method call. I don’t think shortcuts are the answer at all, making safety the default is much more robust.

By: steve

steve — Tue, 18 Dec 2007 12:25:30 +0000

I wonder why escaping (or encoding if you prefer) the HTML isn’t the default on the higher-level constructs. I can understand why the low-level ASP output methods don’t do it, but IMO higher level frameworks should always default to safe behaviour. Having to remember to explicitly escape is a huge pain the ass.

I know everyone except me reading your blog hates Java, but again JSF demonstrates good practice here, by defaulting to escaping HTML. Since JSF is a common building block for most serious Java web software, the result is that most people building using it will have at least that minimum requirement covered without having to keep reminding themselves. I think the MVC framework, or some intermediate view component for ASP (as JSF is to JSP) should do the same.

By: Damien Guard

Damien Guard — Tue, 18 Dec 2007 07:37:34 +0000

{! } is good in MonoRail, I think Ayende added it in response to my ticket on encoding being off by default and causing a problem through to components such as the SmartGrid.

Having something similar in MVC would be great although personally I’d love it to be mapped to a method on a new HtmlViewPage class which inherits from ViewPage so that you can switch out the encoding method for different output types.

There is some discussion about the whole issue so we’ll see what happens.

[)amien