Comments on: 5 signs your ASP.NET application may be vulnerable to HTML injection

By: Daily Links for Friday, June 19th, 2009

Daily Links for Friday, June 19th, 2009 — Fri, 19 Jun 2009 11:47:36 +0000

[...] 5 signs your ASP.NET application may be vulnerable to HTML injection » DamienG [...]

By: Podcast #58 - Blog - Stack Overflow

Podcast #58 - Blog - Stack Overflow — Thu, 18 Jun 2009 02:20:31 +0000

[...] right about something. Don’t HTML encode data that’s stored in your database! Take the good advice of Damien Guard and Joel Spolsky! You can choose to store both representations, but don’t store just the [...]

By: Amit

Amit — Thu, 12 Feb 2009 03:01:34 +0000

Damien,
When you say “You would imagine the high-level WebForms controls would take care of encoding and you’d be wrong.”. Is there a list of controls that are vulnerable and a list of controls that are not?

By: Fady Anwar

Fady Anwar — Wed, 19 Dec 2007 12:57:42 +0000

great article, i like the ideas in it
a kick from me ;)

By: How dangerous is HTML injection? » DamienG

How dangerous is HTML injection? » DamienG — Wed, 19 Dec 2007 07:46:15 +0000

[...] For more ASP.NET examples check out 5 signs your ASP.NET application may be vulnerable to HTML injection. [...]

By: Damien Guard

Damien Guard — Wed, 19 Dec 2007 07:41:18 +0000

It should be encoded regardless of where it came from or whether it is believed to be safe. The only exception is data you expect to contain HTML and are going to sanitize to ensure only has the HTML you like.

One example I’ve seen is blogging software that fails to encode blog post titles because they are ‘safe’ in that they are only entered by the blogging author.

You create a blog post called “Using List for collections” and it shows up with “Using List for collections”, causes the page to fail validation and breaks the RSS feed.

[)amien

By: James Curran

James Curran — Wed, 19 Dec 2007 02:29:57 +0000

But that’s not really 5 signs — It’s really just one sign — because , Response.Write, HtmlAnchor et al aren’t the problem. The problem is post.Author. If it comes from a trusted source (i.e., you typed it in yourself), it’s save to output directly. If it comes from anywhere else (notably user input), then it must be encoded.

By: Our daily link (2007-12-18) - Trumpi's blog

Our daily link (2007-12-18) - Trumpi's blog — Tue, 18 Dec 2007 21:24:18 +0000

[...] 5 signs your ASP.NET application may be vulnerable to HTML injection – which means that you may be vulnerable to XSS attacks too. [...]

By: Damien Guard

Damien Guard — Tue, 18 Dec 2007 18:51:55 +0000

Lol, I think that WordPress is determining that might be dangerous. Dave was, I think, mentioning the option in web.config that tries to prevent your application accepting script from the user.

This is all well and good but if there are other ways to get data into your database (links with other company systems, web services, message pumps or even internal WinForms apps) then those too can be avenues for attack.

Many attacks happen from the inside and anyone with access to the SQL box or a WinForms app could be the one putting the payload there ready for your application to deliver up to unsuspecting users.

[)amien

By: Dave

Dave — Tue, 18 Dec 2007 16:51:41 +0000

So…

By saying ASP.NET does nothing for you, are you implying that putting a “” section into your web.config isn’t working anymore for some reason?
It certainly isn’t fool-proof, but it gives a huge head-start getting around the issues you are describing.