How can I block cross-site scripting (XSS) through interceptor in proxy tool in ASP.NET using C#

  • Question

  • User-32452126 posted

    Hi Team,


    I am working on fixing a cross-site scripting issue in an ASP.NET application with C#. The team is trying to inject the XSS payload as %uff1cscript%uff1ealert%uff08123456%uff09%uff1c/script%uff1e, but I am having trouble encoding the text to HTML format; it is not updating.

    Please help me with how to encode the above input to HTML and fix the issue.

    Thursday, November 7, 2019 11:46 AM

All replies

  • User-719153870 posted

    Hi srinivas_1969,

    team is trying to inject the CSS as %uff1cscript%uff1ealert%uff08123456%uff09%uff1c/script%uff1e.

    XSS is supposed to protect your website, so the JS written will be encoded to the above format.

    Can you explain in which scenario you want to inject a JS function as above, which will make your website very insecure?

    And why not use the ScriptManager.RegisterStartupScript method like below?

    ScriptManager.RegisterStartupScript(this,this.GetType(), "aa", "<script>alert(123456)</script>", false);

    Best regards,

    Yang Shen

    Friday, November 8, 2019 2:39 AM
  • User-32452126 posted

    Hi Yang,

    Thanks for your response, but the pen test team would like to inject the script using the Burp interceptor, and the script is being inserted at the text box control and description boxes.

    I am trying to handle this from the C# server side, but I am not able to convert the above Unicode entities to HTML text.

    Let us know how to resolve this.

    Thanks in advance.

    Friday, November 8, 2019 6:48 AM
  • User-719153870 posted

    Hi srinivas_1969,

    inject the script using burp interceptor and the script is inserting at text box control and description boxes.

    According to your description, you will input <script>alert(123456)</script> into this textbox and the Burp interceptor will encode this to %uff1cscript%uff1ealert%uff08123456%uff09%uff1c/script%uff1e?

    I built this demo here with C# and HttpUtility.UrlDecode (since we don't know how you encode the script) to decode it.

    And this string can be decoded, but not in the right way; you can refer to the demo below:

    // Requires: using System.Web; (for HttpUtility)
    protected void btn2_Click(object sender, EventArgs e)
    {
        // %uXXXX is the non-standard Unicode escape; UrlDecode understands it
        string a = "%uff1cscript%uff1ealert%uff08123456%uff09%uff1c/script%uff1e";
        a = HttpUtility.UrlDecode(a);
        txt1.Value = a;   // shows fullwidth characters, not an ASCII "<"

        string b = "<script>alert(123456)</script>";
        b = HttpUtility.UrlEncode(b);
        txt2.Value = b;   // "<" becomes "%3c"
    }

    Below is the result:

    As you can see from the above image, %uff1c will be encoded to ＜, which can't be recognized as HTML code (<), and < will be encoded to %3c.

    I think HttpUtility.UrlDecode is not what you want, but maybe you can try using HttpUtility.UrlEncode to encode your script, which will make it easier to decode.

    Best regards,

    Yang Shen

    Friday, November 8, 2019 8:11 AM
  • User-32452126 posted

    Hi Yang Shen,

    Thank you again. I would like to explain what we are actually doing.

    There is one control on the aspx form which is used to collect some data, and the end user enters normal text only in one text box, e.g., "test by Srinivas".

    But to validate the application's security we use the Burp interceptor; once the above text is entered in the text box and saved, the data comes through the Burp interceptor.

    There we replace the text "test by Srinivas" with %uff1cscript%uff1ealert%uff08123456%uff09%uff1c/script%uff1e, and then it is saved in the DB.

    When we open the same data for viewing, the script executes and shows the alert. But when we do validation, how do we encode "%uff1cscript%uff1ealert%uff08123456%uff09%uff1c/script%uff1e" to HTML? I am not finding any methods in C# to encode it, because it is Unicode.

    Thanks in advance.

    Friday, November 8, 2019 11:18 AM
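    The flow described in the post above, as an added example (not code from the thread or from any of the posters): the payload arrives %u-escaped through Burp, is stored, and fires when the record is viewed. The %uXXXX form is the legacy JavaScript escape() encoding, not RFC 3986 percent-encoding; HttpUtility.UrlDecode and ASP.NET form parsing accept it, and it decodes to the FULLWIDTH characters U+FF1C, U+FF1E, U+FF08 and U+FF09, which a browser does not treat as markup. For the alert to fire, something between the request and the rendered page must fold those fullwidth characters to ASCII < > ( ); the thread does not say what does that, so the example assumes it and stands in for it with NFKC normalization (String.Normalize). The class and method names are hypothetical. The example shows why a blocklist on the raw request misses the payload, why any input check has to run on the canonical form, and that HTML-encoding at render time neutralizes the stored value regardless of which form it was stored in.

```csharp
// Added example, not code from the original thread. Models: payload decoded
// from the request, (assumed) fullwidth-to-ASCII folding before storage,
// and HTML encoding at render time. Console app; on .NET Framework reference
// the System.Web assembly, on .NET Core/.NET 5+ HttpUtility is in
// System.Web.HttpUtility.dll which ships with the shared framework.
using System;
using System.Text;
using System.Web;

public static class FullwidthXssDemo
{
    // Payload exactly as it appears in the thread (Burp-modified form field).
    public const string Payload = "%uff1cscript%uff1ealert%uff08123456%uff09%uff1c/script%uff1e";

    // Step 1: what the server sees after request decoding. %uXXXX is the
    // legacy JavaScript escape() form; HttpUtility.UrlDecode understands it.
    // The result contains FULLWIDTH < > ( ) (U+FF1C, U+FF1E, U+FF08, U+FF09),
    // which are not markup to a browser.
    public static string DecodeRequest(string raw) => HttpUtility.UrlDecode(raw);

    // A blocklist that looks for ASCII angle brackets in the decoded request
    // is what this payload bypasses: there is no '<' to find yet.
    public static bool ContainsAsciiAngleBrackets(string s) =>
        s.IndexOfAny(new[] { '<', '>' }) >= 0;

    // Step 2 (ASSUMPTION): some step folds fullwidth characters to ASCII.
    // NFKC compatibility normalization is used here to stand in for whatever
    // does it in the real application (an explicit Normalize call, or a
    // best-fit conversion when the value is written to a non-Unicode column).
    public static string CanonicalForm(string s) => s.Normalize(NormalizationForm.FormKC);

    // Correct order for an input check: canonicalize first, then inspect.
    public static bool FlagsAfterCanonicalizing(string s) =>
        ContainsAsciiAngleBrackets(CanonicalForm(s));

    // The durable fix: encode for the HTML context at render time, whatever
    // was stored. HtmlEncode turns < > & " and ' into entities, so neither
    // the ASCII nor the fullwidth form can become a tag in the page.
    public static string RenderForHtml(string stored) => HttpUtility.HtmlEncode(stored);

    public static void Main()
    {
        string received = DecodeRequest(Payload);
        Console.WriteLine("received from request       : " + received);
        Console.WriteLine("naive check on raw input    : " + ContainsAsciiAngleBrackets(received));
        Console.WriteLine("check on canonical form     : " + FlagsAfterCanonicalizing(received));

        string stored = CanonicalForm(received);   // the assumed folding step
        Console.WriteLine("value as stored             : " + stored);
        Console.WriteLine("value as rendered (encoded) : " + RenderForHtml(stored));
    }
}
```

    Running it shows the decoded request containing the fullwidth characters, the naive check returning false on that input and true on its canonical form, and the rendered value with the angle brackets replaced by entities. If the application does an explicit normalization, move the validation after it; if it does not, the place to look is the storage layer (a non-Unicode column type, for instance). In either case the render-time encoding is the control to rely on, since it does not depend on finding every transformation the value passes through.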
  • User475983607 posted

    What is your question?

    How to unescape Unicode characters in C#? JavaScript?

    https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.unescape?view=netframework-4.8

    https://stackoverflow.com/questions/7885096/how-do-i-decode-a-string-with-escaped-unicode

    I'm guessing that you are serializing a string on the server, which is causing the escaped characters. Is there any way you can share code that reproduces this issue?

    Friday, November 8, 2019 12:07 PM
  • User-32452126 posted

    Hi Mgebhard,

    Thank you for your reply. I am encoding the text box value on buttonsave_click, and once the process is started the data comes through the Burp Suite tool; at the back end they modify the text and replace it with the script. I would like to handle that in the back end, on the server side. Please let me know how to encode/handle it.

    Friday, November 8, 2019 5:47 PM
  • User475983607 posted

    I am encoding the text box value once the buttonsave_click

    Yang Shen provided a clear example of HTML encoding and decoding. If HTML encode and decode is not what you are looking for, then share code that reproduces this issue rather than making the community guess what problem you are trying to solve. Are you receiving an error in the Burp tool that recommends encoding text input? Have you tried Burp support?

    Friday, November 8, 2019 6:01 PM