How to fix Cross-Site Scripting: Persistent issues

  • Question

  • User899592849 posted

    Hello,

    There is a piece of software called Fortify that scans my web code pages, and it says the code below is vulnerable to Cross-Site Scripting: Persistent.  I am not sure how to go about fixing it. Any ideas? Thanks.

    // Directives the method needs; it is assumed to live in a WebForms code-behind
    // where ConnStr is the connection string and State is a DropDownList control.
    using System.Data;
    using System.Data.SqlClient;
    using System.Web.UI.WebControls;

    public void GetStates()
    {
        DataSet DS = new DataSet();
        string strQuery = "Select * from tbl_State where StateName <> '' order by StateName";
        // Connection and adapter are disposed once the DataSet has been filled.
        using (SqlConnection oConn = new SqlConnection(ConnStr))
        using (SqlDataAdapter DA = new SqlDataAdapter(strQuery, oConn))
        {
            DA.Fill(DS);  //Line 85 - Cross-Site Scripting: Persistent (Fortify: data read from the database is treated as untrusted)
        }
        State.Items.Clear();
        State.Items.Add(new ListItem("Select a State", ""));
        foreach (DataRow DR in DS.Tables[0].Rows)
        {
            //Line 90 - Cross-Site Scripting: Persistent (Fortify: database values flow into the rendered page)
            State.Items.Add(new ListItem(DR["State"].ToString(), DR["StateID"].ToString()));
        }
    }

    Thursday, October 18, 2018 4:07 PM

All replies

  • User475983607 posted

    The vulnerability alert has to do with potential JavaScript existing in tbl_state.  

    Try reading the Fortify support documentation, as the app might not like the "SELECT *".   Usually the error messages come with examples of how to fix vulnerability issues. 

    Anyway, I recommend that you post this question on Fortify's support forum, as this is not an ASP.NET question.

    Thursday, October 18, 2018 5:50 PM
  • User-1038772411 posted

    Secure Usage
    HTML Encode Binding Shortcut
    <td><%#: Item.Address %></td>

    HTML Encode Render Shortcut
    <td><%: Item.Address %></td>

    The above code is not vulnerable to XSS because the dynamic Address property is being HTML encoded before being written to an HTML context. In ASP .NET 4.5, the HTML encode binding shortcut (<%#:) was introduced to allow developers to HTML encode dynamic values being bound in the HTML markup. Additionally, in ASP .NET 4.0 the HTML encode render shortcut (<%:) was also added to allow developers to automatically HTML encode content being rendered directly to the page.

    Vulnerable Usage
    HTML Binding
    <td><%# Item.Address %></td>

    HTML Render
    <td><%= Item.Address %></td>

    The above code is vulnerable because the dynamic Address property is written to the browser without HTML encoding. If an attacker had the ability to edit the address field, then a malicious value, such as alert(document.cookie);, could be entered to inject content into the page.

    Please refer to this link for a deeper understanding.

    Thanks.

    Wednesday, March 13, 2019 1:14 PM
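The following is an added example, not code from any post in this thread. It ties the first reply's point (the warning is about JavaScript that may already be stored in tbl_state) to the last reply's explanation (encode dynamic values at the point they are written into an HTML context). It is a stand-alone console program with constructed rows standing in for the result of the original `Select * from tbl_State`, one of which is assumed to contain a stored script tag; it renders the same `<select>` that `GetStates()` fills, once the way `<%#` / `<%=` would (raw concatenation) and once the way `<%#:` / `<%:` would (HTML encoded), so the difference is visible in the output.

```csharp
// Added example (not from the thread): why Fortify flags values read from
// tbl_State, and how output encoding neutralises them. Build with "dotnet run";
// no database is needed, the rows below are constructed for the demo.
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;

public static class StateListDemo
{
    // Constructed sample rows: a normal state, a row assumed to have been
    // tampered with so it carries a script tag, and a benign name with '&'.
    public static readonly (string StateID, string StateName)[] SampleRows =
    {
        ("1", "Alabama"),
        ("2", "Alaska<script>alert(1)</script>"),   // constructed hostile row
        ("3", "Arkansas & Tennessee"),              // benign, but '&' needs encoding too
    };

    // Vulnerable render: mirrors "<%# Item.Address %>" / "<%= %>"; the value is
    // concatenated straight into the markup, so stored markup becomes live markup.
    public static string RenderOptionUnencoded(string value, string text) =>
        $"<option value=\"{value}\">{text}</option>";

    // Fixed render: mirrors "<%#: %>" / "<%: %>"; every dynamic value is HTML
    // encoded as it is written into an HTML context (WebUtility.HtmlEncode
    // escapes <, >, &, " and ').
    public static string RenderOptionEncoded(string value, string text) =>
        $"<option value=\"{WebUtility.HtmlEncode(value)}\">{WebUtility.HtmlEncode(text)}</option>";

    // Builds the whole <select> the way GetStates() fills the State control,
    // placeholder first, then one <option> per database row.
    public static string BuildSelect(IEnumerable<(string StateID, string StateName)> rows, bool encode)
    {
        var sb = new StringBuilder("<select name=\"State\">\n");
        sb.AppendLine(encode ? RenderOptionEncoded("", "Select a State")
                             : RenderOptionUnencoded("", "Select a State"));
        foreach (var (id, name) in rows)
        {
            sb.AppendLine(encode ? RenderOptionEncoded(id, name)
                                 : RenderOptionUnencoded(id, name));
        }
        sb.Append("</select>");
        return sb.ToString();
    }

    // Check a reviewer or unit test can run against the rendered page: with
    // encoding in place, no raw <script> from the data survives in the HTML.
    public static bool ContainsRawScriptTag(string html) =>
        html.IndexOf("<script", StringComparison.OrdinalIgnoreCase) >= 0;

    public static void Main()
    {
        string vulnerable = BuildSelect(SampleRows, encode: false);
        string fixedHtml  = BuildSelect(SampleRows, encode: true);

        Console.WriteLine("--- unencoded (what Fortify warns about) ---");
        Console.WriteLine(vulnerable);
        Console.WriteLine("--- encoded at output ---");
        Console.WriteLine(fixedHtml);
        Console.WriteLine($"raw <script> present: unencoded={ContainsRawScriptTag(vulnerable)}, encoded={ContainsRawScriptTag(fixedHtml)}");
    }
}
```

The same principle applies to the thread's `GetStates()`: Fortify is not objecting to the query itself but to the path from `DA.Fill` to the page, so whatever finally writes `DR["State"]` into HTML (a data-bound template, a Literal, an inline `<%= %>`) must be an encoding output path such as `<%:` / `<%#:` or an explicit `HttpUtility.HtmlEncode` call. Encoding at output, rather than trying to clean the table, also covers the benign `&` case without corrupting the stored name.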