tags:

views:

104

answers:

2
Q: 

What does a dangerous query string look like?

Hi

I want to see if my encoding is working however the example I made just reverts back to non encoded after it goes back to the page.

<a href="http://search.msn.com/results.aspx%3fq%3dIamBad"&gt;Click Here!</a>

Turns back into

<a href="http://search.msn.com/results.aspx?q=IamBad"&gt;Click Here!</a>

Edit

UrlEncode Untrusted input is used in a URL (such as a value in a querystring) Click Here!

http://msdn.microsoft.com/en-us/library/aa973813.aspx

So my question is I am trying to see if something is not working right(ie why does it make the query string part look normal again).

Is it because the query string contains nothing really out of the ordinary. Or is something re encoding it back to its original form?

A: 

An example of a dangerous query string is below.

<a href="results.aspx?q=<script>alert('Attack')</script>">Click Here!</a>

What you really should be testing for isn't simply if the URL is encoded - but what happens when that attack is performed on your page.

Damien Dennehy  2010-06-19 21:43:03
Hi. I am not testing if the url is encoded. I am trying to encode the url myself on the server side through the MS XSS library. I am trying to verify if it actually did the encoding
chobo2  2010-06-19 22:16:15
The Anti-XSS library? Are you trying to use the httpmodule then to automatically encode your code? It only works on server controls.
Damien Dennehy  2010-06-19 23:17:34
A: 

You simply do not redisplay inputs from a user that come in via a form submission or through the query string, either redisplaying it to that user directly or storing it in a database that would then display it to other users of the site.

Say you have a hyperlink like this 

/default.aspx?message=%3cscript%3ealert('Hello+world')%3b%3c%2fscript%3e

What you do not want to do is this 

string message = Request.QueryString["message"];
if (!string.IsNullOrEmpty(message))
    directlyDisplayedLiteral.Text = message;

Because what would happen is that when that when the page loads, the user is going to see a message box pop up on screen. All this script produces is a stupid little message box, but it could be doing other malicious things to your users.

Instead, you want to encode the input before displaying it, so it becomes something harmless. 

string message = Request.QueryString["message"];
if (!string.IsNullOrEmpty(message))
    directlyDisplayedLiteral.Text = Server.HtmlEncode(message);

So all that happens is that <script>alert('Hello world');</script> is written to the screen, which is actually &lt;script&gt;alert('Hello world');&lt;/script&gt; in HTML. There's no message box, no script actually executing, it's just benign text on a screen.

Anthony Pegram  2010-06-19 21:48:46

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?