views: 76
answers: 5

We've got an interstitial page that warns people when they're leaving our site. The trouble is it takes querystring parameters and blindly generates a page, thus it's vulnerable to XSS attacks. I've been tasked with fixing it and I want to do it right.

+2  A: 

Yes, try this:

// Accept only well-formed absolute URLs whose scheme starts with "http"
// (rules out javascript: and other non-web schemes), then HTML-encode on output.
if(Uri.IsWellFormedUriString(url, UriKind.Absolute) && url.StartsWith("http"))
    Response.Write(string.Format("<a href=\"{0}\">{0}</a>",
        HttpUtility.HtmlEncode(url)));
Nathan Ridley
Unfortunately "javascript:alert('hi')" returns true.
CptSkippy
Nothing a simple scheme check won't eliminate. I've edited my answer.
Nathan Ridley
+2  A: 

You should call Server.HtmlEncode to properly escape your generated HTML.

SLaks
A: 

One solution is to store the destination URLs in a database or other data store that cannot be accessed from the internet. Then you could pass a key value to the interstitial warning page in the query string and have the page read the URL from your database on the server side.

yorkrj
+1  A: 

So things not to do:

  1. Use regex
  2. Use HtmlEncode without thought.

Things to do:

  1. Treat all input as untrusted.
  2. Encode input before it is output. However, make sure you're using the right type of encoding. If you put user input in an attribute then you use HtmlAttributeEncode, if it's just HTML then you use HtmlEncode, if you put it into JavaScript then it's JavaScriptEncode. If your JavaScript puts it into a div then it's HtmlEncode, followed by JavaScriptEncode.
  3. Consider using AntiXSS which provides more encoding mechanisms and uses a safe list approach which is inherently safer.
  4. Whitelist the exit URLs so people cannot use this page as an open referrer. Do not have a parameter which has the URL, rather have a GUID which looks up the URL from a database, session table or whatever.

(Disclosure: I own AntiXSS)

blowdart
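An added example (not code from any answer above) that puts blowdart's points 2 and 4 together in C#/ASP.NET: the exit page takes a GUID key rather than a URL, resolves it against a server-side allow-list (a Dictionary stands in for the database), rejects anything that is not http(s), and uses a different encoder for each output context. The ExitPage class, the GUIDs and the destination URLs are constructed for this example.

```csharp
// Added example, not from any answer on this page: an exit page that never
// echoes a caller-supplied URL. The query string carries only a GUID key, the
// target is resolved server-side, the scheme is restricted to http/https, and
// each output context (element text, attribute, JS string) gets its own encoder.
using System;
using System.Collections.Generic;
using System.Web; // HttpUtility; System.Web.dll on .NET Framework, System.Web.HttpUtility on .NET Core+

public static class ExitPage
{
    // Constructed sample allow-list; a real site would read this from a data store.
    private static readonly Dictionary<Guid, string> Destinations = new Dictionary<Guid, string>
    {
        { new Guid("11111111-1111-1111-1111-111111111111"), "https://example.org/docs?a=1&b=2" },
        { new Guid("22222222-2222-2222-2222-222222222222"), "ftp://files.example.net/" } // not http(s): resolves to null
    };

    // Returns the destination for a query-string key, or null when the key is
    // missing, not a GUID, unknown, or points at a non-http(s) URL.
    public static string ResolveDestination(string key)
    {
        Guid id;
        if (key == null || !Guid.TryParse(key, out id)) return null;
        string url;
        if (!Destinations.TryGetValue(id, out url)) return null;
        Uri uri;
        if (!Uri.TryCreate(url, UriKind.Absolute, out uri)) return null;
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps) return null;
        return uri.AbsoluteUri;
    }

    // Builds the interstitial markup. Same URL, three contexts, three encoders.
    public static string Render(string key)
    {
        string url = ResolveDestination(key);
        if (url == null) return "<p>Unknown or disallowed destination.</p>";
        return
            "<p>You are leaving our site for " + HttpUtility.HtmlEncode(url) + "</p>" +        // element text
            "<a href=\"" + HttpUtility.HtmlAttributeEncode(url) + "\">Continue</a>" +          // attribute value
            "<script>var dest = '" + HttpUtility.JavaScriptStringEncode(url) + "';</script>"; // JS string literal
    }

    public static void Main()
    {
        Console.WriteLine(Render("11111111-1111-1111-1111-111111111111")); // encoded markup for the https target
        Console.WriteLine(Render("22222222-2222-2222-2222-222222222222")); // disallowed: ftp scheme
        Console.WriteLine(Render("not-a-guid"));                            // rejected before any lookup or output
    }
}
```

Because the URL itself never arrives in the request, the page cannot be used as an open redirector, and the per-context encoders protect the markup even if an allow-listed entry later contains characters such as & or quotes.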
+1  A: 

The best way is to get rid of the page entirely and just accept that it's a website and make it act like a website. Websites link to other resources, it's why the web has over 200 million sites instead of about a dozen.

Failing that, your best bet is to start with HtmlEncoding as a quick fix, and then replacing it with a lookup of ids to bring one to different sites.

But really, those "ZOMG you are leaving!" pages are horrible. They're even worse than the sites that open new tabs for every so-called "external" link.

Jon Hanna
The purpose of the page is not to keep people on the site but rather a general disclaimer that the site is provided as an information resource and not necessarily one we support, endorse or are affiliated with. The business just wants to protect its image and reputation because a lot of its constituents aren't that bright. Unfortunately the page was implemented and deployed by content managers without our knowledge and only picked up later by a PCI audit. So now we've got thousands of resources using it and I've been tasked with fixing the XSS vulnerability.
CptSkippy
I don't know of any country where that sort of disclaimer is necessary, but I'm not a lawyer and even if I was, I wouldn't know the law of every single country. Wherever you are, I'll stay by what I said as the answer to your question, since most people here are from America, followed by other English speaking countries, followed by others, so it'll apply to most people that might find this. Onto yourself, you can still go with the quick-fix followed by the id-based lookup I suggested.
Jon Hanna