I've implemented a PDF generation function in my Flex app using AlivePDF, and I'm wondering if the process I've used to get the file to the user creates an XSS vulnerability.

This is the process I'm currently using:

  1. Create the PDF in the Flex application.
  2. Send the binary PDF file to the server using a POST, along with the filename to deliver it as.
  3. An ASP.NET script on the server checks the filename to make sure it's valid, and then sends it back to the user as an HTTP attachment.

Given that, what steps should I take to prevent XSS?

A: 

Are there any other GET or POST parameters other than the filename?

In preventing XSS, there are three main strategies: validation, escaping, and filtering.

Validation: Upon detecting invalid characters, reject the POST request (and issue an error to the user).

Escaping: Likely not applicable when saving the file, as your OS will have restrictions on valid file names.

Filtering: Automatically strip the POST filename parameter of any invalid characters. This is what I'd recommend for your situation.

Within the ASP.NET script, immediately grab the POST string and remove the following characters: < > & ' " ? % # ; +

Ben Walther
This doesn't apply. Dan isn't sending any output directly to the client; just via the response stream.
Jan Jongboom
In the "Content-Disposition" header, you'll want to avoid any HTML special characters in order to prevent the user from breaking out of the header and into the raw message body. You are correct that this is not an XSS attack, but rather HTTP response splitting. http://en.wikipedia.org/wiki/HTTP_response_splitting
Ben Walther
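
The validation and filtering strategies discussed above, applied to the filename that ends up in the Content-Disposition header, as an added example in C# (not the asker's script or code from either answerer). The class and method names, the `.pdf` allow-list and the sample inputs are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;

// Added example; DownloadName, Filter and TryBuildHeader are hypothetical names.
public static class DownloadName
{
    // Allow-list: letters, digits, space, dot, underscore, hyphen, ending in ".pdf".
    // \A and \z anchor to the true start and end of the string; in .NET, "$" also
    // matches just before a trailing "\n", which would let a line feed through.
    private static readonly Regex Allowed = new Regex(
        @"\A[A-Za-z0-9][A-Za-z0-9 ._-]{0,99}\.pdf\z", RegexOptions.CultureInvariant);

    // The characters the answer suggests stripping.
    private static readonly char[] Stripped = "<>&'\"?%#;+".ToCharArray();

    // Filtering: drop the listed characters plus every control character
    // (CR and LF included), then keep only the last path segment.
    public static string Filter(string posted)
    {
        string s = posted ?? string.Empty;
        var kept = s.Where(c => !char.IsControl(c) && Array.IndexOf(Stripped, c) < 0);
        string name = new string(kept.ToArray());
        int slash = name.LastIndexOfAny(new[] { '/', '\\' });
        return slash >= 0 ? name.Substring(slash + 1) : name;
    }

    // Validation: returns false when the name should be rejected outright.
    public static bool TryBuildHeader(string posted, out string headerValue)
    {
        headerValue = null;
        if (posted == null || !Allowed.IsMatch(posted)) return false;
        headerValue = "attachment; filename=\"" + posted + "\"";
        return true;
    }

    public static void Main()
    {
        // Constructed inputs: a normal name, one with CR LF and a header line, one with a trailing LF.
        string[] samples = { "report 2010.pdf", "a.pdf\r\nX-Extra: 1", "a.pdf\n" };
        foreach (string s in samples)
        {
            string header;
            bool ok = TryBuildHeader(s, out header);
            Console.WriteLine("{0,-8} filtered=\"{1}\"", ok ? "accept" : "reject", Filter(s));
        }
    }
}
```

Only the first sample is accepted by `TryBuildHeader`; `Filter` removes the line breaks from the other two but leaves the rest of the text, which is why rejecting on validation failure is the stricter of the two options.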
A: 

How is this going to be XSS exploitable? You aren't outputting something directly to the user. The filesystem will just reject strange characters, and when putting the file on the output stream, neither the name nor the content matters.

Jan Jongboom