
ResolveUrl XSS alternative

After the research published showing that .aspx routes are vulnerable to reflected XSS, what is the recommended alternative to using Page.ResolveUrl or Control.ResolveUrl? The linked article doesn't suggest any mitigations.

Summary of the linked research:

  • For .aspx pages (not MVC), even if you don't have cookieless sessions enabled, ASP.NET still parses those "special" URL formats such as http://www.example.com/(S(lit3py55t21z5v55vlm25s55))/orderform.aspx
  • it includes them in the page output whenever you use ResolveUrl.
  • Thus it creates an attack vector where a call like ResolveUrl( "~/Images/logo.png" ) will inject content of the attacker's choice into your page output, eg
/(S("onerror="alert`1`"))/Images/logo.png

I've posted one possible answer below but am looking for better ideas.

Note that ResolveClientUrl is not a direct replacement since it generates a relative URL, e.g. ../Images/logo.png, unlike ResolveUrl which generates a root-relative URL, e.g. /myapp/Images/logo.png

One approach is to use HttpRuntime.AppDomainAppVirtualPath instead of the special tilde syntax. So the example from above...

Instead of:

ResolveUrl( "~/Images/logo.png" )

We would have:

HttpRuntime.AppDomainAppVirtualPath.TrimEnd( '/' ) + "/Images/logo.png"

Slightly less concise but seems to accomplish the same thing without invoking the ancient "cookieless" route parsing.
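The following is an added example (not code from the post or from ASP.NET) that wraps the HttpRuntime.AppDomainAppVirtualPath approach from the answer above in a small helper, here given the hypothetical name SafeUrl.FromAppRelative, so that call sites read like the original ResolveUrl call. It handles the two shapes the virtual path can take (a root-hosted app, where it is "/", and a virtual directory such as "/myapp"), and takes an optional explicit app path so the logic can be exercised outside IIS.

```csharp
using System;
using System.Web;

// Added example; not from the post. Replaces ResolveUrl("~/...") with a root-relative
// URL built only from the application's virtual path, which is fixed when the AppDomain
// starts and is never derived from the incoming request URL. A "(S(...))" segment in the
// request therefore cannot reach the generated markup the way it does through ResolveUrl.
public static class SafeUrl
{
    // appVirtualPath is optional so the helper can be run in a console or unit test;
    // inside ASP.NET leave it null to use HttpRuntime.AppDomainAppVirtualPath.
    public static string FromAppRelative(string appRelativePath, string appVirtualPath = null)
    {
        if (appRelativePath == null || !appRelativePath.StartsWith("~/", StringComparison.Ordinal))
            throw new ArgumentException("Expected an app-relative path beginning with \"~/\".", nameof(appRelativePath));

        // "/" for an app hosted at the site root, "/myapp" for a virtual directory.
        // HttpRuntime.AppDomainAppVirtualPath is null when no ASP.NET host is present.
        string root = appVirtualPath ?? HttpRuntime.AppDomainAppVirtualPath ?? "/";
        root = root.TrimEnd('/');

        // Drop the "~" and keep the leading "/" of the remainder:
        // "~/Images/logo.png" with root "/myapp" becomes "/myapp/Images/logo.png".
        return root + appRelativePath.Substring(1);
    }

    // Usage inside an .aspx page; attribute-encode the value when writing it into markup,
    // exactly as you would for any other string:
    //   <img src="<%= HttpUtility.HtmlAttributeEncode(SafeUrl.FromAppRelative("~/Images/logo.png")) %>" alt="logo" />
    public static void Main()
    {
        Console.WriteLine(FromAppRelative("~/Images/logo.png", "/myapp")); // /myapp/Images/logo.png
        Console.WriteLine(FromAppRelative("~/Images/logo.png", "/"));      // /Images/logo.png
        Console.WriteLine(FromAppRelative("~/", "/myapp"));                // /myapp/
    }
}
```

Two caveats. The helper only accepts "~/" paths on purpose: Control.ResolveUrl also resolves plain relative paths against the control's template directory, and code that relied on that needs a separate fix. And to confirm the change took effect, request the page through a URL of the form shown in the question (with the "(S(...))" segment in front of the page name) and check that the generated src attribute no longer contains that segment.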

Use ResolveClientUrl instead of ResolveUrl. ResolveClientUrl will not allow XSS.
