I'm looking for an example of an XSS vulnerability that would be stopped just by using the AntiXSS Encoder 4.1 Beta as the runtime encoder (setting in system.web/httpRuntime). I would prefer something that doesn't require any explicit calls to AntiXss functions such as
@AntiXss.JavaScriptEncode(ViewBag.UserName)
I'm thinking something that would get by the ASP.NET blacklist but wouldn't make it through the AntiXSS whitelist, maybe something to do with alternate character sets or encoding?
I've tested UTF-7 vulnerabilities, but don't see any that seem to affect modern browsers.
Examples of reflected cross-site scripting attacks include when an attacker stores malicious script in the data sent from a website's search or contact form. A typical example of reflected cross-site scripting is a search form, where visitors send their search query to the server, and only they see the result.
ASP.NET Core MVC provides an HtmlString class which isn't automatically encoded upon output. This should never be used in combination with untrusted input as this will expose an XSS vulnerability.
There aren't any. Well, that's not entirely true: there aren't any that run on modern browsers.
The reason the SDL requires it is that using a safe list is inherently more secure - so if suddenly someone discovers a character that is problematic it may be already encoded (depending on the safe lists you configure).
hmm... I'm not following - AntiXss requires explicit calls unless you are talking of using .NET 4's feature of specifying your own encoder and in turn calling off to it? In that case there is nothing known at this point that I'm aware of. Since AntiXss works off a whitelist there should be no issues, as everything but a few characters are encoded.
fyi - locally I can get utf-7 to work just fine:
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
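Added example (not from the question, the answers, or the AntiXSS library): a small Python model of the two encoding strategies the answer contrasts, a deny-list encoder that touches only the classic HTML metacharacters and a safe-list encoder that passes only an allow list through, run over the UTF-7 payload from the comment above. The safe list (letters, digits, space, period, comma, hyphen, underscore) and the deny-list entity map are assumptions modelled on documented defaults, not code from either library, and the UTF-7 check simulates a page whose charset has been forced to UTF-7.

```python
import html
import re

# Deny-list strategy: only these characters are replaced; anything else passes.
# Assumption: modelled on the classic HtmlEncode behaviour, not ASP.NET's code.
DENY_LIST = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;", "'": "&#39;"}

def blacklist_encode(text: str) -> str:
    return "".join(DENY_LIST.get(ch, ch) for ch in text)

# Safe-list strategy: only characters on the allow list pass; every other code
# point becomes a numeric entity. Assumption: modelled on the AntiXSS default
# safe list (letters, digits, space, period, comma, hyphen, underscore).
SAFE_RE = re.compile(r"[A-Za-z0-9 .,\-_]")

def safelist_encode(text: str) -> str:
    return "".join(ch if SAFE_RE.fullmatch(ch) else f"&#{ord(ch)};" for ch in text)

# Constructed sample input: the UTF-7 form of <SCRIPT>...</SCRIPT> from the comment.
# It contains none of the five deny-listed characters except the quotes.
UTF7_PAYLOAD = "+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-"

def survives_utf7(encoded: str) -> bool:
    """True if the encoded text, decoded as UTF-7 by the browser, still yields
    a literal '<SCRIPT' in the character stream (entities never open a tag).
    Inputs are expected to be ASCII, as the encoder outputs above are."""
    decoded = encoded.encode("ascii").decode("utf-7")
    return "<SCRIPT" in decoded.upper()

def display_text(encoded: str) -> str:
    """What a user would read once the HTML parser resolves the entities."""
    return html.unescape(encoded)

if __name__ == "__main__":
    for name, enc in (("deny-list", blacklist_encode), ("safe-list", safelist_encode)):
        out = enc(UTF7_PAYLOAD)
        print(f"{name:9} -> {out}")
        print(f"{'':9}    script tag after UTF-7 decode: {survives_utf7(out)}")
```

The deny-list output still decodes to a script tag because the `+ADw-` sequence contains nothing on the deny list, while the safe-list output encodes `+` and so never reaches the UTF-7 decoder as a shift sequence, yet both still display the same text to the user.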