I have a textbox which is used for searching the data within the site. What my client wants is that:

1) Enter any text in the search field and click the search symbol.
2) The request goes to the server through a web proxy tool like "Burp".
3) Append the parameter with the script, as in `test<~script>confirm(123)<~/script>`

What happens here is that the XSS script entered by the adversary gets reflected in the response without any input. Please see the image below and you will get an idea:

(screenshot of the reflected response; image not included)

Guys, let me know if you need any more information related to it. Please help guys, any help would be appreciated. I want to stop the attack from the server side.
HTML code:

```html
<asp:TextBox ID="txtSearch" runat="server" class="txtfld-search" oncopy="return false" oncut="return false" onpaste="return false"></asp:TextBox>
```
JS code:

```javascript
<script type="text/javascript">
    $(document).ready(function () {
        // Client-side filter: strips every character except letters, digits, space, '.' and '%'
        $('#ctl00_topNavigation_txtSearch').keyup(function () {
            var $th = $(this);
            $th.val($th.val().replace(/[^.%a-zA-Z0-9 ]/g,
                function (str) {
                    alert('Special characters not allowed except %');
                    return '';
                }));
        });
    });
</script>
```
Also see the code-behind:

```csharp
protected void btnSearch_Click(object sender, ImageClickEventArgs e)
{
    Response.Redirect("search.aspx?tx=" + txtSearch.Text);
}
```
Also, see the code for the searching part:

```csharp
using System;
using System.Collections;
using System.Data;
using System.Resources;
using System.Xml;

private void SearchResult()
{
    DataTable dt;
    if (Session["Search"] == null)
    {
        ResXResourceReader reader = new ResXResourceReader(Server.MapPath("~/App_GlobalResources/Strings.en-US.resx"));
        IDictionaryEnumerator id = reader.GetEnumerator();
        string sResourceFile = Server.MapPath("~/App_GlobalResources/Strings.en-US.resx");
        XmlDocument xmlResource = new XmlDocument();
        xmlResource.Load(sResourceFile);
        XmlNodeList elmData = xmlResource.SelectNodes("//root/data");
        dt = new DataTable();
        dt.Columns.Add(new DataColumn("ID", System.Type.GetType("System.String")));
        dt.Columns.Add(new DataColumn("Title", System.Type.GetType("System.String")));
        dt.Columns.Add(new DataColumn("Description", System.Type.GetType("System.String")));
        dt.Columns.Add(new DataColumn("Url", System.Type.GetType("System.String")));
        dt.Columns.Add(new DataColumn("Link", System.Type.GetType("System.String")));
        foreach (XmlElement element in elmData)
        {
            DataRow dr = dt.NewRow();
            dr["ID"] = element.GetAttribute("name");
            //dr["Title"] = element.GetAttribute("name");
            XmlNodeList sDescription = element.SelectNodes("value");
            dr["Title"] = sDescription.Count > 0 ? sDescription.Item(0).InnerText : string.Empty;
            dr["Description"] = string.Empty;
            XmlNodeList sUrl = element.SelectNodes("comment");
            if (sUrl.Count > 0)
            {
                Int32 sPgTitle = sUrl.Item(0).InnerText.LastIndexOf(".") + 1;
                if (sPgTitle > 0)
                {
                    dr["Url"] = sUrl.Item(0).InnerText;
                    //dr["Url"] = Request.Url.Host.ToLower() + "/rbank/" + sUrl.Item(0).InnerText;
                    dr["Link"] = string.Empty;
                }
                else
                {
                    dr["Link"] = sUrl.Item(0).InnerText;
                }
                dt.Rows.Add(dr);
            }
        }
        //foreach (DataRow dr in dt.Rows)
        //{
        //    DataRow[] rDesc = dt.Select("Link <> ''");
        //    for (int i = 0; i < rDesc.Length; i++)
        //    {
        //        DataRow[] rTitle = dt.Select("ID = '" + rDesc[i]["Link"] + "'");
        //        if (rTitle.Count() > 0)
        //        {
        //            rTitle[0]["Description"] = rDesc[i]["Title"];
        //        }
        //    }
        //}
        DataRow[] drDelete = dt.Select("Link <> ''");
        foreach (DataRow drCheck in drDelete)
        {
            dt.Rows.Remove(drCheck);
        }
        dt.TableName = "FilterValues";
        reader.Close();
        Session["Search"] = dt;
    }
    else
    {
        dt = Session["Search"] as DataTable;
    }
    DataView dv = new DataView();
    dv.Table = dt;
    // The line the question is about: the raw query-string value is concatenated into the filter expression.
    dv.RowFilter = "Description LIKE ('%" + Request.QueryString["tx"].Trim().ToLower() + "%') or Title LIKE ('%" + Request.QueryString["tx"].Trim().ToLower() + "%')";
    dv.Sort = "Title ASC";
    dgrdPages.DataSource = dv;
    dgrdPages.DataBind();
    // Label.Text is rendered as-is, so the query-string value is reflected into the page unencoded.
    lblSearchWords.Text = Request.QueryString["tx"].Trim();
    lblFilesFound.Text = dv.Count.ToString();
}
```
I found that dv.RowFilter can be given some SQL injection like that. I want to prevent that. Please help.
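An added example (my own code, not the asker's or the site's) showing the two server-side fixes the question asks for: the search term is escaped before it is concatenated into `DataView.RowFilter`, and it is HTML-encoded before it is reflected back the way `lblSearchWords.Text` reflects it. `EscapeLikeLiteral`, `BuildRowFilter`, `CountMatches` and `SampleTable` are my names, and the rows in `SampleTable()` are constructed stand-ins for the resource-file entries the original `SearchResult()` loads. It compiles as a console program against System.Data; in WebForms `Server.HtmlEncode` or `HttpUtility.HtmlEncode` does the same job as `WebUtility.HtmlEncode`.

```csharp
using System;
using System.Data;
using System.Net;
using System.Text;

public static class SearchFilter
{
    // DataColumn.Expression string literals are single-quoted and a literal quote is
    // written as two quotes. Inside a LIKE pattern the wildcards '*' and '%' and the
    // bracket characters must be wrapped in [] to be matched literally, so a user-
    // supplied term can never terminate the literal or add a wildcard of its own.
    public static string EscapeLikeLiteral(string term)
    {
        var sb = new StringBuilder(term.Length + 8);
        foreach (char c in term)
        {
            switch (c)
            {
                case '\'': sb.Append("''"); break;
                case '*':
                case '%':
                case '[':
                case ']': sb.Append('[').Append(c).Append(']'); break;
                default: sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Same filter the original SearchResult() builds, with the term escaped first.
    public static string BuildRowFilter(string term)
    {
        string safe = EscapeLikeLiteral(term.Trim().ToLowerInvariant());
        return "Description LIKE '%" + safe + "%' OR Title LIKE '%" + safe + "%'";
    }

    public static int CountMatches(DataTable dt, string term)
    {
        var dv = new DataView(dt) { RowFilter = BuildRowFilter(term), Sort = "Title ASC" };
        return dv.Count;
    }

    // Constructed sample table standing in for the one built from Strings.en-US.resx.
    public static DataTable SampleTable()
    {
        var dt = new DataTable("FilterValues");
        dt.Columns.Add("ID", typeof(string));
        dt.Columns.Add("Title", typeof(string));
        dt.Columns.Add("Description", typeof(string));
        dt.Rows.Add("1", "Interest rates", "Current deposit rates");
        dt.Rows.Add("2", "Branch locator", "Find a branch");
        dt.Rows.Add("3", "100% online account", "Open an account online");
        return dt;
    }

    public static void Main()
    {
        DataTable dt = SampleTable();
        // Constructed inputs: a normal term, a term containing a wildcard character,
        // a quote-breaking term, and the reflected-markup term from the question.
        string[] inputs = { "rates", "100%", "x' OR Title <> '", "<script>confirm(123)</script>" };
        foreach (string tx in inputs)
        {
            Console.WriteLine("input    : " + tx);
            Console.WriteLine("filter   : " + BuildRowFilter(tx));
            Console.WriteLine("matches  : " + CountMatches(dt, tx));
            // What lblSearchWords.Text should receive: the term encoded as text, not markup.
            Console.WriteLine("reflected: " + WebUtility.HtmlEncode(tx.Trim()));
            Console.WriteLine();
        }
    }
}
```

Two caveats worth knowing. `DataView.RowFilter` is a DataColumn expression, not SQL, so there is no parameterised form of it; the choices are escaping as above or filtering in code (for example with LINQ over `dt.Rows`) and binding the result. And the allow-list used elsewhere on this page permits `%`, but a DataColumn LIKE pattern only accepts a wildcard at the start or end of the literal, so an unescaped `%` in the middle of the term raises an `EvaluateException` rather than matching; wrapping it as `[%]` is what keeps the filter valid for that input.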
Examples of reflected cross-site scripting attacks include when an attacker stores malicious script in the data sent from a website's search or contact form. A typical example of reflected cross-site scripting is a search form, where visitors send their search query to the server, and only they see the result.

XSS attacks may be conducted without using `<script>... </script>` tags. Other tags will do exactly the same thing, for example `<body onload=alert('test1')>`, or other attributes like `onmouseover` and `onerror`.

How does XSS work? Cross-site scripting works by manipulating a vulnerable web site so that it returns malicious JavaScript to users. When the malicious code executes inside a victim's browser, the attacker can fully compromise their interaction with the application.
As mentioned by other friends, client-side code can easily be neglected. So we can translate what you have done in JavaScript into C# like this, with an addition of mine, which is to remove extra spaces and merge them into one:

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

// Reject anything outside the allow-list (letters, digits, space and '%')
if (Regex.IsMatch(txtSearch.Text, "[^a-zA-Z0-9 %]"))
{
    //error
    Response.Redirect("Error.aspx?tx=It's a Shame Dude!");
}
else
{
    //Remove multiple spaces
    String ClearSpaces = Regex.Replace(txtSearch.Text, @"\s+", " ");
    Response.Redirect("search?tx=" + HttpUtility.UrlEncode(ClearSpaces));
}
```
Not to forget, the regex comes from this answer, and the regex for replacing multiple spaces comes from this answer.
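An added example (mine, not the answerer's) that applies the same allow-list where `tx` is actually consumed. The answer checks the term in `btnSearch_Click`, but `search.aspx` reads `Request.QueryString["tx"]` directly, so a request sent straight to `search.aspx?tx=...` never passes through that handler; validating in the page that reads the parameter closes that path. `SearchTermPolicy`, `TryNormalize`, `MaxLength`, `SearchPage` and `SearchTerm` are my names, and the 64-character limit is an assumption to adjust to the site.

```csharp
using System;
using System.Text.RegularExpressions;

public static class SearchTermPolicy
{
    // Same allow-list as the answer's check, anchored to the whole string.
    // \z rather than $ so a trailing newline cannot slip past the check.
    static readonly Regex Allowed = new Regex(@"^[a-zA-Z0-9 %]*\z", RegexOptions.Compiled);
    static readonly Regex Spaces = new Regex(@" {2,}", RegexOptions.Compiled);

    public const int MaxLength = 64; // assumption: pick a limit that fits the site's titles

    // Returns the normalised term, or null when the request must be rejected.
    // Order mirrors the answer: reject disallowed characters first, then merge spaces.
    public static string TryNormalize(string raw)
    {
        if (raw == null || raw.Length > MaxLength) return null;
        if (!Allowed.IsMatch(raw)) return null;
        string term = Spaces.Replace(raw, " ").Trim();
        return term.Length == 0 ? null : term;
    }
}

// Hypothetical code-behind for search.aspx (not the asker's file): the check runs
// in Page_Load, before SearchResult() touches the query string, so it applies no
// matter how the request reached the page.
public partial class SearchPage : System.Web.UI.Page
{
    protected string SearchTerm { get; private set; }

    protected void Page_Load(object sender, EventArgs e)
    {
        string term = SearchTermPolicy.TryNormalize(Request.QueryString["tx"]);
        if (term == null)
        {
            Response.Redirect("Error.aspx", true);
            return;
        }
        // SearchTerm is what the rest of the page should use instead of re-reading
        // Request.QueryString["tx"]; it still needs escaping before RowFilter and
        // HTML-encoding before it is written into a Label.
        SearchTerm = term;
    }
}
```

The allow-list is a first line of defence, not a substitute for the other two steps: it keeps `'`, `<` and `>` out, but it deliberately admits `%`, which is meaningful to a DataColumn LIKE pattern, and a future relaxation of the list would otherwise silently reopen both problems.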