I am using clean URLs for search. If the user types a single quote, it says "disallowed URI character". I know how to enable a character to appear in the URL. I want to know the security vulnerabilities of allowing certain characters like braces, quotes and others.
I want to know this by any means, like an explanation or external references.
I am assuming you are talking about the "query string" part of the URL. If so, then your framework is probably disallowing those characters to prevent SQL injection-style attacks, as in your code you may end up using those query string values to construct a SQL query and boom, your application is SQL injected.
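The failure the answer above describes, as an added example that is not part of the thread: a search term from the query string spliced into SQL text versus bound as a parameter. The table, rows and function names are constructed for the demonstration; the point is that with a bound parameter no character needs to be banned from the URL at all.

```python
import sqlite3

# Constructed sample data, not from the thread: two rows, one unpublished.
SAMPLE_ROWS = [("IIS request filtering", 1), ("Secret draft", 0)]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_concat(term):
    """Vulnerable: the query-string value is spliced into the SQL text.
    A single quote ends the string literal and the rest of `term` is parsed
    as SQL. This is what a blanket ban on quotes tries to paper over."""
    sql = ("SELECT title FROM articles WHERE published = 1 "
           "AND title LIKE '%" + term + "%'")
    return sorted(row[0] for row in _connect().execute(sql))


def search_param(term):
    """Fixed: the value is bound as a parameter and never becomes SQL text.
    Quotes, braces and the rest are plain data, so nothing needs banning."""
    sql = "SELECT title FROM articles WHERE published = 1 AND title LIKE ?"
    return sorted(row[0] for row in _connect().execute(sql, ("%" + term + "%",)))


def concat_breaks_on(term):
    """True when the spliced query will not even parse: the same symptom as
    the 'disallowed URI character' error, one layer further down."""
    try:
        search_concat(term)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    print(search_param("IIS"))                   # only the published row
    print(search_concat("' OR 1=1 --"))          # the unpublished row leaks
    print(search_param("' OR 1=1 --"))           # nothing: it is just a string
    print(concat_breaks_on("O'Reilly"))          # True: a legitimate name breaks the query
```

A term like O'Reilly breaks the concatenated query outright, and `' OR 1=1 --` turns the published-only filter off; the parameterised version returns nothing for either, because the term is compared as data.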
I have a querystring that is made up of 3 parts.
The first 2 parts are static but the last one is dynamic and can be any value.
Because keywords used in part of the query string are blocked/denied by IIS, I need to know how to allow a dynamic value for only the last part of the query string in Request Filtering in IIS 7.5.
So for example:
in-content=knownvalue&out-content=knownwvalue&searchable= *this could be any word that is made up of characters, numbers, hyphens, apostrophes, & signs etc.
Thanks in advance for any help guys.
Because keywords used in part of the query string are blocked/denied by IIS, I need to know how to allow a dynamic value for only the last part of the query string
I don't believe you can configure the default Request Validation on a per-parameter level at present, so to allow all input for a particular parameter you'd have to disable it.
(I would do that anyway because IIS Request Validation is a misguided bogus security measure that hides not solves injection problems.)
If you still wanted to do input filtering on a parameter-by-parameter basis afterwards, you could implement that in the application or by providing your own request validation (subclassing RequestValidation and pointing requestValidationType at that class). Application-specific input filtering is generally a good thing, but it is not the answer to injection and XSS issues, for which the only effective solution remains correct escaping for the output context.
Anyone know how to prevent this IIS 7.5 /aux path issue (works on IIS 8)? This is not a real 404 error!?! e.g. http://msdn.microsoft.com/aux
This is due to some built-in restrictions on URLs in IIS, which do not allow you to use names that have special meanings in the Windows file system, dating back all the way to the days of CP/M:
https://www.bitquabit.com/post/zombie-operating-systems-and-aspnet-mvc/
If you are using ASP.NET version 4 or later, you can use this setting in web.config to disable these URL restrictions:
<configuration>
<system.web>
<httpRuntime relaxedUrlToFileSystemMapping="true"/>
<!-- ... your other settings ... -->
</system.web>
</configuration>
This should be safe if you are sure there is no direct mapping between parts of URLs and file system paths being done anywhere: in the web server, the framework, your own code or any third-party dependencies. This should usually be the case in a modern web application, but don't take my (or anyone's) word for it unless they have solid proof, which I cannot provide here.
See also: http://haacked.com/archive/2010/04/29/allowing-reserved-filenames-in-URLs.aspx
If you are dealing with problems like this, it may mean that your application uses arbitrary text in the URL path that may originally be user input. This is a misguided design pattern used in so-called "REST" APIs in order to make URLs "pretty". You will probably also run into issues with percent-encoding, Unicode characters, trans-BMP Unicode characters (emoji!), Unicode normalization, case-insensitivity (along with the Turkish-i and Greek-something problem) and countless issues that are yet to be discovered.
REST is not about pretty URLs, and pretty URLs do not need to contain arbitrary text (and unless you are Wikipedia, you will have a hard time getting it right). Pretty URLs improving your Google ranking is controversial at best, if not a myth.
Here are some suggestions to redesign the URLs in your application:
Use unique IDs instead of names. Human-readable names should never be used as identifiers ever.
If you think you have to decorate your URLs with text (in addition to a unique ID), then "sanitize" the text part. For example, you can remove any non-ASCII characters and any characters with special meanings in URLs, whitespaces, etc., and replace sequences of disallowed characters with dashes. And of course, also replace the "forbidden" names such as aux. But, seriously, don't bother with "prettifying" URLs like this.
If it makes sense for your application, let the user specify the URL fragment, but use validation to limit what URLs are allowed. You can then enforce the fragment to be unique and use it as a unique ID, rather than just decoration.
If aux is a fixed part of your URLs, just replace it with something else.
Use query strings or POST requests for arbitrary user input. And of course, validate and sanitize it. Something like a search string should not be in the URL path.
If you disagree, or you have no choice in the matter, or no time to redesign your API, see https://stackoverflow.com/a/14771755/2279059
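The "unique ID plus sanitized decoration" layout the answer above recommends, as an added example that is not the answerer's code: the slug is reduced to [a-z0-9-], trans-BMP characters and accents are handled by NFKD normalisation, and the Windows reserved device names (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9) are kept out of the path segment. The `x-` prefix for a reserved name, the `/articles/{id}/{slug}` layout and the function names are assumptions for the demonstration.

```python
import re
import unicodedata

# Names Windows reserves for devices; IIS refuses them as path segments.
# The check is case-insensitive and also applies with an extension (aux.txt).
RESERVED_NAMES = ({"CON", "PRN", "AUX", "NUL"}
                  | {"COM%d" % i for i in range(1, 10)}
                  | {"LPT%d" % i for i in range(1, 10)})


def slugify(title, max_len=60):
    """Reduce arbitrary text to [a-z0-9-] decoration: NFKD-normalise, drop
    everything non-ASCII (accents fall back to base letters, emoji vanish),
    collapse runs of other characters into one dash, then dodge reserved names."""
    ascii_text = (unicodedata.normalize("NFKD", title)
                  .encode("ascii", "ignore").decode("ascii"))
    slug = re.sub(r"[^a-z0-9]+", "-", ascii_text.lower()).strip("-")
    slug = slug[:max_len].rstrip("-") or "item"
    # After the substitution there are no dots, so the whole slug is the base name.
    if slug.upper() in RESERVED_NAMES:
        slug = "x-" + slug          # assumed convention: prefix rather than drop it
    return slug


def article_url(article_id, title):
    """The numeric ID is the identifier; the slug is decoration the router ignores."""
    return "/articles/%d/%s" % (article_id, slugify(title))


def path_segment_is_reserved(segment):
    """Check an incoming path segment the way Windows does: base name before
    the first dot, case-insensitive."""
    return segment.split(".", 1)[0].upper() in RESERVED_NAMES


if __name__ == "__main__":
    for title in ("Aux", "Hello \U0001F44B World!", "Caf\u00e9 \u00dcniCode", "COM1 port", "..."):
        print(repr(title), "->", article_url(42, title))
    print(path_segment_is_reserved("aux.txt"), path_segment_is_reserved("auxiliary"))
```

Because the router resolves on the ID, a request with a stale or mangled slug can simply redirect to the canonical URL; the slug never has to round-trip exactly, which is what makes the Unicode and reserved-name problems disappear.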
I have an ASP.NET form which has a textbox. The user can enter any characters, numbers etc. I should not restrict the user by filtering hazardous characters. But I need to prevent cross-site scripting.
The user can enter any text like alert('hi'), like this.
The data should be saved as it is in the DB. Also it should be returned and displayed in a label in the form as it is.
How can I achieve this without cross-site scripting?
Well, I think you should consider some restriction on what users are allowed to enter. You don't want null bytes or non-printable characters, do you? Even if you accept more than alphanumeric values, you should decide which characters are allowed and exclude the rest using a simple regular expression (with start and end anchors, of course).
Then, the way to prevent XSS is to encode the value whenever you display it. There are a whole host of ways to do this, but using the AntiXSS class of the Microsoft Web Protection Library is the best, if you ask me. You can encode the output based on whether you're rendering it within HTML elements, attributes, JavaScript, and so on.
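The per-parameter allow-list that the IIS 7.5 answer earlier on this page says has to live in the application, and the anchored regular expression the answer above recommends, as one added example that is not from either answerer: the three-part query string from that question is parsed, the two fixed parameters are checked against known values, and the free-text one against a character class. The allow-lists, the 100-character limit and the function names are assumptions. The block also shows the anchor pitfall a practitioner wants to know about: Python's `$` still matches before a trailing newline, so `fullmatch` is used instead.

```python
import re
from urllib.parse import parse_qsl

# Assumed allow-lists for the three-part query string (not from the thread).
KNOWN_IN = {"knownvalue"}
KNOWN_OUT = {"knownwvalue"}
# Letters, digits, spaces, hyphens, apostrophes and ampersands, 1 to 100 characters.
SEARCHABLE_RE = re.compile(r"[A-Za-z0-9 '&-]{1,100}")


def is_searchable(value):
    """fullmatch anchors at both ends, so tags, null bytes, control characters
    and non-ASCII all fail. Apostrophes and ampersands are allowed here: they
    are harmless in the database and get encoded on output, not on input."""
    return SEARCHABLE_RE.fullmatch(value) is not None


def dollar_anchor_is_leaky(value):
    """The pitfall behind 'use start and end anchors': with re.match and '$',
    a trailing newline still matches. True when the leaky pattern accepts a
    value that is_searchable() rejects."""
    leaky = re.match(r"^[A-Za-z0-9 '&-]{1,100}$", value) is not None
    return leaky and not is_searchable(value)


def validate_query(query_string):
    """Parse the raw query string and apply one rule per parameter. Returns
    the validated dict or raises ValueError. Unknown or repeated parameters
    are rejected too, so nothing slips past as a fourth parameter."""
    params = {}
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        if key in params:
            raise ValueError("repeated parameter: %s" % key)
        params[key] = value
    if set(params) != {"in-content", "out-content", "searchable"}:
        raise ValueError("unexpected parameter set: %s" % sorted(params))
    if params["in-content"] not in KNOWN_IN:
        raise ValueError("in-content not in allow-list")
    if params["out-content"] not in KNOWN_OUT:
        raise ValueError("out-content not in allow-list")
    if not is_searchable(params["searchable"]):
        raise ValueError("searchable contains disallowed characters")
    return params


def is_valid_query(query_string):
    try:
        validate_query(query_string)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = "in-content=knownvalue&out-content=knownwvalue&searchable=rock+%27n%27+roll+%26+more"
    print(validate_query(good))
    print(is_valid_query("in-content=knownvalue&out-content=knownwvalue&searchable=%3Cscript%3E"))
    print(dollar_anchor_is_leaky("abc\n"))
```

Validation of this kind limits what reaches the database; it does not make the value safe to print, which is why the second half of the answer (contextual encoding on output) still applies to everything this function accepts.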
How to safeguard a form against script injection attacks? This is one of the most used forms of attack, in which an attacker attempts to inject a JS script through a form field. The validation for this case must check for special characters in the form fields. Look for suggestions and recommendations on the internet/jQuery etc. for permissible characters & character-masking validation JS code.
You can use HTML Purifier (in case you are using PHP; you may have other options for the language you are using) to avoid XSS (cross-site scripting) attacks to a great extent, but remember no solution is perfect or 100% reliable. This should help you, and always remember that server-side validation is always best, rather than relying on JavaScript, which bad guys can easily bypass by disabling JavaScript.
For SQL Injection, you need to escape invalid characters from queries that can be used to manipulate or inject your queries and use type-casting for all your values that you want to insert into the database.
See the Security Guide for more security risks and how to avoid them. Note that even if you are not using PHP, the basic ideas of security are the same, and this should put you in a better position regarding security considerations.
If you output user-controlled input in an HTML context then you could follow what others have said and sanitize when processing input (HTML Purifier, custom input validation) and/or HTML-encode the values before output.
Cases when HTML encoding/stripping tags (no tags needed) is not sufficient:
user input appears in attributes: then it depends on whether you always (double-)quote attributes or not (bad)
used in on* handlers (such as onload=".."): then HTML encoding is not sufficient, since the JavaScript parser is called after HTML decoding.
appears in a JavaScript section: depends on whether this is in a quoted (HTML entity encoding not sufficient) or unquoted region (very bad).
is returned as JSON which may be eval'ed: JavaScript escaping required.
appears in CSS: CSS escaping is different, and CSS allows JavaScript (expression()).
Also, these do not account for browser flaws such as the incomplete UTF-8 sequence exploit, content-type sniffing exploits (the UTF-7 flaw), etc.
Of course you also have to treat data to protect against other attacks (SQL or command injection).
Probably the best reference for this is the OWASP XSS Prevention Cheat Sheet.
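The context list in the answer above, as an added example that is not the answerer's code: one encoder per context (HTML body/quoted attribute, JavaScript string literal, CSS string, JSON inside a script block), plus two helpers that make the insufficiency cases concrete by computing the text each parser actually receives. The encoders follow the escaping forms in the OWASP cheat sheet (`&entity;`, `\xHH`/`\uHHHH`, `\HH `); the function names are assumptions, and the sample inputs are constructed attack strings.

```python
import html
import json


def html_body(s):
    """Element content and quoted attribute values: & < > " ' become entities."""
    return html.escape(s, quote=True)


def js_string(s):
    """Inside a quoted JavaScript string literal: everything that is not ASCII
    alphanumeric becomes \\xHH or \\uHHHH (surrogate pairs above the BMP), so
    quotes, backslashes, line terminators and </script> cannot end the literal."""
    out = []
    for ch in s:
        o = ord(ch)
        if o < 128 and ch.isalnum():
            out.append(ch)
        elif o < 256:
            out.append("\\x%02X" % o)
        elif o <= 0xFFFF:
            out.append("\\u%04X" % o)
        else:                       # trans-BMP: JS source wants two UTF-16 units
            o -= 0x10000
            out.append("\\u%04X\\u%04X" % (0xD800 + (o >> 10), 0xDC00 + (o & 0x3FF)))
    return "".join(out)


def css_string(s):
    """Inside a quoted CSS string: \\HH followed by a space, which ends the escape."""
    return "".join(ch if ord(ch) < 128 and ch.isalnum() else "\\%X " % ord(ch) for ch in s)


def json_for_script(obj):
    """JSON embedded in a <script> block: json.dumps, then \\u-escape the three
    characters the HTML parser cares about, so data cannot close the block."""
    return (json.dumps(obj).replace("<", "\\u003C")
            .replace(">", "\\u003E").replace("&", "\\u0026"))


# The failure modes from the answer, shown as the text each parser sees.

def attr_unquoted(value):
    """Entity encoding alone in an unquoted attribute: space and '=' survive,
    so the value sprouts a second attribute."""
    return "<input value=%s>" % html_body(value)


def attr_quoted(value):
    return '<input value="%s">' % html_body(value)


def onclick_js_seen(value, encode_for_js):
    """What the JavaScript parser receives for onclick="f('VALUE')": the browser
    HTML-decodes the attribute first, so entity encoding is undone before the
    JS parser runs. Only a JS-string escape applied underneath survives."""
    inner = js_string(value) if encode_for_js else value
    return "f('%s')" % html.unescape(html_body(inner))


if __name__ == "__main__":
    payload = "'); alert(1); //"
    print(attr_unquoted("x onmouseover=alert(1)"))
    print(onclick_js_seen(payload, encode_for_js=False))   # entity encoding undone
    print(onclick_js_seen(payload, encode_for_js=True))    # still one string literal
    print(json_for_script({"t": "</script><script>alert(1)</script>"}))
```

The `onclick_js_seen` pair is the one to study: with HTML encoding alone the handler's source is literally `f(''); alert(1); //')`, which is why the answer says encoding is applied in the order the browser decodes, JavaScript escape innermost and HTML entity encoding on top.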
ASP.NET has a feature called Request Validation that will prevent unencoded HTML from being processed by the server. For extra protection, one can use the AntiXSS library.
You can prevent script injection by encoding HTML content, like
Server.HtmlEncode(input)
There is the OWASP ESAPI too.
The Zend Framework Manual says the following:
60.3.1. Escaping Output
One of the most important tasks to perform in a view script is to make sure that output is escaped properly; among other things, this helps to avoid cross-site scripting attacks. Unless you are using a function, method, or helper that does escaping on its own, you should always escape variables when you output them.
Why 'always'? Why do I have to escape variables that have not been created or altered by user input?
Users aren't the only source of dodgy strings in output. Consider, for example, the apparently safe string "Romeo & Juliet" coming out of a database. No cross-site scripting there, you say? True enough. Stick it in a web page, however, and the raw ampersand could cause some interesting problems with validation, parsing, etc.
Output escaping isn't just to guard against malicious or accidentally borked input, it ensures that the output is thoroughly sanitised and treated as having no special meaning in the surrounding output format, whether that's HTML, XML, JSON or whatever.
As a rule, I would escape anything coming from user input, a data source or even calculations. You want the output to be predictable, escaping ensures that it is. If the value when converted to a string contains characters that break your desired markup, things would get messy.
If you're using a view, $this->escape($variableToEscape) should suffice.
Another thing is that many times things that are hard-coded one day become user- or at least database-generated another day. It's just better practice to manage the output of variables in your code.
You could look at it this way: you should always HTML-encode variables, unless you know that they've already been encoded.
Say you have a variable that contains:
foo <b>bar</b>
If you know that it contains HTML tags, and you're okay with that, then you can say that this variable has already been properly HTML-encoded. You could even assign it to a different variable type to make the compiler aware of the distinction (Joel's idea), and have your output functions handle these types without escaping them.
Of course, this means that
foo & <b>bar</b>
is an incorrect value; you would need to ensure that it's:
foo &amp; <b>bar</b>
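The "different variable type" idea in the answer above, as an added example that is not the answerer's code: a `Markup` string subclass marks a value as already HTML-encoded, `escape()` passes such values through untouched (so nothing is encoded twice), and concatenating a `Markup` with plain text encodes only the plain part. The class, function names and the `render()` helper are assumptions for the demonstration; the sample strings are the ones from this thread.

```python
import html


class Markup(str):
    """A str that is known to be HTML-encoded already. escape() returns it
    untouched, so double-encoding cannot happen, and joining it with plain
    strings encodes only the plain parts. Producing a Markup from raw text
    is the one place where 'foo & <b>bar</b>' would be a bug."""

    def __add__(self, other):
        # str(...) on both sides so Python does not route back through __radd__
        return Markup(str(self) + str(escape(other)))

    def __radd__(self, other):
        return Markup(str(escape(other)) + str(self))

    def join(self, parts):
        return Markup(str(self).join(str(escape(p)) for p in parts))


def escape(value):
    """Encode for HTML element content and quoted attribute values, unless the
    value already carries the Markup type."""
    if isinstance(value, Markup):
        return value
    return Markup(html.escape(str(value), quote=True))


def render(template, **values):
    """`template` is trusted markup written by the developer; every substituted
    value goes through escape(), so only Markup values land unencoded."""
    return Markup(template.format(**{k: escape(v) for k, v in values.items()}))


if __name__ == "__main__":
    print(render("<p>{name}</p>", name="Romeo & Juliet"))
    print(render("<div>{body}</div>", body=Markup("foo &amp; <b>bar</b>")))
    print(escape(escape("a & b")))                      # encoded once, not twice
    print(Markup("<p>") + '"Bob" <bob#bob.com>' + Markup("</p>"))
```

With this in place the view never has to decide whether to escape: it always calls `escape()` (or `render()`), and the only way to emit raw markup is to construct a `Markup` deliberately, which is exactly the point the answer makes about making the compiler aware of the distinction.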
I think the best practice here is to always escape output unless you intend to output a raw HTML fragment. Even "safe" data can contain characters which need to be escaped. For example, consider the e-mail address '"Bob" <bob#bob.com>'. If you don't escape it, the browser will think <bob#bob.com> is a tag.
Obviously you want to escape things that are the result of user data to prevent XSS attacks. Since you're often changing what you're republishing and what you're not, you probably can't remember all the places that need to be changed... So even if you get all the nuances correct now, and your site is secure from XSS today, you may at some point add user input to some variable you're not escaping (or more likely, some variable to some variable to some variable which you're not escaping), which would open you up to XSS attacks.
Escaping by default would prevent that attack.
The other reason is more conceptual: with MVC, all of your markup--which is, by definition, the "view"--should be in your view templates. So if your controller is determining the view, and the view contains all the markup, why not escape your variables?
Well, if you have hard-coded values (let's say language translations, which you read from a database or XML file), you don't have to escape them.
But if there is a value that has been created/modified by a user, even, let's say, in the admin panel, you have to escape it, because you don't know what kind of data a user, or if I'm more radical, even an administrator, will send.