Share via


SECURITY Q&A #1

From a security perspective what's wrong with this code?

    1: <html>
    2: <head>
    3: <title>Welcome Page</title>
    4: <script language="JavaScript">
    5: function openNewWindow()
    6: {
    7:    window.open('<%=Server.HtmlEncode(Request.QueryString["URL"])%>');
    8: }
    9: </script>
   10: </head>
   11: <body>
   12: Welcome <%=Context.User.Identity.Name %>
   13: <br/>
   14: Click <a href="javascript:openNewWindow();">here</a> 
   15: to open the link in new window.  15: </body>  16: </html>

Answer: 2 bugs. I always start with input and see where it is going. We have two inputs here, one is from a query string (line 7) and the other one is from context (line 12). First lets start with line 7, it is very obvious that QueryString data is untrusted so the developer is encoding it using Server.HtmlEncode. But Server.HtmlEncode does not work inside JavaScript as it does not encode all bad characters, thus this is a bug. For more information on what Server.HtmlEncode does check this https://blogs.msdn.com/cisg/archive/2008/08/28/output-encoding.aspx. Second input seems to be benign as it is just username which is usually simple. Wrong, in cases where user registers on the site, and wishes to give any username he wants he could very well put javascript in it which will in turn be returned by Identity.Name. Line 12 also need to be output encoded using AntiXss library.

More AntiXss Library blogs:

What is the Microsoft Anti-XSS Library-

Real World XSS Vulnerabilities in ASP.NET Code