Cross-Site Scripting...

Discussion in 'ASP .Net' started by Scott M., Dec 22, 2003.

  1. Scott M.

    Scott M. Guest

    How can I disable the cross-site scripting check for one particular page of
    a site?
     
    Scott M., Dec 22, 2003
    #1

  2. Scott M.

    George Durzi Guest

    In the Page directive, insert ValidateRequest="False"

    It's set to True by default in v1.1


    "Scott M." <> wrote in message
    news:...
    > How can I disable the cross-site scripting check for one particular page of
    > a site?
    >
    >
     
    George Durzi, Dec 23, 2003
    #2

  3. Scott M.

    Scott M. Guest

    Here's my situation though.

    I develop on VS.NET 2002 and upload my project to my web hosting provider
    who uses the 1.1 framework.

    When I add the ValidateRequest="False" directive into my code, it does
    nothing because I am compiling against the 1.0 framework.


    "George Durzi" <> wrote in message
    news:...
    > In the Page directive, insert ValidateRequest="False"
    >
    > It's set to True by default in v1.1
    >
    >
    > "Scott M." <> wrote in message
    > news:...
    > > How can I disable the cross-site scripting check for one particular page of
    > > a site?
    > >
    > >
    >
    >
     
    Scott M., Dec 23, 2003
    #3
  4. Scott M.

    MSFT Guest

    Hi Scott M,


    Thank you for using Microsoft Newsgroup Service. Based on your description,
    you're looking for some information on "preventing the Cross-Site
    Scripting". This is a security issue which is concerned with the client-side
    browser and data communication with the server side. It is unlike some other
    server-side attributes that can be configured or set simply on the server side.
    I've reviewed some references on this issue; here are some tech
    articles in the MS Knowledge Base library which
    have provided a detailed explanation on it:

    HOWTO: Prevent Cross-Site Scripting Security Issues View products that this
    article applies to.
    http://support.microsoft.com/?id=252985

    Preventing Internet Explorer and Outlook Express Cross-Site Scripting
    Security Issues
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;253117

    Please have a look to see whether they help you. If you have any questions
    on it, please feel free to let me know.


    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
     
    MSFT, Dec 23, 2003
    #4
  5. Scott M.

    Scott M. Guest

    Thanks for your reply. I am aware of what cross-site scripting is and what its
    potential dangers are. I need to deactivate it for one page only and that
    page is password protected.

    My application is built using VS.NET 2002 but is being run on a server that
    runs the 1.1 framework so when I add the page level ValidateRequest="False",
    nothing happens because I am compiling with the 1.0 framework.

    Any suggestions how to turn it off for this one page in my circumstance?

    Thanks.


    "MSFT" <> wrote in message
    news:...
    > Hi Scott M,
    >
    >
    > Thank you for using Microsoft Newsgroup Service. Based on your description,
    > you're looking for some information on "preventing the Cross-Site
    > Scripting". This is a security issue which is concerned with the client-side
    > browser and data communication with the server side. It is unlike some other
    > server-side attributes that can be configured or set simply on the server side.
    > I've reviewed some references on this issue; here are some tech
    > articles in the MS Knowledge Base library which
    > have provided a detailed explanation on it:
    >
    > HOWTO: Prevent Cross-Site Scripting Security Issues View products that this
    > article applies to.
    > http://support.microsoft.com/?id=252985
    >
    > Preventing Internet Explorer and Outlook Express Cross-Site Scripting
    > Security Issues
    > http://support.microsoft.com/default.aspx?scid=kb;EN-US;253117
    >
    > Please have a look to see whether they help you. If you have any questions
    > on it, please feel free to let me know.
    >
    >
    > Steven Cheng
    > Microsoft Online Support
    >
    > Get Secure! www.microsoft.com/security
    > (This posting is provided "AS IS", with no warranties, and confers no
    > rights.)
    >
    >
     
    Scott M., Dec 23, 2003
    #5
  6. Steven Cheng[MSFT]

    Hi Scott M,

    Thank you for the prompt response. Yes, the "ValidateRequest" attribute is
    used in ASP.NET 1.1; in 1.0 you need to manually add custom methods or a
    mechanism to implement the cross-site scripting check. So I don't think that
    you need to do anything by default? Also, you've mentioned that you've a
    certain page which needs to disable the cross-scripting check; would you
    please provide more information about what you'd like to do on this page
    and what's the problem you encountered when running the functionality on that
    page? And here is a weblink for how to implement "cross-site scripting
    check" manually in ASP.NET 1.0; you may have a look to see whether it'll
    provide some ideas:
    http://msdn.microsoft.com/library/en-us/dnaspp/html/scriptingprotection.asp?frame=true

    In the meantime, I'll do further research on this issue. If you have any
    questions or new findings, please feel free to let me know, thanks.


    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
     
    Steven Cheng[MSFT], Dec 23, 2003
    #6
  7. Scott M.

    Scott M. Guest

    Hi Steven,

    Thanks for your help. I think you've got my situation backwards. I don't
    want to implement a cross-site scripting check in my application. I'm
    already getting that functionality because my application (which was written
    and compiled in the 1.0 Framework) is running under the 1.1 Framework.

    What I need to do is "disable" this inherent cross-site scripting check for
    one particular page of mine. I have tried adding the page directive of
    validateRequest="false", but this does not disable the check.

    I have one page in my site that is password protected to get to which allows
    me to (using a DataGrid) modify SQL Server data that is used on a different
    page and rendered in a Calendar control. I need to be able to add HTML to
    the SQL data, so that when it appears on the calendar, it appears as I want
    it to.

    I have put a temporary fix in place. Instead of me entering "<" and ">"
    characters, I enter "[" and "]" characters and once the form data is
    submitted, I convert "[" to "<" and "]" to ">". This works, but it is
    clumsy.


    "Steven Cheng[MSFT]" <> wrote in message
    news:...
    > Hi Scott M,
    >
    > Thank you for the prompt response. Yes, the "ValidateRequest" attribute is
    > used in ASP.NET 1.1; in 1.0 you need to manually add custom methods or a
    > mechanism to implement the cross-site scripting check. So I don't think that
    > you need to do anything by default? Also, you've mentioned that you've a
    > certain page which needs to disable the cross-scripting check; would you
    > please provide more information about what you'd like to do on this page
    > and what's the problem you encountered when running the functionality on that
    > page? And here is a weblink for how to implement "cross-site scripting
    > check" manually in ASP.NET 1.0; you may have a look to see whether it'll
    > provide some ideas:
    > http://msdn.microsoft.com/library/en-us/dnaspp/html/scriptingprotection.asp?frame=true
    >
    > In the meantime, I'll do further research on this issue. If you have any
    > questions or new findings, please feel free to let me know, thanks.
    >
    >
    > Steven Cheng
    > Microsoft Online Support
    >
    > Get Secure! www.microsoft.com/security
    > (This posting is provided "AS IS", with no warranties, and confers no
    > rights.)
    >
    >
     
    Scott M., Dec 23, 2003
    #7
  8. Steven Cheng[MSFT]

    Hi Scott M,

    Thank you for your prompt response. First I'd apologize for
    misunderstanding your problem. Now, I've got that you've got a single page
    which wants to get rid of the "request validate" provided by ASP.NET, yes?
    After reviewing the situation you mentioned in the preceding reply, I
    thought that the main problem is that your page is compiled under dotnet
    framework 1.0 and now the environment is 1.1. Since in ASP.NET 1.0 there is
    no "request validate" for pages, all the compiled page classes (assembly)
    didn't have any information for this. But because your deployment environment
    is 1.1 version, the ASP.NET runtime will check the page class for the
    "validaterequest" information, but it can't find it since nothing is set in
    1.0, so the ASP.NET runtime uses the default setting in the web.config; if
    there is no setting in the web.config, then it uses the default setting in the
    machine.config, where the default value is requestValidate="true". Then you will
    encounter the requestvalidate exception such as:

    ------------------------------ exception occurred ------------------------------
    A potentially dangerous Request.Form value was detected from the client
    (txtTagContent="<adfd>").
    Description: Request Validation has detected a potentially dangerous client
    input value, and processing of the request has been aborted. This value may
    indicate an attempt to compromise the security of your application, such as
    a cross-site scripting attack. You can disable request validation by
    setting validateRequest=false in the Page directive or in the configuration
    section. However, it is strongly recommended that your application
    explicitly check all inputs in this case.
    --------------------------------------------------------------------------------

    Is the situation I described same as yours? Please let me know if there is
    anything different.

    If so, here are some of my suggestions:

    1. Since the "validateRequest" page attribute can only be set for ASP.NET
    1.1's pages, do you think it is possible that you recompile the page classes
    under the 1.1 framework?

    2. If it is really uncomfortable for you to recompile the pages again,
    I've another way to work around this problem. Since the default value of
    "validateRequest" can be set in the web.config file, we can take advantage of
    this feature to set the default value as "false". However, you may think
    that it'll cause all the pages to have no requestvalidate checking. Yes, but
    in ASP.NET web applications there can be more than one web.config file as
    long as they are in different folders. So my suggestion is to create a
    separate sub folder, and put a certain web.config file particularly for
    the subfolder.
    For example, my web application's root folder is "MyWebApp"; it has some
    pages and a web.config file. Then, I create another sub folder named
    "noncheck" and also provide a web.config file in it. The file structure is
    like:

    wwwroot/MyWebApp
        web.config
        ...some asp.net pages
        /noncheck
            singlenocheck.aspx
            web.config

    The "singlenocheck.aspx" is the page which needs no "requestValidate" check.
    Then, in the "MyWebApp" folder's web.config file, we set the
    requestvalidate as true; just add this:

    <pages validateRequest="true"/>

    In the "noncheck" subfolder's web.config file, we set as below:

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <system.web>
        <pages validateRequest="false"/>
      </system.web>
    </configuration>

    Thus, when we request the pages in the root folder, the ASP.NET runtime
    will have the requestvalidate check, and if we request the
    "singlenocheck.aspx" in the "noncheck" folder, it will apply the setting in
    the subfolder's web.config, and it won't check the request data.

    Please try the preceding suggestions to see whether they help. If you have
    any new findings please also let me know. Thanks.


    Merry Christmas!!

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
     
    Steven Cheng[MSFT], Dec 24, 2003
    #8
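The exception text quoted above ends with the part that matters once the page directive or the subfolder web.config turns validation off for singlenocheck.aspx: the page itself must then explicitly check its inputs. The following Python script is an added example, not code from the thread, from Microsoft or from ASP.NET. It shows (a) a simplified approximation of what request validation rejects, which is an assumption about the heuristic rather than the .NET source, so that you can see why the "[" / "]" placeholder scheme from reply #7 slips past it, and (b) the kind of allowlist check the page should run on the DataGrid value before it is stored in SQL Server and rendered into the Calendar control. The tag allowlist and all sample form values are constructed for the demonstration.

```python
import html
from html.parser import HTMLParser

# Constructed allowlist for the calendar page: simple formatting only, and
# attributes are always dropped, so no event handler or URL survives.
ALLOWED_TAGS = {"b", "i", "u", "p", "br"}


def looks_dangerous(value: str) -> bool:
    """Simplified approximation (an assumption, not the .NET source) of what
    ASP.NET request validation rejects: '<' followed by a letter, '!', '/'
    or '?', or an '&#' character reference. Everything else passes."""
    for i in range(len(value) - 1):
        ch, nxt = value[i], value[i + 1]
        if ch == "<" and (nxt.isalpha() or nxt in "!/?"):
            return True
        if ch == "&" and nxt == "#":
            return True
    return False


def brackets_to_markup(value: str) -> str:
    """The thread's temporary fix: '[' and ']' stand in for '<' and '>' so the
    form passes validation, then they are converted back. Note that this
    re-creates any markup at all, so it offers no more protection than
    disabling the check; the sanitizer below is still needed afterwards."""
    return value.replace("[", "<").replace("]", ">")


class AllowlistSanitizer(HTMLParser):
    """Rebuilds markup keeping only allowlisted tags (attributes dropped);
    every other tag, comment or declaration and all text is HTML-encoded."""

    VOID_TAGS = {"br"}

    def __init__(self, allowed):
        super().__init__()  # convert_charrefs=True: '&#60;' arrives as '<' data
        self.allowed = allowed
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in self.allowed:
            self.out.append(f"<{tag}>")  # attributes intentionally discarded
        else:
            self.out.append(html.escape(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):
        if tag in self.allowed:
            self.out.append(f"<{tag}>" if tag in self.VOID_TAGS else f"<{tag}></{tag}>")
        else:
            self.out.append(html.escape(self.get_starttag_text()))

    def handle_endtag(self, tag):
        if tag in self.allowed and tag not in self.VOID_TAGS:
            self.out.append(f"</{tag}>")
        elif tag not in self.allowed:
            self.out.append(html.escape(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(html.escape(data))  # text is always encoded

    def handle_comment(self, data):
        self.out.append(html.escape(f"<!--{data}-->"))

    def handle_decl(self, decl):
        self.out.append(html.escape(f"<!{decl}>"))

    def handle_pi(self, data):
        self.out.append(html.escape(f"<?{data}>"))

    def unknown_decl(self, data):
        self.out.append(html.escape(f"<![{data}]]>"))


def sanitize_markup(value: str, allowed=ALLOWED_TAGS) -> str:
    """The explicit input check for the one page running with validateRequest=false."""
    parser = AllowlistSanitizer(allowed)
    parser.feed(value)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed form values; the first one is the value from the exception in the thread.
    for raw in ['<adfd>', '[b]Team lunch[/b][br]noon', '<b onclick="x()">Meeting</b> at 5 < 6']:
        verdict = "rejects" if looks_dangerous(raw) else "passes"
        print(f"{raw!r:45} validation {verdict:7} -> {sanitize_markup(brackets_to_markup(raw))!r}")
```

The sanitizer is deliberately an allowlist rather than a denylist: a tag the calendar does not need is never passed through, and even allowed tags lose their attributes, which is what keeps the stored HTML from carrying anything the browser would execute. The `&#` case shows why `looks_dangerous` and the sanitizer are separate concerns: the parser decodes character references before the allowlist is applied, so an encoded tag is still rendered as harmless text.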