I'm testing my MVC3 web app for XSS attacks and I'm noticing a weird behavior with the default ValidateRequest in .Net
I have a form with a few text fields and when I enter a 'dangerous' string such as:
<img src=x onerror=alert(/XSS/.source)>
I see the "A potentially dangerous Request.Form was detected..." message pop up as expected.
My understanding is that this validation will automatically cancel the request and no changes will take place. However, when I refresh the page, I'm seeing that the text field in question now displays a value of 'ED7F9'
Something similar occurs if I try to save a value of <script>alert("hi")</script>. In this case, after the validation message, the remaining text in the field is: "alert("
Has anyone seen this before or have any clues as to why this is happening?
Related
I've started using AntiForgeryToken in some of my forms to prevent cross site request forgery. However I am getting some weird behaviour and just wanted to clarify whether this is a bug or just me doing something wrong. I am using the Html.AntiForgeryToken() call in my form. I then use the [ValidateAntiForgeryToken] attribute in the action method that the form posts to. I'm not using a salt at this point.
My understanding is that Html.AntiForgeryToken() generates a hidden input with a name of __RequestVerificationToken and a cookie named __RequestVerificationToken_Lw__, which should both contain the same value.
The behaviour I am experiencing however is that:
1. The cookie always has the same value no matter how many times you GET the page
2. The hidden input has a different value every time you GET the page
3. The ValidateAntiForgeryToken validates every time, even from a different site in a CSRF scenario.
4. If I change the value of the hidden input in the foreign site, the token doesn't validate (expected behaviour, but why does it validate when the hidden input/cookie value is different?)
Anyone got any ideas?
For number 3, are you including the hidden field in your CSRF scenario?
The safety of the AntiForgeryToken is that the hidden input exists only in the page served by your domain, and cannot be copied or captured by another domain. If you have mocked up a test which passes the hidden input, then that is not a valid test.
I suggest you read this article from Phil Haack: Anatomy of a Cross-site Request Forgery Attack
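The pattern the answer describes, as an added example that is not part of the question or the answer above (controller, view and model names are hypothetical). The GET action renders the form with the hidden token; the POST action is restricted to POST and carries [ValidateAntiForgeryToken], so it only runs when the __RequestVerificationToken cookie and the hidden field agree, and the hidden field is only obtainable from a page this application served.

```csharp
using System.Web.Mvc;

// Added example; names are hypothetical, not from the original post.
public class ProfileModel
{
    public string DisplayName { get; set; }
}

public class ProfileController : Controller
{
    // GET /Profile/Edit renders the form. The Razor view
    // (Views/Profile/Edit.cshtml, hypothetical) would contain:
    //
    //   @model ProfileModel
    //   @using (Html.BeginForm("Edit", "Profile", FormMethod.Post))
    //   {
    //       @Html.AntiForgeryToken()
    //       @Html.TextBoxFor(m => m.DisplayName)
    //       <input type="submit" value="Save" />
    //   }
    [HttpGet]
    public ActionResult Edit()
    {
        return View(new ProfileModel { DisplayName = "current name" });
    }

    // HttpPost matters as much as the token attribute: if the same
    // state-changing work were reachable through a GET, a cross-site
    // <img src=...> request would never need a token at all.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(ProfileModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // ... persist model.DisplayName for the current user ...

        return RedirectToAction("Edit");
    }
}
```

When the cookie is present but the hidden field is missing or does not match, MVC throws System.Web.Mvc.HttpAntiForgeryException before the action body runs; a realistic cross-site test therefore posts the form fields without the hidden token value, since another origin cannot read that value out of your page.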
I'm new to Struts2. I am doing client-side validation for my form. The error messages for validations that I wrote in the properties file are repeated each time I submit.
e.g.
First submit
username required
Second submit
username required
username required
Please tell me how to clear previous error messages?
You should give an example from your code. There is a document about Struts2 client-side validation, and about Ajax Validation it says:
clearValidationErrors(formNode) : Removes validation errors from a form
so you can try to do it.
If you are using a table on your JSP to display the form, then make sure that the table is a parent of the form tag. If the table is a child of the form tag, the validation messages won't get cleared each time. Making the form tag a child of the table tag would solve your problem.
If you are using the spring integration you have to define your bean as scope="prototype", then you get a new instance of your Action for every request.
It's a good idea to do this for every Action.
Basically, I'm calling Html.TextAreaFor to display a form, which is great/not a problem...
People enter text in it, and it gets submitted, and if it is successful, I want to return an empty Html.TextAreaFor... but after it's submitted, in the action method I do set the Comment that people are making in the TextArea to an empty string ""; however, when it's loaded, it always has the text from the previous load.
I am loading everything in AJAX by just updating a div... and to make sure everything is normal, I have (as a test) a normal Html.TextArea where I specify the name and value. The Html.TextArea is right under the Html.TextAreaFor and acts exactly as it should, but the Html.TextAreaFor for some reason does not!
This is strange because I am reloading the entire div which the form is contained in, from a PartialView, at every submission!!
I'm also making sure the div is loading with a typical System.DateTime.Now string returned with everything, and the mentioned Html.TextArea working as it should. It's driving me insane... am I missing something, guys? Are there any peculiar properties about ...For helpers that I should be aware of?
Try clearing the ModelState object, which is where the HTML helpers read the value from.
Also see What am I misunderstanding about how Html.TextBoxFor works?.
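The fix the answer points at, as an added example that is not code from the question or the answer (controller, view and model names are hypothetical). The helpers look at the posted value in ModelState before they look at the model, so emptying model.Comment alone re-renders the submitted text; removing the entry from ModelState makes the partial render the cleared value.

```csharp
using System;
using System.Web.Mvc;

// Added example; names are hypothetical, not from the original post.
public class CommentModel
{
    public string Comment { get; set; }
    public string RenderedAt { get; set; }
}

public class CommentsController : Controller
{
    // Renders the partial that the page loads into its div via AJAX.
    public ActionResult Form()
    {
        return PartialView("_CommentForm",
            new CommentModel { RenderedAt = DateTime.Now.ToString() });
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Post(CommentModel model)
    {
        if (!ModelState.IsValid)
        {
            // Re-rendering with ModelState intact is what you want here:
            // the user's text and the validation messages both come back.
            return PartialView("_CommentForm", model);
        }

        // ... save model.Comment ...

        // Html.TextAreaFor(m => m.Comment) reads ModelState["Comment"] first,
        // so the posted text would reappear even though the new model's
        // Comment is empty. Drop just that entry (or ModelState.Clear() to
        // forget every posted field and every validation error).
        ModelState.Remove("Comment");

        return PartialView("_CommentForm",
            new CommentModel { Comment = "", RenderedAt = DateTime.Now.ToString() });
    }
}
```

ModelState.Remove is the narrower choice when the partial also shows server-side validation messages for other fields, because ModelState.Clear() discards those as well.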
There is a study here my co-worker brought to my notice. Basically, that in-line form validation is a good thing.
But how would you do in-line multi-field form validation in MVC assuming you already have a "yield return" setup to return a list of form violations? Is the in-line validation only for primitive values like "a zip code should not include alpha characters?"
Would you submit some Javascript code to the client that checks that "this field and this field should be evaluated together firing this validation, and oh by the way, we are going to validate all fields again on a final submit"?
Anyone have code example (C# and MVC) to illustrate handling in-line multi-field form validation using a remote repository (but not all fields at one time)?
I don't have any code but if I was going to do inline validation I would implement the validation sample in Nerd Dinner.
Clearly this would validate on a submit so not really useful to your question. However, if you couple it with jQuery then it does become useful.
Essentially I'd be doing a jQuery postback at key points, checking for validation errors, and then highlighting the errors to the user in the callback.
You can attach events to, say, the lost-focus events of fields that have a certain style class, or to all fields, etc. Really quite extensible in that regard.
There are tons of samples on jQuery and how to post back etc.
I'd also still be doing the full validation check on postback as well just to catch anything that may have been missed.
Does this help?
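An added example, not from the question or the answer above, of the multi-field in-line check the answer describes, including the full re-validation on submit. Instead of hand-written jQuery postbacks it uses MVC 3's built-in [Remote] attribute, which makes jquery.validate issue an AJAX request with the field and its AdditionalFields as the user leaves the field; controller, action and property names are hypothetical.

```csharp
using System;
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// Added example; names are hypothetical, not from the original post.
public class BookingModel
{
    [Required]
    public DateTime StartDate { get; set; }

    // As the user leaves EndDate, the client sends
    // GET /Booking/CheckDates?EndDate=...&StartDate=... and shows the
    // returned message next to the field, so both fields are checked together.
    [Required]
    [Remote("CheckDates", "Booking", AdditionalFields = "StartDate",
            ErrorMessage = "End date must be after the start date.")]
    public DateTime EndDate { get; set; }
}

public class BookingController : Controller
{
    // Remote validation endpoint: return true for valid, or a string
    // that jquery.validate displays as the error message.
    public JsonResult CheckDates(DateTime endDate, DateTime startDate)
    {
        if (endDate <= startDate)
        {
            return Json("End date must be after the start date.",
                        JsonRequestBehavior.AllowGet);
        }
        return Json(true, JsonRequestBehavior.AllowGet);
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create(BookingModel model)
    {
        // [Remote] runs on the client only; the server never calls CheckDates
        // for a posted form, so the cross-field rule is re-applied here.
        if (model.EndDate <= model.StartDate)
        {
            ModelState.AddModelError("EndDate", "End date must be after the start date.");
        }
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // ... save the booking ...

        return RedirectToAction("Index");
    }
}
```

The in-line behaviour needs unobtrusive client validation enabled (ClientValidationEnabled and UnobtrusiveJavaScriptEnabled in web.config) and the jquery.validate and jquery.validate.unobtrusive scripts on the page; without them the form still works, but every rule is enforced only by the server-side check in Create.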
I added:
<pages validateRequest="false">
to my web.config but I am still getting the error:
A potentially dangerous Request.Form value was detected from the
I added it to the view page also and still getting the error.
How can this be?
In MVC, request validation has to be done at the controller level instead of at the page level because the controller is processing input, not the page. If request validation were done at the page level, then the controller would happily process malicious input (and potentially commit it to the database!) before the validation check ever took place.
[ValidateInput(false)]
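Where the attribute goes, as an added example that is not code from the answer above (controller, action and model names are hypothetical). Request validation is switched off only for the one action that legitimately accepts markup; the alternative shown on the model, [AllowHtml], exempts a single property and leaves every other posted field protected. Either way the stored markup is HTML-encoded when it is rendered, which is the check that actually stops the injected <script> or <img onerror> from running.

```csharp
using System.Web.Mvc;

// Added example; names are hypothetical, not from the original post.
public class ArticleModel
{
    public string Title { get; set; }

    // Narrower alternative to ValidateInput(false): only this property may
    // contain markup; Title and any other field are still validated.
    [AllowHtml]
    public string Body { get; set; }
}

public class ArticleController : Controller
{
    // Suppresses "A potentially dangerous Request.Form value was detected"
    // for this action only, rather than for every page in the application.
    [HttpPost]
    [ValidateAntiForgeryToken]
    [ValidateInput(false)]
    public ActionResult Save(ArticleModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // ... persist model; nothing accepted here is safe to echo unencoded ...

        return RedirectToAction("Show");
    }

    public ActionResult Show()
    {
        // In the Razor view, @Model.Body is HTML-encoded on output, so the
        // stored tags are displayed as text. Html.Raw(Model.Body) or an
        // MvcHtmlString would emit them unencoded and must not be used for
        // user-supplied content.
        return View(new ArticleModel
        {
            Title = "t",
            Body = "<b>stored markup</b>" // constructed sample value
        });
    }
}
```

If the markup is meant to be rendered as HTML rather than shown as text, it has to go through an HTML sanitizer with an allow-list before storage or before Html.Raw; disabling request validation removes the input-side filter and nothing else.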