Web Connection
Ironic response to .NET XSS prevention
Ironic response to .NET XSS prevention
  Stein Goering
  All
  Jul 13, 2022 @ 11:24pm

Under the .NET Handler, querystring content is pre-filtered for potential cross-site scripting attacks. If it detects suspicious characters, it stops the request and we get a warning like this:

Unknown application error
A potentially dangerous Request.QueryString value was detected from the client.

It then echoes back the offending string (e.g. "").

Unfortunately, a number of security scanners (most notably QualysGuard) see that reflected payload string as a sign of a successful penetration. That results in a security report with dozens of pages flagged as vulnerable to XSS, which of course alarms our customers.

Is there any way to modify that filter behavior, either to prevent it from displaying the string, or to sanitize the dangerous characters?

--stein

re: Ironic response to .NET XSS prevention
  Rick Strahl
  Stein Goering
  Jul 14, 2022 @ 09:22am

That's actually coming from IIS, not from the handler - the request filtering module is part of the ASP.NET pipeline.

What is the actual response? That's a perfectly legal response to a failure, so if that's what the scanners are picking up they're not doing their job. The text might be returned but it's encoded so no XSS potential.

+++ Rick ---
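The practical check behind Rick's point is whether the marker comes back verbatim or HTML-encoded in the error body, which is what separates a real reflected XSS from a scanner false positive. The script below is an added example, not code from Web Connection or from either poster: it classifies a response body as reflecting the payload raw, encoded, stripped, or not at all, and can also send the probe itself. The parameter name `q`, the function names, and the three sample response bodies are constructed for illustration and modelled on the message quoted in the thread.

```python
"""Triage a scanner's "reflected XSS" finding on an ASP.NET request-validation
error page: does the echoed payload come back raw (exploitable) or HTML-encoded
(display only)?  Added example; not code from Web Connection or the thread.
"""
import html
import urllib.error
import urllib.parse
import urllib.request

# Marker payload. It contains no quote characters, so exactly one HTML-encoded
# form is expected back.
PAYLOAD = "<script>alert(1)</script>"

# Constructed sample bodies (not captured from a real server), shaped like the
# message quoted in the thread. The parameter name "q" is an assumption.
BODY_ENCODED = (
    "<html><body>Unknown application error<p>"
    "A potentially dangerous Request.QueryString value was detected from the "
    'client (q="&lt;script&gt;alert(1)&lt;/script&gt;").</body></html>'
)
BODY_RAW = (
    "<html><body>Unknown application error<p>"
    "A potentially dangerous Request.QueryString value was detected from the "
    'client (q="<script>alert(1)</script>").</body></html>'
)
BODY_GENERIC = "<html><body>An error occurred while processing your request.</body></html>"


def classify_reflection(body: str, payload: str = PAYLOAD) -> str:
    """Classify how `payload` is echoed in `body`.

    'raw'      - appears verbatim: the page really reflects input unescaped
    'encoded'  - appears only with < > & " ' HTML-escaped: text, not markup
    'stripped' - appears with the angle brackets removed (sanitized)
    'absent'   - not echoed at all
    Checks run in that order, so a body containing both forms counts as raw.
    """
    if payload in body:
        return "raw"
    escaped = {html.escape(payload, quote=True), html.escape(payload, quote=False)}
    if any(e in body for e in escaped):
        return "encoded"
    stripped = payload.replace("<", "").replace(">", "")
    if stripped and stripped in body:
        return "stripped"
    return "absent"


def is_exploitable_reflection(body: str, payload: str = PAYLOAD) -> bool:
    """Only a raw echo justifies treating the finding as a real XSS."""
    return classify_reflection(body, payload) == "raw"


def probe(url: str, param: str = "q", payload: str = PAYLOAD, timeout: float = 10) -> dict:
    """Send the marker in the query string and classify the live response.

    Network call, not exercised by the offline samples. Error statuses are
    still read (an unhandled HttpRequestValidationException yields a 500),
    because the error body is exactly what the scanner looks at.
    """
    full = f"{url}?{urllib.parse.urlencode({param: payload})}"
    try:
        with urllib.request.urlopen(full, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read().decode("utf-8", "replace")
    return {"status": status, "reflection": classify_reflection(body, payload)}


if __name__ == "__main__":
    for name, body in [("encoded", BODY_ENCODED), ("raw", BODY_RAW), ("generic", BODY_GENERIC)]:
        print(f"{name:8s} -> {classify_reflection(body)} "
              f"exploitable={is_exploitable_reflection(body)}")
```

If the result is `encoded`, the scanner is matching on the literal string and the finding can be closed with the response body as evidence. This holds for the HTML-body context the error page uses; an encoded value dropped into a script block or an event-handler attribute would need context-specific escaping, so check where the echo lands before dismissing a `raw` result from some other page. If the error text itself is the objection, ASP.NET also lets you replace the validator (a `System.Web.Util.RequestValidator` subclass registered with `<httpRuntime requestValidationType="...">` in web.config) or disable validation for specific requests, but that trades a cosmetic finding for a real reduction in the filter's coverage.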
