
I maintain an ASP.NET 4.0 application, not MVC, based on some closed source, and I must implement some anti-XSS in the query parameters it uses. I can't access all the code, and altering all the components is out of the question. I can't upgrade the .NET version, either. Does it make sense to try to rewrite the path to encode/escape the query strings in order to encode the query strings, to avoid some XSS injection using them? Could it be done as the browsers do? Could it be done to encode only when needed, avoiding an infinite loop?

  • One “level” of URL encoding will already be applied by the browser, if necessary. And either by the web server or your application itself, that level will be decoded again, to get the real values. To prevent any harm in terms of XSS, you would have to apply a second level, URL-encode the already URL-encoded values a second time. But then your application will likely not know what to do even with regular, “good” input any more. So unless you can specifically identify certain harmful “patterns”, to only apply a second level of URL encoding very specifically, I think this makes little sense. Commented Oct 9, 2019 at 11:06
  • Well, this would be intended for attacks done with other tools than browsers. This is a part of the challenge. I've seen code snippets doing decode-encode for this, like undoing the browser job and doing it to be sure it is applied. Still, it is unclear to me how to do this on the server side after calculating the new url (actually I need the path with the query strings in my case). It is also unclear if path rewrite + redirect is possible and correct, or any of those alone. Any thoughts? Commented Oct 9, 2019 at 16:36
  • Well there is the B flag, that “instructs RewriteRule to escape non-alphanumeric characters before applying the transformation.” The example in the manual only covers the query string, but I guess this applies to any part of the URL where you insert a back reference. But I still wouldn’t hazard a guess if that would even help, resp. could be done in a way that does not destroy / falsify regular data. Commented Oct 10, 2019 at 6:23
  • Is this for Apache? I must/have to use IIS... Commented Oct 10, 2019 at 10:08
  • Uh, yes, that Apache. Don’t know what the equivalent for IIS would be. Commented Oct 10, 2019 at 10:10
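The IIS-side counterpart to the question's idea (rewrite the request so the query string reaches the closed-source pages already encoded), as an added example that is not code from the question or its comments: an ASP.NET 4.0 `IHttpModule` that HTML-encodes the already URL-decoded query values and calls `HttpContext.RewritePath`, only when something actually changed. The module and class names are hypothetical; it runs in the same application, so no .NET upgrade is needed.

```csharp
using System;
using System.Collections.Specialized;
using System.Text;
using System.Web;

// Hypothetical module. Register it in web.config:
//   <system.webServer><modules>
//     <add name="QueryStringEncoding" type="QueryStringEncodingModule" />
//   </modules></system.webServer>
// (add the assembly to the type name if the class is not in App_Code).
public class QueryStringEncodingModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpRequest req = ctx.Request;
        if (req.QueryString.Count == 0) return;

        bool changed;
        string safeQuery = HtmlEncodeQuery(req.QueryString, out changed);
        if (!changed) return; // nothing markup-significant: leave the request alone

        // RewritePath changes what the rest of the pipeline sees for this request
        // and does not re-enter BeginRequest, so there is no rewrite loop.
        ctx.RewritePath(req.FilePath, req.PathInfo, safeQuery);
    }

    // Request.QueryString already holds the URL-decoded values (the browser's
    // percent-encoding is undone by ASP.NET). HTML-encode each value so that a
    // page echoing it raw emits &lt;script&gt; instead of <script>, then
    // URL-encode keys and values again to rebuild a well-formed query string.
    internal static string HtmlEncodeQuery(NameValueCollection query, out bool changed)
    {
        changed = false;
        var sb = new StringBuilder();
        foreach (string key in query.AllKeys)
        {
            foreach (string value in query.GetValues(key) ?? new string[0])
            {
                string raw = value ?? string.Empty;
                string encoded = HttpUtility.HtmlEncode(raw);
                if (encoded != raw) changed = true;
                if (sb.Length > 0) sb.Append('&');
                sb.Append(HttpUtility.UrlEncode(key ?? string.Empty));
                sb.Append('=').Append(HttpUtility.UrlEncode(encoded));
            }
        }
        return sb.ToString();
    }

    public void Dispose() { }
}
```

As the comments above warn, this also rewrites legitimate values containing `&`, `<`, `>`, `"` or `'`, so the closed-source pages will receive `&amp;` where a user typed `&`; the module is a blanket mitigation for pages that reflect query values without encoding, not a replacement for output encoding where the code can be fixed.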
