ASP.NET - Security Reflected XSS problem with some codes


Here where I work they use an application called checkmarx to analyze the security of the application

In one of these analyses the application detected the following problems:

Reflected XSS All Clients:

The application's GetBarcosNaoVinculados embeds untrusted data in the generated output with Json, at line 1243 of .../Controllers/AdminUserController.cs. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output. The attacker would be able to alter the returned web page by simply providing modified data in the user input usuarioId, which is read by the GetBarcosNaoVinculados method at line 1243 of .../Controllers/AdminUserController.cs. This input then flows through the code straight to the output web page, without sanitization.

public JsonResult GetBarcosNaoVinculados(string usuarioId)
.....
.....
 return Json(barcosNaoVinculados, JsonRequestBehavior.AllowGet);

Elsewhere in the system it gives the same problem but with these two methods

The application's LoadCodeRve embeds untrusted data in the generated output with SerializeObject, at line 738 of .../BR.Rve.UI.Site/Controllers/InfoApontamentoController.cs. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output. The attacker would be able to alter the returned web page by saving malicious data in a data-store ahead of time. The attacker's modified data is then read from the database by the Buscar method with Where, at line 78 of .../Repository/Repository.cs. This untrusted data then flows through the code straight to the output web page, without sanitization.

public virtual IEnumerable<TEntity> Buscar(Expression<Func<TEntity, bool>> predicate)
   return Dbset.Where(predicate);

public string LoadCodeRve()
  return JsonConvert.SerializeObject(items);

It seems that it has to do with the treatment given to the JSON format, would anyone know how to treat this type of problem?



securecodeninja On BEST ANSWER

As the warning message indicates, you need to perform either some form of input validation (or sanitization), and also, as a secure coding best practice, output encoding before rendering the output into the page. Checkmarx searches for the existence of these "sanitizers" and these are predefined in their Checkmarx query. One, for instance, is the use of the AntiXSS libraries (i.e. the JavascriptEncode function).

The two critical lines to look out for are already pointed out by Checkmarx:

return Json(barcosNaoVinculados, JsonRequestBehavior.AllowGet);

and

return JsonConvert.SerializeObject(items);

Whichever pages these values (JSON or String) are going to end up in, they need to be escaped. Now, depending on the templating engine you are using, you might already get instant XSS protection. For example, "The Razor engine used in MVC automatically encodes all output sourced from variables, unless you work really hard to prevent it doing so." and unless, of course, you used the Html.Raw helper method.

As promoters of application security we believe in not trusting the input and having layers of defenses, so my suggestion is to explicitly indicate that you want to encode the output by passing in a JsonSerializerSettings argument:

return JsonConvert.SerializeObject(items, new JsonSerializerSettings { StringEscapeHandling = StringEscapeHandling.EscapeHtml });

The only dilemma here is that Checkmarx might not recognize this as a sanitizer because it may not be in their predefined list of sanitizers. You could always present this solution as an argument to the Security team that is running the Security scans.

For the case of the JsonResult return, you may want to javascript encode the barcosNaoVinculados variable:

return Json(HttpUtility.JavaScriptStringEncode(barcosNaoVinculados), JsonRequestBehavior.AllowGet);

Now, this too Checkmarx may not recognize. You can try using the ones that Checkmarx recognizes (i.e. Encoder.JavascriptEncode or AntiXss.JavascriptEncode), but I don't think these NuGet packages will work in your project type.
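A small check of what the suggested JsonSerializerSettings actually changes, added here as an example and not part of the question or the answer above. It assumes the Newtonsoft.Json package is referenced; the Barco type and the sample values are constructed for the demo.

```csharp
// Added example: compares default Newtonsoft.Json output with
// StringEscapeHandling.EscapeHtml and verifies the escaped JSON still
// round-trips to the same data. Barco and the sample values are constructed.
using System;
using System.Collections.Generic;
using System.Linq;
using Newtonsoft.Json;

public class Barco
{
    public int Id { get; set; }
    public string Nome { get; set; }
}

public static class JsonEscapeDemo
{
    // Serialize with the setting recommended in the answer.
    public static string SerializeHtmlSafe(object value) =>
        JsonConvert.SerializeObject(value, new JsonSerializerSettings
        {
            StringEscapeHandling = StringEscapeHandling.EscapeHtml
        });

    // A body without these characters cannot close a <script> block or
    // open a tag if the JSON is ever inlined into an HTML page.
    public static bool ContainsHtmlMetaChars(string json) =>
        json.IndexOfAny(new[] { '<', '>', '&' }) >= 0;

    public static void Main()
    {
        // Constructed "stored" values, one of them carrying markup.
        var items = new List<Barco>
        {
            new Barco { Id = 1, Nome = "Barco Azul" },
            new Barco { Id = 2, Nome = "x</script><script>alert(1)</script>" }
        };

        // Default escaping only handles quotes, backslashes and control
        // characters; EscapeHtml additionally emits <, >, & as \uXXXX.
        string plain = JsonConvert.SerializeObject(items);
        string safe = SerializeHtmlSafe(items);

        // The escaped form is still valid JSON with identical content.
        var roundTrip = JsonConvert.DeserializeObject<List<Barco>>(safe);
        bool sameData = roundTrip.Select(b => b.Nome)
                                 .SequenceEqual(items.Select(b => b.Nome));

        Console.WriteLine(plain);
        Console.WriteLine(safe);
        Console.WriteLine($"plain has HTML chars: {ContainsHtmlMetaChars(plain)}");
        Console.WriteLine($"safe has HTML chars: {ContainsHtmlMetaChars(safe)}");
        Console.WriteLine($"round-trips: {sameData}");
    }
}
```

Because the escaping is lossless to any JSON parser, it can be applied to every serialized response without changing what AJAX callers receive.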