How can I prevent an XSS vulnerability when using Flex and ASP.NET to save a file?

434 views Asked by At

I've implemented a PDF generation function in my flex app using alivePDF, and I'm wondering if the process I've used to get the file to the user creates an XSS vulnerability.

This is the process I'm currently using:

  1. Create the PDF in the flex application.
  2. Send the binary PDF file to the server using a POST, along with the filename to deliver it as.
  3. An ASP.NET script on the server checks the filename to make sure it's valid, and then sends it back to the user as an HTTP attachment.

Given that, what steps should I take to prevent XSS?

2

There are 2 answers

2
Ben Walther On

Are there any other GET or POST parameters other than the filename?

In preventing XSS, there are three main strategies: validation, escaping, and filtering.

Validation: Upon detecting nvalid characters, reject the POST request (and issue an error to the user).

Escaping: Likely not applicable when saving the file, as your OS will have restrictions on valid file names.

Filtering: Automatically strip the POST filename parameter of any invalid characters. This is what I'd recommend for your situation.

Within the ASP.NET script, immediately grab the POST string and remove the following characters: < > & ' " ? % # ; +

0
Jan Jongboom On

How is this going to be XSS exploitable? You aren't outputting something directly to the user. The filesystem will just reject strange characters, and when putting the file on the output stream, the name nor the content does matter.