I have an HTTP Handler set up in the HttpHandlers section of my web.config as follows:
<add path="myNamespace.myHandler.axd" verb="*" type="myNamespace.myHandler, myNamespace" validate="false"/>
A PCI scan has highlighted a vulnerability within this handler, which opens it up to XSS attacks. Basically, you can pass a tag in via the query string and the HTTP handler dumps the tag straight into the response in its raw format - ouch!
I don't have access to the source code for this handler, so I have been trying to close this vulnerability using asp.net with the following tag:
<location path="myNamespace.myHandler.axd">
<system.web>
<pages validateRequest="true">
</pages>
</system.web>
</location>
This, however, is not working. The query string is not being validated, and the tags are still getting through.
I am running IIS7 with asp.net 3.5.
Can anyone help?
Cheers, Pat
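One way to cover a handler whose source you cannot change, as an added example that is not Pat's code or part of the original thread: an IHttpModule that enables ASP.NET request validation for requests to the .axd path and rejects the request with a 400 before the handler runs. The module and class names (XssGuardModule, the registration entry) are assumptions; the handler path is the one from the question.

```csharp
// Added example, not code from the question or the answer. <pages validateRequest="true">
// only applies to Page-derived handlers, so a module guards the generic handler instead.
// Assumed names: XssGuardModule; GuardedPath is the .axd path from the question.
using System;
using System.Collections.Specialized;
using System.Web;

namespace myNamespace
{
    public class XssGuardModule : IHttpModule
    {
        // Handler we cannot change; compared case-insensitively against Request.Path.
        private const string GuardedPath = "/myNamespace.myHandler.axd";

        public void Init(HttpApplication app)
        {
            app.BeginRequest += OnBeginRequest;
        }

        private static void OnBeginRequest(object sender, EventArgs e)
        {
            HttpApplication app = (HttpApplication)sender;
            HttpRequest request = app.Request;

            if (!request.Path.EndsWith(GuardedPath, StringComparison.OrdinalIgnoreCase))
                return;

            try
            {
                // HttpRequest.ValidateInput() exists since .NET 1.1; validation runs lazily on
                // the next read of QueryString/Form/Cookies, so read QueryString to trigger it.
                request.ValidateInput();
                NameValueCollection query = request.QueryString;
            }
            catch (HttpRequestValidationException)
            {
                // Stop the pipeline here: the handler never sees, and never echoes, the markup.
                app.Response.Clear();
                app.Response.StatusCode = 400;
                app.Response.Write("Request rejected: potentially dangerous query string.");
                app.CompleteRequest();
            }
        }

        public void Dispose() { }
    }
}

// Registration in web.config (IIS7 integrated pipeline), assumed entry name:
// <system.webServer><modules>
//   <add name="XssGuard" type="myNamespace.XssGuardModule, myNamespace" />
// </modules></system.webServer>
// For classic mode, add the same <add> under <system.web><httpModules> instead.
```

Request validation is a deny-list check (it rejects `<` followed by a letter and similar patterns) rather than output encoding, so it reduces the exposure reported by the scan but is not a substitute for the handler encoding what it echoes.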
As far as I know, there is no easy way to enable request validation for a generic http handler in asp.net 3.5 using configuration settings. There are however some validation methods introduced in .net 1.1 which I believe (not 100% sure of this) are the same criteria used in default request validation.
4.0 introduced default request validation across the board with the option to revert to 2.0 settings.
As I see it you have two options: