3

Considering I parse user input, which is supposed to be an email address, into the MailAdress class:

var mailString = Request.QueryString["mail"];
var mail = new MailAddress(mailString);

Is there any possibility left for a cross-site-scripting attack if I output the MailAddress object later in any way? For example through a Literal control in WebForms:

litMessage.Text = "Your mail address is " + mail.Address;

Is it necessary to sanitize the outpout even though I made sure that the address is a valid email address by parsing the string?

From what I could gather the RFC for mail addresses is pretty complicated, so I am unsure if cross site scripts can be hidden in a mail address considered valid by .NET.

EDIT:
MSDN says that > and < brackets are allowed in an email address:

The address parameter can contain a display name and the associated e-mail address if you enclose the address in angle brackets. For example: "Tom Smith <tsmith@contoso.com>"

So the question remains if this is enough for an XSS attack and/or if the MailMessage class does anything to escape dangerous parts.

magnattic
  • 12,638
  • 13
  • 62
  • 115

2 Answers2

0

Generally speaking, you shouldn't need to validate the output later. However, I always recommend that you do so for the following reasons:

  1. There may be a hole somewhere in your app that doesn't validate the input properly. This could be discovered by an attacker and used for XSS. This is especially possible when many different devs are working on the app.
  2. There may be old data in the database that was stored before implementing/updating your filter on the input. This could contain malicious code that could be used for XSS.
  3. Attackers are very clever and can usually figure out a way to beat a filter. Microsoft puts a lot of attention on preventing this, but it's never going to perfect. It makes the attackers job that much harder if they face and outgoing filter as well and as incoming filter.

I know it's a pain to constantly filter, but there is a lot of value in doing so. A Defense-in-Depth strategy is necessary in today's world.

Edit:

Sorry I didn't really answer the second part of your question. Based on the documentation I don't get the impression that the API is focused on sanitizing as much as it is on verifying valid formatting. Therefore I don't know that it is safe to rely on it for security purposes.

However, writing your own sanitizer isn't terribly hard, and you can update it immediately if you find flaws. First run the address through a good RegEx filter (see: Regex Email validation), then recursively remove every nonvalid character in an email address (these shouldn't get through at this point but do this for comprehensiveness and in case you want to reuse the class elsewhere), then escape every character with HTML meaning. I emphasize the recursive application of the filter because attackers can take advantage of a non-recursive filter with stuff like this:

<scr<script>ipt>

Notice that a nonrecursive filter would remove the middle occurence of <script> and leave the outer occurrence in tact.

Community
  • 1
  • 1
Freedom_Ben
  • 11,247
  • 10
  • 69
  • 89
  • Whats the point of using an additional regex filter if the MailAddress class already makes sure that only valid strings are accepted? My question is if valid email addresses can contain XSS attacks which might slip through the validation this way. Of course you are right when you say that it is never a bad idea to escape html characters when creating output. However I want to know if this kind of attack would be even possible if one uses a `MailMessage` object. Its never a bad idea to know what options a possible attacker might have. – magnattic Apr 16 '13 at 18:21
  • You are correc that you shouldn't need to add a regex filter when using the `MailAddress` class. I included it here for completeness of developing a sanitizer. That being said however in high security environments we do not like to trust proprietary/close source code, because we can't review it for vulnerabilities. For this reason we write our own. As for getting an attack through `MailMessage` I don't know of any attacks out there, but that doesn't mean it's impossible, especially if you use the class in a way it's authors didn't anticipate. – Freedom_Ben Apr 16 '13 at 18:35
  • If someone has an attack that works against `MailAddress`, they likely won't give it up because it is worth *a lot* of money in the underground. I just heard of a Java 7 hack being sold for $50,000. Once disclosed they are worthless. – Freedom_Ben Apr 16 '13 at 18:36
0

Is it necessary to sanitize the outpout

You don't 'sanitise' output, you encode it. Every string that you output into an HTML document needs to be HTML-encoded, so if there was a < character in the mail address it wouldn't matter - you'd get &lt; in the HTML source as a result and that would display correctly as a literal < on the page.

Many ASP.NET controls automatically take care of HTML-escaping for you, but Literal does not by default because it can be used to show markup. But if you set the Mode property of the Literal control to Encode then setting the Text like you're doing is perfectly fine.

You should make sure you always use safe HTML-encoded output every time you put content into an HTML page, regardless of whether you think the values you're using will ever be able to include a < character. This is a separation-of-concerns issue: HTML output code knows all about HTML formatting, but it shouldn't know anything about what characters are OK in an e-mail address or other application field.

Leaving out an escape because you think the value is 'safe' introduces an implicit and fragile coupling between the output stage and the input stage, making it difficult to verify that the code is safe and easy to make it unsafe when you make changes.

bobince
  • 528,062
  • 107
  • 651
  • 834