
I was trying to break my ASP.NET website by entering HTML into the URL to check for XSS vulnerabilities, but it turns out it's worse than that:

I already went through allowing URLs with other symbols (such as +) by setting allowDoubleEscaping=true in my Web.config, but it seems this doesn't work for URLs containing <, >, and possibly more. I expect my custom 500 error page to show up using this implementation, but the site doesn't even get that far.

How can I allow these types of URLs through, and handle them with a generic error page?

Edit:

The closest I get to a stacktrace is this:

   at vReport2.User.get_Current() in z:\Scott\Projects\Visual Studio\C#\vReport2.1\vReport2.1\Models\User.cs:line 18
   at ASP._Page_Views_Shared__Layout_cshtml.Execute() in z:\Scott\Projects\Visual Studio\C#\vReport2.1\vReport2.1\Views\Shared\_Layout.cshtml:line 35
   at System.Web.WebPages.WebPageBase.ExecutePageHierarchy()
   at System.Web.Mvc.WebViewPage.ExecutePageHierarchy()
   at System.Web.WebPages.WebPageBase.ExecutePageHierarchy(WebPageContext pageContext, TextWriter writer, WebPageRenderingBase startPage)
   at System.Web.WebPages.WebPageBase.ExecutePageHierarchy(WebPageContext pageContext, TextWriter writer)
   at System.Web.WebPages.WebPageBase.<>c__DisplayClass3.<RenderPageCore>b__2(TextWriter writer)
   at System.Web.WebPages.HelperResult.WriteTo(TextWriter writer)
   at System.Web.WebPages.WebPageExecutingBase.WriteTo(TextWriter writer, HelperResult content)
   at System.Web.WebPages.WebPageBase.Write(HelperResult result)
   at System.Web.WebPages.WebPageBase.RenderSurrounding(String partialViewName, Action`1 body)
   at System.Web.WebPages.WebPageBase.PopContext()
   at System.Web.WebPages.WebPageBase.ExecutePageHierarchy(WebPageContext pageContext, TextWriter writer, WebPageRenderingBase startPage)
   at System.Web.Mvc.RazorView.RenderView(ViewContext viewContext, TextWriter writer, Object instance)
   at System.Web.Mvc.BuildManagerCompiledView.Render(ViewContext viewContext, TextWriter writer)
   at System.Web.Mvc.ViewResultBase.ExecuteResult(ControllerContext context)
   at System.Web.Mvc.ControllerActionInvoker.InvokeActionResult(ControllerContext controllerContext, ActionResult actionResult)
   at System.Web.Mvc.ControllerActionInvoker.InvokeActionResultFilterRecursive(IList`1 filters, Int32 filterIndex, ResultExecutingContext preContext, ControllerContext controllerContext, ActionResult actionResult)
   at System.Web.Mvc.ControllerActionInvoker.InvokeActionResultFilterRecursive(IList`1 filters, Int32 filterIndex, ResultExecutingContext preContext, ControllerContext controllerContext, ActionResult actionResult)

with the exception being thrown when I try to access HttpContext.Current.Session in a class.

  • As far as I know you could use < > even without enabling allowDoubleEscaping, isn't it like that? – Behzad Jul 05 '15 at 04:50
  • @Behzad Sadly that still causes the error, thank you though. – Scott Jul 05 '15 at 04:51
  • Do you see a stacktrace in the content of the response? – Dejan Jul 05 '15 at 05:26
  • @Dejan I've added the closest thing to a stacktrace that it gives me to my original post. – Scott Jul 05 '15 at 05:31
  • Very surprising. Happens quite late when already a page is being rendered. So `vReport2.User` is your code I assume. Can you enable "break on exception" in VS and see what is going on there? What type of exception is it? And are you sure the website is running fine without that < otherwise? :) – Dejan Jul 05 '15 at 05:36
  • Yep - [found the solution](http://stackoverflow.com/questions/5967103/a-potentially-dangerous-request-path-value-was-detected-from-the-client). I just had to remove < and > from the list Dave posted in that thread, and it's all fine & dandy now. It would still be nice to know how to handle this properly, rather than allowing the site to crash if a user decides to enter a bad character in the URL. If you post this as an answer, I'll accept :) – Scott Jul 05 '15 at 05:48

2 Answers

Remove < and > from the requestPathInvalidCharacters list. See: https://stackoverflow.com/a/8597868/331281 .

For example, your web.config might look like this:

```xml
<system.web>
    <!-- the default list is <,>,*,%,&,:,\,? ; this is that list with < and > removed -->
    <httpRuntime requestPathInvalidCharacters="*,%,&amp;,:,\,?" />
</system.web>
```
  • If you want to protect yourself against XSS vulnerabilities, then allowing potentially bad characters is not a good idea. You rather want to display some sort of error page when these invalid characters are present in your url. – Peter Hahndorf Jul 05 '15 at 07:15
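
Following Peter Hahndorf's point (keep request validation on and show an error page instead of admitting the characters), here is an added example, not code from the question or from either answer, of catching the 400 that ASP.NET raises for a rejected path in Application_Error and answering it with a generic page that never touches Session, which is where the asker's stack trace ends up. ErrorController, SessionUser, the InvalidPath action and the "UserName" session key are hypothetical stand-ins for the asker's vReport2 types, and the explanation of the trace as a null Session is an assumption.

```csharp
// Global.asax.cs plus an error controller for an ASP.NET MVC 5 site.
// Added example, not the asker's project code. ErrorController, SessionUser,
// InvalidPath and the "UserName" session key are hypothetical stand-ins.
using System;
using System.Net;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

public class MvcApplication : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception error = Server.GetLastError();
        var httpError = error as HttpException;

        // Request validation rejects a path containing one of the characters in
        // requestPathInvalidCharacters (default: < > * % & : \ ?) with an
        // HttpException carrying HTTP status 400 ("A potentially dangerous
        // Request.Path value was detected from the client"). Anything else is
        // left to the existing 500 handling.
        if (httpError == null || httpError.GetHttpCode() != (int)HttpStatusCode.BadRequest)
        {
            return;
        }

        Server.ClearError();
        Response.Clear();
        Response.StatusCode = (int)HttpStatusCode.BadRequest;
        // Keep IIS from replacing the body with its own 400 page.
        Response.TrySkipIisCustomErrors = true;

        // Run the error controller directly rather than redirecting: the rejected
        // request never reached routing, so there is no normal MVC pipeline here.
        var routeData = new RouteData();
        routeData.Values["controller"] = "Error";
        routeData.Values["action"] = "InvalidPath";
        IController controller = new ErrorController();
        controller.Execute(new RequestContext(new HttpContextWrapper(Context), routeData));
        CompleteRequest();
    }
}

public class ErrorController : Controller
{
    // Plain content rather than a Razor view, so nothing in this response goes
    // through _Layout.cshtml and therefore nothing dereferences Session.
    public ActionResult InvalidPath()
    {
        return Content(
            "<!DOCTYPE html><html><body><h1>Bad request</h1>" +
            "<p>The address you entered contains characters that are not allowed.</p>" +
            "</body></html>",
            "text/html");
    }
}

// Stand-in for the asker's vReport2.User.Current accessor.
public static class SessionUser
{
    public static string CurrentName
    {
        get
        {
            HttpContext ctx = HttpContext.Current;
            // Assumption: the exception in the trace is Session being null. A
            // request rejected by validation at the start of the pipeline never
            // reaches the session module, so shared layout code must not assume
            // Session exists while that request is being reported as an error.
            if (ctx == null || ctx.Session == null)
            {
                return null;
            }
            return ctx.Session["UserName"] as string;
        }
    }
}
```

With this in place requestPathInvalidCharacters keeps its default value, so a path containing `<` or `>` still never reaches a controller; the handler only decides what the user sees. If the existing custom error view is kept instead of the plain content above, its _Layout must tolerate a null Session in the same way.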

You should encrypt the URL before opening it, and decrypt it while loading, and then you can get the URL parameter values.

Use EncryptDecrypt logic to solve this issue

  • Thanks! Interestingly enough, nowhere in my entire application have I told it to read URL params, so it must be something ASP.NET is doing behind-the-scenes that I have to work around. How would I accomplish this? – Scott Jul 05 '15 at 05:32