
I have a page default.aspx. When a user browses this page as

www.mysite.com/default.aspx/?&#&emp=1']];alert(2);[['1

there is an alert pop-up. To prevent such an attack, I would like to get the entire string typed in the browser, but I am unable to.

[NOTE: As you see, the text after ? need not be a query string. Here it is random chars. If it were a query string, I could get that in code.]

using System;
using System.Web;

protected void Page_Load(object sender, EventArgs e)
{
  // Concatenate the server variables that describe the requested URL
  string query = HttpContext.Current.Request.ServerVariables["URL"] +
                 HttpContext.Current.Request.ServerVariables["PATH_INFO"] +
                 HttpContext.Current.Request.ServerVariables["QUERY_STRING"];
}

In `query` I only get /default.aspx/default.aspx/&

How can I get the entire string typed in the address bar?

UPDATE:

`HttpContext.Current.Request.Url.AbsoluteUri` gives `?&`. `HttpContext.Current.Request.Url.ToString()` gives `http://mysite/default.aspx/?&`.

This is not a duplicate of that question, as my problem has chars that are not query strings, and also the solutions in that question did not resolve my problem. Thank you.

SOLUTION: This might help someone who has a similar concern. The fix was to deal with this on the client side. I never knew that the part after # is not sent to the server side. Awesome suggestion by AmateurProgrammer & Shadowed. Thank you.

sukesh
  • How would obtaining the entire URL as a string prevent the attack? In any case, probably use [`Request.Url`](https://msdn.microsoft.com/en-us/library/system.web.httprequest.url(v=vs.110).aspx).. – user2864740 Feb 02 '16 at 07:18
  • Did you try `Request.Url`? – Irshad Feb 02 '16 at 07:21
  • Something like `HttpContext.Current.Request.Url.AbsoluteUri`? – Joachim Isaksson Feb 02 '16 at 07:21
  • @Serv. This is not a duplicate of that question, as my problem has chars that are not query strings, and also the solutions in that question did not resolve my problem. – sukesh Feb 02 '16 at 07:28
  • I suppose you don't get the whole text because IIS/ASP.NET is indeed preventing an attack for you – Simon Mourier Feb 02 '16 at 07:59
  • If the part after `&` is being executed as JavaScript on the client side, how would it show up as a part of the URL on the server side at all? My suggestion is to detect this string and deal with it at the client side itself. – Bhushan Shah Feb 02 '16 at 08:03
  • @SimonMourier. That might be true. But I see this pop-up on my site, which is live and hosted in IIS. – sukesh Feb 02 '16 at 08:06

1 Answer

The part after # (including #) is the URI fragment, and by the standard it is not sent to the server. It is meant to be used by the browser: if there is an element with an id equal to the fragment, the browser will scroll to it. Nowadays it is also used as a way to pass parameters to JavaScript on the page. It is possible to get the fragment at the server indirectly by sending it via JavaScript, but only after the page is loaded.

Shadowed
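The following is an added example, not code from the question, the answer, or the asker's site. It runs in plain Node.js and shows two things the thread establishes: which part of the typed URL the server can ever see (path and query, never the fragment), and how client-side code that reads parameters out of `location.hash` should treat them as data rather than as markup or script. The function names, the `emp` parameter parsing, and the `renderUnsafe`/`renderSafe` script-embedding pattern are assumptions for illustration; the page does not show what the original site's client code did with the fragment.

```javascript
// Added example (not from the question or answer): splits a typed URL into the
// server-visible part and the fragment, then treats fragment parameters as data.
// Helper names and the script-embedding pattern are assumptions for illustration.

// The URL from the question. A browser strips everything from '#' onward before
// sending the request, so the server sees only the path and query string.
const TYPED_URL = "http://www.mysite.com/default.aspx/?&#&emp=1']];alert(2);[['1";

// Separate what reaches the server from what stays in the browser.
function splitRequest(fullUrl) {
  const u = new URL(fullUrl);
  return {
    sentToServer: u.pathname + u.search, // what IIS/ASP.NET can log or inspect
    fragment: u.hash,                    // only readable in JS via location.hash
  };
}

// decodeURIComponent throws on malformed %xx sequences; keep the raw text instead.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Parse "#&emp=1..." style fragment parameters into plain strings.
// Values are returned as data only; nothing here evaluates them.
function parseFragmentParams(hash) {
  const params = {};
  const body = hash.startsWith('#') ? hash.slice(1) : hash;
  for (const pair of body.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? '' : pair.slice(eq + 1);
    params[safeDecode(rawKey)] = safeDecode(rawVal);
  }
  return params;
}

// Escape a value for insertion as HTML text or attribute content.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Serialize a value for embedding inside an inline <script> block: JSON.stringify
// turns it into a string literal, and the extra replacements keep "</script>" and
// line terminators from ending the script context early.
function toScriptLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Weak pattern: the raw fragment value is concatenated into a script literal,
// so quote characters in the value change the structure of the script.
function renderUnsafe(emp) {
  return "<script>var data = [['" + emp + "']];</script>";
}

// Hardened pattern: the value becomes a JS string literal and stays a string.
function renderSafe(emp) {
  return '<script>var data = [[' + toScriptLiteral(emp) + ']];</script>';
}

// Run the whole flow for one URL and return every intermediate result.
function demo(fullUrl = TYPED_URL) {
  const { sentToServer, fragment } = splitRequest(fullUrl);
  const params = parseFragmentParams(fragment);
  const emp = params.emp ?? '';
  return {
    sentToServer,
    fragment,
    emp,
    label: '<span>' + escapeHtml(emp) + '</span>',
    unsafe: renderUnsafe(emp),
    safe: renderSafe(emp),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the output, `sentToServer` is `/default.aspx/?&`, which matches what the question reports from `Request.Url.ToString()`; the fragment only exists in `fragment`, which is why no server-side variable can return it. The `unsafe` string shows how a single quote in the value closes the literal, while `safe` keeps the same value inside one JSON string literal, which is the fix the accepted solution points to (handle the fragment on the client, as data).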