
I have a Classic ASP page (like below),

/Test.asp?url="%0a%0dmsgbox("Test%20XSS")%0a%0ddim%20test%0a%0dtest="

We are passing the URL as a query string. But when we pass the above parameter, it displays the message (because of msgbox) before the page loads.

Is there any way that we can stop executing the script in the query parameter? i.e. secure the query string.

Thanks in advance for the help.

  • Yep, don't inject query parameters into client-side script without sanitising them first. – user692942 May 05 '16 at 00:11
  • You need to post the relevant code that is "executing" the URL. It's not "executing" by itself. – Shadow The GPT Wizard May 05 '16 at 06:04
  • Actually, I was just adding a normal parameter to the query string (like below). /Test.asp?url=google But if someone makes the URL like the one I showed in the post, the page displays a message box. I think my page shouldn't show someone else's message. – PraneethArnepalli May 05 '16 at 17:30

1 Answer


If you were outputting to HTML, use Server.HTMLEncode.

<%=Server.HTMLEncode(Request.QueryString("url")) %>

However, it appears you are outputting to JavaScript.

The best way would be not to do this. See my question and the answer here, but basically use data- attributes so you can use the code above, and then fish out the value using JavaScript:

<div id="dataExample" data-url="<%=Server.HTMLEncode(Request.QueryString("url")) %>"></div>

Check out the OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet for further information. This also has another way of doing it, but it is much more complex, which is always the inverse of security. This involves encoding using the \x00 format. However, as this involves writing some custom code, it means you cannot rely on any inbuilt functions, which means it is prone to error. I would heavily recommend the HTML approach.

– SilverlightFox
  • Thanks for the reply. I tried HTMLEncode and it didn't show any message on that page (which technically solved my issue), but the page went blank without showing any error message. Is there any way we can still run the code? Because I have written the code for the exception, and currently it is not being executed. – PraneethArnepalli May 05 '16 at 17:40
  • Please edit your question to include the relevant code. – SilverlightFox May 05 '16 at 19:54