[Owasp-dotnet] Blog post: ASP.NET MVC – XSS and AutoBind vulns in MVC Example

Steve Sanderson steven at stevensanderson.com
Sun Sep 28 04:22:53 EDT 2008


Hi Dinis

Thanks for your analysis - it's interesting. However there are a couple of
points that mitigate the attack vectors you describe:

[1] For the "changing arbitrary model properties" vuln ("AutoBind"), as of
Preview 5, the programmer is required to specify an explicit list of
parameters to update. So this vulnerability does not exist in the latest
preview.

[2] For the XSS issue, you're absolutely right that user input can be
returned unencoded by default, but the advice is always to escape your
outputs. So an MVC programmer would never write <%= some user-supplied data
%> - we would always write <%= Html.Encode(some user-supplied data) %>
instead. That's the official guidance anyway. For more about this, see
http://blog.codeville.net/2007/12/19/aspnet-mvc-prevent-xss-with-automatic-html-encoding/

I'm currently writing a book about ASP.NET MVC and have a
chapter on security issues, so if you have any other ideas about potential
vulnerabilities I'd be pleased to hear about them.

Cheers
Steve


On Sun, Sep 28, 2008 at 6:52 AM, dinis cruz <dinis.cruz at owasp.org> wrote:

> Hi guys,
>
> I just blogged about a couple issues I discovered on ASP.NET MVC (release
> 4 I think),
> http://diniscruz.blogspot.com/2008/09/aspnet-mvc-xss-and-autobind-vulns-in.html
>
> Am I missing something obvious or is it really how this is supposed to
> behave?
>
> Dinis
>
> _______________________________________________
> Owasp-dotnet mailing list
> Owasp-dotnet at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-dotnet
>
>
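As an added illustration of the two mitigations discussed above (this is not code from Steve's post or from the ASP.NET MVC project): a Preview 5 style controller action that names the bindable properties explicitly, so a posted field such as ApprovedBy is never copied onto the model, and a view fragment that passes every user-supplied value through Html.Encode. Product, ProductsController and the repository are hypothetical; UpdateModel(model, includeProperties), [AcceptVerbs("POST")] and ViewData.Model are assumed to be the Preview 5 era APIs.

```csharp
using System.Web.Mvc;

// Hypothetical domain object. ApprovedBy is set by a moderator, never by a form post.
public class Product
{
    public int Id { get; set; }
    public string Name { get; set; }
    public string Description { get; set; }
    public decimal Price { get; set; }
    public string ApprovedBy { get; set; }
}

public class ProductsController : Controller
{
    // Hypothetical persistence layer, stands in for whatever the application uses.
    private readonly IProductRepository repository;

    public ProductsController(IProductRepository repository)
    {
        this.repository = repository;
    }

    // Explicit whitelist: only these form keys are copied onto the model.
    // A request that also posts "ApprovedBy=attacker" has that value ignored,
    // which is the fix for the AutoBind issue described in the thread.
    private static readonly string[] EditableFields = { "Name", "Description", "Price" };

    [AcceptVerbs("POST")] // assumed Preview 5 attribute; restricts the action to POST
    public ActionResult Edit(int id)
    {
        Product product = repository.Get(id);

        // Before Preview 5 a call with no property list would bind every
        // matching form key, including ApprovedBy. The list makes it explicit.
        UpdateModel(product, EditableFields);

        repository.Save(product);
        return RedirectToAction("Details", new { id = id });
    }
}

/* Details.aspx (view fragment, shown here as a comment):
   every user-controlled value is rendered through Html.Encode, never raw.

   <h2><%= Html.Encode(ViewData.Model.Name) %></h2>
   <p><%= Html.Encode(ViewData.Model.Description) %></p>
   <p>Price: <%= Html.Encode(ViewData.Model.Price.ToString("C")) %></p>

   Writing <%= ViewData.Model.Name %> instead would emit a "<script>" in the
   product name verbatim, which is the XSS behaviour Dinis reported.
*/
```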