[Owasp-dotnet] Blog post: ASP.NET MVC – XSS and AutoBind vulns in MVC Example

dinis cruz dinis.cruz at owasp.org
Sun Sep 28 05:43:56 EDT 2008


Hi Steve

Thanks for the answers, do you know where I can find more information about
this 'explicit list of parameters to update'?

Also what is a good source of ASP.NET MVC examples?

Dinis

2008/9/28 Steve Sanderson <steven at stevensanderson.co.uk>

> Hi Dinis
>
> Thanks for your analysis - it's interesting. However there are a couple of
> points that mitigate the attack vectors you describe:
>
> [1] For the "changing arbitrary model properties" vuln ("AutoBind"), as of
> Preview 5, the programmer is required to specify an explicit list of
> parameters to update. So this vulnerability does not exist in the latest
> preview.
>
> [2] For the XSS issue, you're absolutely right that user input can be
> returned unencoded by default, but the advice is always to escape your
> outputs. So an MVC programmer would never write <%= some user-supplied data
> %> - we would always write <%= Html.Encode(some user-supplied data) %>
> instead. That's the official guidance anyway. For more about this, see
> http://blog.codeville.net/2007/12/19/aspnet-mvc-prevent-xss-with-automatic-html-encoding/
>
> I'm currently writing a book about ASP.NET MVC and have a chapter on
> security issues, so if you have any other ideas about potential
> vulnerabilities I'd be pleased to hear about them.
>
> Cheers
> Steve
>
>
>
> On Sun, Sep 28, 2008 at 6:52 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
>
>> Hi guys,
>>
>> I just blogged about a couple of issues I discovered on ASP.NET MVC (release
>> 4 I think),
>> http://diniscruz.blogspot.com/2008/09/aspnet-mvc-xss-and-autobind-vulns-in.html
>>
>> Am I missing something obvious or is this really how this is supposed to
>> behave?
>>
>> Dinis
>>
>
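As an added illustration of Steve's two points (example code written for this page, not code from the thread, his book or the ASP.NET MVC project): one controller action written the over-posting way and the explicit-list way, with the matching view line for each side of the XSS case. The `User` model, its property names, the `IUserRepository` type and the use of the `UpdateModel(model, string[])` overload as the "explicit list of parameters to update" are assumptions, not something the thread states.

```csharp
// Added example, not from the thread. Model, property names and the
// IUserRepository type are assumptions made for illustration only.
using System.Web.Mvc;

public class User
{
    public string Name { get; set; }
    public string Email { get; set; }
    public bool IsAdmin { get; set; }   // must never be settable from a form post
}

public interface IUserRepository { User Get(int id); void Save(User u); }

public class AccountController : Controller
{
    private readonly IUserRepository _repo;

    public AccountController(IUserRepository repo) { _repo = repo; }

    // Vulnerable ("AutoBind" / over-posting, point [1]): an unrestricted
    // UpdateModel copies every posted field whose name matches a property,
    // so a form that also carries an IsAdmin field flips the flag.
    [AcceptVerbs("POST")]
    public ActionResult EditUnsafe(int id)
    {
        User user = _repo.Get(id);
        UpdateModel(user);               // binds Name, Email and IsAdmin
        _repo.Save(user);
        return RedirectToAction("Details", new { id });
    }

    // Hardened: the explicit list of updatable properties Steve describes.
    // Anything else in the post (IsAdmin included) is ignored by the binder.
    [AcceptVerbs("POST")]
    public ActionResult Edit(int id)
    {
        User user = _repo.Get(id);
        UpdateModel(user, new[] { "Name", "Email" });
        _repo.Save(user);
        return RedirectToAction("Details", new { id });
    }
}

// Matching view lines for point [2] (Details.aspx, shown here as comments):
//   vulnerable:  <%= Model.Name %>               -- user input rendered as raw HTML
//   hardened:    <%= Html.Encode(Model.Name) %>  -- "<b>" is emitted as "&lt;b&gt;"
```

Reviewing for the first pattern is mechanical: every `UpdateModel` or `TryUpdateModel` call without a property list, and every `<%= %>` that does not pass through `Html.Encode`, is a candidate finding.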