[Owasp-dotnet] Blog post: ASP.NET MVC – XSS and AutoBind vulns in MVC Example

Steve Sanderson steven at stevensanderson.com
Sun Sep 28 11:42:06 EDT 2008


Hi there

If you update to Preview 5, you'll find that "BindingHelperExtensions" is
gone, and in its place is a method on the Controller base class called
UpdateModel. All the overloads of this method require the programmer to pass
a list of model properties that are updateable. That's what I meant by the
"explicit list".

Unfortunately since ASP.NET MVC isn't yet released (it's still pre-beta)
there's a shortage of good examples on the net. Even the examples you do
find will mostly relate to older and now deprecated CTP releases (such as
the "Updated Northwind demo" that you used) so aren't especially useful if
you're scouting for potential vulnerabilities. If you wait until RTM,
there'll be a whole stack of books and training resources becoming
available.

To answer the questions in your Word doc:

-    Where is the ViewState?  It looks like they dropped it, and in this case
it would prevent this from being exploited

Yes, ViewState is gone, because that's an aspect of WebForms server controls
and is no longer relevant in ASP.NET MVC.

-    What about PageValidation?  Is that also disabled? (That allows XSS
payloads on the way in.)

By PageValidation, do you mean "Request Validation" (i.e., <%@Page
Validate="true" %>)? If so, that's gone too - it was always a bad way of
dealing with XSS, and the ASP.NET MVC team has thankfully demoted it.
Request Validation just confuses developers and leads them to produce
insecure sites - ASP.NET MVC recognizes that the only sensible and robust
way to prevent XSS is to make sure your outputs are HTML-encoded.

Regards
Steve
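As an added illustration of the two points in the reply above (this is not code from the thread, nor ASP.NET MVC's own implementation): a stand-alone C# program with a hypothetical whitelisting binder in the spirit of the Preview 5 `UpdateModel(model, keys)` overload, alongside HTML-encoding of output in place of `<%= ... %>`. The `Account` type, the `SafeBinding` class and the posted form values are all constructed for the example.

```csharp
using System;
using System.Collections.Specialized;
using System.Net;
using System.Reflection;

// Constructed model: IsAdmin must never be settable from a form post.
public class Account
{
    public string DisplayName { get; set; }
    public string Email { get; set; }
    public bool IsAdmin { get; set; }
}

public static class SafeBinding
{
    // Hypothetical binder (assumption, not the framework's code): only the
    // properties named in the caller's explicit list are copied from the form;
    // any extra key an attacker appends to the POST body is simply ignored.
    public static void UpdateModel<T>(T model, NameValueCollection form, string[] keys)
    {
        foreach (string key in keys)
        {
            PropertyInfo prop = typeof(T).GetProperty(key);
            string raw = form[key];
            if (prop == null || raw == null) continue;
            prop.SetValue(model, Convert.ChangeType(raw, prop.PropertyType), null);
        }
    }

    // The view-side advice from the thread: never emit user data raw with
    // <%= x %>; always encode it, as <%= Html.Encode(x) %> does.
    public static string Render(Account a)
    {
        return "<p>" + WebUtility.HtmlEncode(a.DisplayName) + "</p>";
    }

    public static void Main()
    {
        // Constructed POST body: a markup payload in DisplayName and an
        // unexpected IsAdmin field that the form never offered.
        var form = new NameValueCollection
        {
            { "DisplayName", "<script>alert(1)</script>" },
            { "Email", "user@example.com" },
            { "IsAdmin", "true" }
        };
        var account = new Account();
        UpdateModel(account, form, new[] { "DisplayName", "Email" });
        Console.WriteLine("IsAdmin after binding: " + account.IsAdmin); // not in the list, so untouched
        Console.WriteLine(Render(account));                             // markup arrives encoded
    }
}
```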





On Sun, Sep 28, 2008 at 10:43 AM, dinis cruz <dinis.cruz at owasp.org> wrote:

> Hi Steve
>
> Thanks for the answers, do you know where I can find more information about
> this 'explicit list of parameters to update'?
>
> Also what is a good source of ASP.NET MVC examples?
>
> Dinis
>
> 2008/9/28 Steve Sanderson <steven at stevensanderson.co.uk>
>
>> Hi Dinis
>>
>> Thanks for your analysis - it's interesting. However there are a couple of
>> points that mitigate the attack vectors you describe:
>>
>> [1] For the "changing arbitrary model properties" vuln ("AutoBind"), as of
>> Preview 5, the programmer is required to specify an explicit list of
>> parameters to update. So this vulnerability does not exist in the latest
>> preview.
>>
>> [2] For the XSS issue, you're absolutely right that user input can be
>> returned unencoded by default, but the advice is always to escape your
>> outputs. So an MVC programmer would never write <%= some user-supplied data
>> %> - we would always write <%= Html.Encode(some user-supplied data) %>
>> instead. That's the official guidance anyway. For more about this, see
>> http://blog.codeville.net/2007/12/19/aspnet-mvc-prevent-xss-with-automatic-html-encoding/
>>
>> I'm currently writing a book about ASP.NET MVC and have a chapter on
>> security issues, so if you have any other ideas about potential
>> vulnerabilities I'd be pleased to hear about them.
>>
>> Cheers
>> Steve
>>
>>
>>
>> On Sun, Sep 28, 2008 at 6:52 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
>>
>>> Hi guys,
>>>
>>> I just blogged about a couple of issues I discovered on ASP.NET MVC
>>> (release 4 I think),
>>> http://diniscruz.blogspot.com/2008/09/aspnet-mvc-xss-and-autobind-vulns-in.html
>>>
>>> Am I missing something obvious or is this really how this is supposed to
>>> behave?
>>>
>>> Dinis
>>>
>>> _______________________________________________
>>> Owasp-dotnet mailing list
>>> Owasp-dotnet at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-dotnet
>>>
>>>
>>
>