[Owasp-dotnet] Blog post: ASP.NET MVC – XSS and AutoBind vulns in MVC Example

dinis cruz dinis.cruz at owasp.org
Sun Sep 28 18:30:59 EDT 2008 

Thanks,

Questiion, In P5 is it still possible to perform autobinding of form fields
into complete objects?

The example in this post (http://forums.asp.net/t/1312966.aspx) seems to
imply that:*

*

*BindingHelperExtensions.UpdateFrom(mymodel, Request.Form);*

*with*

*UpdateModel(mymodel, Request.Form.AllKeys); *
Also from your comments, it seems that P5 is backward compatibles (since (it
sounds like) the insecure examples still work there).

Do you know if RTM will change this?

Note that if the backward compatible default behavior is allowed, I can see
a lot of people using it (since it is very convenient)

Dinis

2008/9/28 Steve Sanderson <steven at stevensanderson.com>

> Hi there
>
> If you update to Preview 5, you'll find that "BindingHelperExtensions" is
> gone, and in its place is a method on the Controller base class called
> UpdateModel. All the overloads of this method require the programmer to pass
> a list of model properties that are updateable. That's what I meant by the
> "explicit list".
>
> Unfortunately since ASP.NET MVC isn't yet released (it's still pre-beta)
> there's a shortage of good examples on the net. Even the examples you do
> find will mostly relate to older and now deprecated CTP releases (such as
> the "Updated Northwind demo" that you used) so aren't especially useful if
> you're scouting for potential vulnerabilities. If you wait until RTM,
> there'll be a whole stack of books and training resources becoming
> available.
>
> To answer the questions in your Word doc:
>
> -    Where is the ViewState?  It looks like they dropped and in this case
> it would prevent this from being exploited
>
> Yes, ViewState is gone, because that's an aspect of WebForms server
> controls and is no longer relevant in ASP.NET MVC.
>
> -    What about PageValidation?  is that also disabled? (that allows XSS
> payloads on the way in)
>
> By PageValidation, do you mean "Request Validation" (i.e., <%@Page
> Validate="true" %>)? If so, that's gone too - it was always a bad way of
> dealing with XSS, and the ASP.NET MVC team has thankfully demoted it.
> Request Validation just confuses developers and leads them to produce
> insecure sites - ASP.NET MVC recognizes that the only sensible and robust
> way to prevent XSS is to make sure your outputs are HTML-encoded.
>
> Regards
> Steve
>
>
>
>
>
>
> On Sun, Sep 28, 2008 at 10:43 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
>
>> Hi Steve
>>
>> Thanks for the answers, do you know where I can find more information
>> about this 'explicit list of parameters to update'?
>>
>> Also what is a good source of ASP.NET MVC examples?
>>
>> Dinis
>>
>> 2008/9/28 Steve Sanderson <steven at stevensanderson.co.uk>
>>
>> Hi Dinis
>>>
>>> Thanks for your analysis - it's interesting. However there are a couple
>>> of points that mitigate the attack vectors you describe:
>>>
>>> [1] For the "changing arbitrary model properties" vuln ("AutoBind"), as
>>> of Preview 5, the programmer is required to specify an explicit list of
>>> parameters to update. So this vulnerability does not exist in the latest
>>> preview.
>>>
>>> [2] For the XSS issue, you're absolutely right that user input can be
>>> returned unencoded by default, but the advice is always to escape your
>>> outputs. So an MVC programmer would never write <%= some user-supplied data
>>> %> - we would always write <%= Html.Encode(some user-supplied data) %>
>>> instead. That's the official guidance anyway. For more about this, see
>>> http://blog.codeville.net/2007/12/19/aspnet-mvc-prevent-xss-with-automatic-html-encoding/
>>>
>>> I'm currently writing a book about ASP.NET MVC and have a chapter on
>>> security issues, so if you have any other ideas about potential
>>> vulnerabilities I'd be pleased to hear about them.
>>>
>>> Cheers
>>> Steve
>>>
>>>
>>>
>>> On Sun, Sep 28, 2008 at 6:52 AM, dinis cruz <dinis.cruz at owasp.org>wrote:
>>>
>>>> Hi guys,
>>>>
>>>> I just blogged about a couple issues I discovered on ASP.NET MVC
>>>> (release 4 I think),
>>>> http://diniscruz.blogspot.com/2008/09/aspnet-mvc-xss-and-autobind-vulns-in.html
>>>>
>>>> Am I missing something obvious or is is really how this is supposed to
>>>> behave?
>>>>
>>>> Dinis
>>>>
>>>> _______________________________________________
>>>> Owasp-dotnet mailing list
>>>> Owasp-dotnet at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-dotnet
>>>>
>>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-dotnet/attachments/20080928/2b9acb6c/attachment.html

More information about the Owasp-dotnet mailing list