ASP.Net XSS – How does this vulnerability work?

I have been tasked with fixing an XSS issue in an ASP.Net application, but I have never seen this kind of attack before, so first it would be great if I could understand how it works, and then I need some help because I haven't been able to fix it.

The attack goes like so:

https://example.com/AnyPageInTheApplication.aspx/(A('onerror='alert%601%60'testabcd))/ 

When I look at the network tab in Chrome’s dev tools I see that the request has been hijacked by the last section of the URL and the alert shows up, but I do not know how this is working. An explanation would be greatly appreciated.

To fix it, I first looked at the application's web.config file and saw that the validateRequest switch is disabled, so I changed it to true, but the vulnerability is still there.

The application is really large and, according to some documentation on it, they apparently disabled the validateRequest switch because it is supposed to be handled on the server by some backend code (obviously not working), and I have yet to find out the reasons for this application being designed this way (I'm very new to the company).

This issue raises a few questions:

  • Why does enabling the validateRequest switch not fix the issue?
  • Where else could I look for the potential problem?
  • Is there an alternative to fix this vulnerability other than validateRequest?
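An added example, not code from the question or from any answer to it, to make the mechanism concrete. ASP.NET reserves path segments of the form /(S(...))/, /(A(...))/ and /(F(...))/ for its cookieless session, anonymous-identification and forms-authentication tickets and removes such a segment from the path before the page is resolved, which is why the request still reaches AnyPageInTheApplication.aspx instead of producing a 404. In the payload, %60 decodes to a backtick, so alert`1` calls alert as a tagged template without any parentheses. If the application then writes the raw request path into an HTML attribute without attribute-encoding it, the single quotes inside the ticket close that attribute and the rest is parsed as a new attribute. The snippet contrasts that concatenation with an encoded version and adds a check for ticket-shaped segments; the single-quoted form action is an assumption chosen to match the payload's quoting, since the question does not show where the application reflects the URL.

```csharp
// Added example (not code from the question): models the reflection behind the payload.
using System;
using System.Net;
using System.Text.RegularExpressions;

public static class CookielessTicketXssDemo
{
    // Constructed input: the question's path after URL-decoding (%60 is a backtick).
    public const string AttackPath =
        "/AnyPageInTheApplication.aspx/(A('onerror='alert`1`'testabcd))/";

    // The segment shapes ASP.NET reserves for cookieless tickets:
    // (S(...)) session, (A(...)) anonymous identification, (F(...)) forms authentication.
    private static readonly Regex TicketSegment =
        new Regex(@"/\([SAF]\([^/]*\)\)/", RegexOptions.IgnoreCase | RegexOptions.Compiled);

    // Vulnerable pattern: the raw path is concatenated into an attribute value.
    // The single-quoted attribute is an assumption chosen to match the payload; the
    // question does not show where the application actually reflects the URL.
    public static string RenderFormVulnerable(string rawPath) =>
        "<form method='post' action='" + rawPath + "'>";

    // Hardened pattern: WebUtility.HtmlEncode emits &#39; for ' and &quot; for ",
    // so nothing in the path can terminate the attribute, whatever validateRequest does.
    public static string RenderFormHardened(string rawPath) =>
        "<form method='post' action='" + WebUtility.HtmlEncode(rawPath) + "'>";

    // An application that never runs in cookieless mode has no legitimate reason to
    // receive a ticket segment; a handler or HttpModule can reject such requests early.
    public static bool ContainsTicketSegment(string rawPath) => TicketSegment.IsMatch(rawPath);

    public static void Main()
    {
        Console.WriteLine(RenderFormVulnerable(AttackPath));
        Console.WriteLine(RenderFormHardened(AttackPath));
        Console.WriteLine(ContainsTicketSegment(AttackPath));
    }
}
```

In the vulnerable output the browser ends the action attribute at the first single quote in the ticket and parses onerror='alert`1`' as a separate attribute on whatever element the path was reflected into; in the hardened output every quote has become &#39;, so the whole path stays inside the attribute. Request validation only inspects input, so the fix that holds regardless of the validateRequest setting is to encode the URL at every point where the application echoes it.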

Why does ASP.Net Identity send sensitive information to clients?

As far as I understand, Identity sends the user an encrypted token with some user information such as the user name and expiration date. Then, when a new request arrives at the server, it decrypts it and has all the user claims and some other information available.

My question is: in case there is no need to send the authentication information to other servers (for example, if you are authenticating against another web site), would it be safer not to send so much information to the user? Perhaps we could just send a large code to the user and then match it against an in-memory collection or database.

I know that if someone is able to intercept that code she will also be able to make valid requests, but when the “ticket” expires it will no longer be valid for anyone until the login process is done again. However, if that code is compromised there won't be any other information in it than that.

I hope I am being clear with my question; if not, please let me know so I can improve it.
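The "large code" design from the question, written out as an added example (it is not ASP.NET Identity's code, and Identity's cookie ticket stays as it is). The client receives only a random 256-bit reference token; the user name and expiry live server-side, keyed by a hash of the token so that a copy of the store does not yield usable tokens, and a token can be revoked at once on logout. It assumes a single server or a shared store; with several servers the dictionary would have to become a database or cache that all of them reach, which is the operational cost that self-contained encrypted tickets avoid.

```csharp
// Added example (not ASP.NET Identity code): opaque reference tokens with a
// server-side store, as proposed in the question.
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

public sealed class ReferenceTokenStore
{
    private sealed class Entry
    {
        public string UserName { get; set; }
        public DateTimeOffset ExpiresAt { get; set; }
    }

    // Keyed by SHA-256(token): a dump of this store (or of the database table that
    // would replace it in production) does not hand out usable tokens.
    private readonly ConcurrentDictionary<string, Entry> _live =
        new ConcurrentDictionary<string, Entry>(StringComparer.Ordinal);

    private readonly Func<DateTimeOffset> _clock;

    // The clock is injectable so expiry can be exercised without waiting.
    public ReferenceTokenStore(Func<DateTimeOffset> clock = null)
    {
        _clock = clock ?? (() => DateTimeOffset.UtcNow);
    }

    // Issue a 256-bit token from the CSPRNG, URL-safe base64 so it fits in a cookie or header.
    public string Issue(string userName, TimeSpan lifetime)
    {
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(raw);
        }
        string token = Convert.ToBase64String(raw).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        _live[Fingerprint(token)] = new Entry { UserName = userName, ExpiresAt = _clock().Add(lifetime) };
        return token;
    }

    // Resolve a presented token. The lookup goes through a one-way hash of a 256-bit
    // random value, so dictionary timing reveals nothing useful about valid tokens.
    // Expired entries are dropped on sight rather than left to accumulate.
    public bool TryResolve(string token, out string userName)
    {
        userName = null;
        if (string.IsNullOrEmpty(token)) return false;

        string key = Fingerprint(token);
        if (!_live.TryGetValue(key, out var entry)) return false;
        if (entry.ExpiresAt <= _clock())
        {
            _live.TryRemove(key, out _);
            return false;
        }
        userName = entry.UserName;
        return true;
    }

    // Immediate server-side revocation (logout, password change), which a
    // self-contained encrypted ticket cannot offer before it expires on its own.
    public bool Revoke(string token) => _live.TryRemove(Fingerprint(token), out _);

    private static string Fingerprint(string token)
    {
        using (var sha = SHA256.Create())
        {
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
        }
    }
}

public static class Program
{
    public static void Main()
    {
        var store = new ReferenceTokenStore();
        string token = store.Issue("alice", TimeSpan.FromMinutes(20));   // "alice" is constructed sample data
        Console.WriteLine(store.TryResolve(token, out var who) ? who : "(not valid)");
        store.Revoke(token);                                             // logout: dead immediately
        Console.WriteLine(store.TryResolve(token, out _));
    }
}
```

Issue is called once credentials have been verified; TryResolve runs in an authentication handler on every request, with the token carried in an HttpOnly, Secure cookie or an Authorization header. Note what the design does not change: the token is still a bearer credential, so whoever intercepts it can act as the user until it expires or is revoked, exactly as the question says.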

Does Asp.Net Core expose too much information for required enums that were not supplied?

I have simple code for an input model:

    using System.ComponentModel.DataAnnotations;

    public class MyClass
    {
        [Required]
        public MyEnum? Type { get; set; }
    }

Now, if I do not send Type as part of the JSON in the request, I get this error from Web.Api:

“The JSON value could not be converted to System.Nullable`1[MyNamespace.MyClass]. Path: $.type | LineNumber: 2 | BytePositionInLine: 16.”

This really looks like information exposure to me, though I cannot see any real danger in exactly this information, but still, it's more than nothing.

Is it of any real concern or is it just fine?
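As an added example (not the question's code), the place in ASP.NET Core to control what a failed model binding returns is ApiBehaviorOptions.InvalidModelStateResponseFactory. The version below keeps the names of the failing fields, which the client needs, and drops the per-error text that carries CLR type names and byte offsets; the original entries remain in context.ModelState for server-side logging. It assumes the .NET 6 minimal hosting model with top-level statements.

```csharp
// Added example (not from the question): replace ASP.NET Core's default 400 body,
// whose messages quote System.Text.Json's deserializer text, with a generic one.
using System;
using System.Linq;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddControllers()
    .ConfigureApiBehaviorOptions(options =>
    {
        options.InvalidModelStateResponseFactory = context =>
        {
            // Binding errors are keyed "$.type"; [Required] errors are keyed "Type".
            // Normalise both to the field name and give every field the same wording.
            var failedFields = context.ModelState
                .Where(kv => kv.Value != null && kv.Value.Errors.Count > 0)
                .Select(kv => kv.Key.TrimStart('$', '.'))
                .Distinct(StringComparer.OrdinalIgnoreCase)
                .ToDictionary(
                    field => field,
                    field => new[] { "The field is missing or has an invalid value." },
                    StringComparer.OrdinalIgnoreCase);

            return new BadRequestObjectResult(new
            {
                title = "One or more validation errors occurred.",
                status = 400,
                errors = failedFields
            });
        };
    });

var app = builder.Build();
app.MapControllers();
app.Run();
```

With this in place a request that omits type, or sends a value that is not a member of MyEnum, gets a 400 whose body names type and nothing else; the deserializer's own message is still available inside the factory if it should go to a log.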

How to resolve the Format String Error alert in OWASP ZAP for a web application (ASP.NET C#)?

I have a web application with a login page. In the login page, I've set maxlength for the username input and the password input, which looks like the code below.

@Html.TextBoxFor(m => m.Username, new { @maxlength="30"}) 

When I run OWASP ZAP, it gives me an alert with the following description.

A Format String error occurs when the submitted data of an input string is evaluated as a command by the application

Potential Format String Error. The script closed the connection on a /%s

But when I remove @maxlength="30", the alert goes away.

I've been trying to find the remediation for this alert, but I've read that the Format String vulnerability doesn't really exist in C#: Do format string vulnerabilities exist in C# or Java?

Is it just a “potential” error and nothing to worry about because it's in C#? Or, if this is something that needs to be taken care of, what can be done to resolve this alert from OWASP ZAP? (I believe removing @maxlength is not a solution.)

Hardening ASP.NET against session fixation: Should I change the session ID despite the additional Auth cookie?


Situation

I am the developer responsible for an ASP.NET application that uses the “Membership” (username and password) authentication scheme. I am presented with the following report from a WebInspect scan:

WebInspect has found a session fixation vulnerability on the site. Session fixation allows an attacker to impersonate a user by abusing an authenticated session ID (SID).

Reproduction

I tried to reproduce the typical attack, using the guide on OWASP:

  1. I retrieve the login page. When inspecting the cookies with Google Chrome’s Developer Tools (F12), I get:

    • ASP.NET_SessionId w4bce3a0e5j4fmxj3b0lqkw2
  2. After authentication on the login page, I get an additional

    • .ASPXAUTH F0B9C00FC624E3F2C0CD2EC9E5EF7D10D91A6D62A26BAEE67A38D0608198750A2428E1F5D7278DCE6312C32EE2788D6C79E8112EA35B2397DB84FBB2BE1DBDA815A304B12505D2B786B00038B1EB0BE854DBDAF13072AFEDB3A21E36A7BCD7CD0032A0BCE8E90ECEAFA5FF487D6D2E2C

    • while the session cookie stays the same (as preconditioned for a session fixation attack)

  3. Attack: However, if I steal/make up and fix only the ASP.NET_SessionId and inject it into another browser, the request is not authenticated. It is authenticated only after also stealing the .ASPXAUTH cookie, which is only available AFTER login.

Conclusion

I come to the following conclusion:

While the typical precondition for a session fixation attack is met (non-changing session id), an attack will fail because of the missing, required additional .ASPXAUTH cookie, provided only AFTER successful authentication.

Question

So, should I really change the session cookie after login? Will this only satisfy the WebInspect scan or is there a real value here?

Note: I am very likely in the exact scenario described in Session Fixation: A token and an id, but I am not asking whether it is vulnerable, but what I should do with regard to the report.
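Regenerating the session ID at login is what the scanner is looking for, and it is cheap. As an added example (not the question's code; written for System.Web, i.e. Web Forms or MVC 5 with Forms Authentication and server-side session state), the snippet below discards the session the browser arrived with, issues a fresh ASP.NET_SessionId on the same response, and only then sets the .ASPXAUTH cookie. A second method, meant to be called from Application_PostAcquireRequestState in Global.asax, binds each session to the first authenticated identity seen in it, so a session whose ID was chosen before login can never carry another user's authenticated state even if some page later trusts Session contents without checking the auth cookie. The hook location and the "__owner" key name are assumptions.

```csharp
// Added example (not the question's code): System.Web session-ID regeneration at
// login plus a per-request owner check. Assumes Forms Authentication and in-proc
// or server-side session state.
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

public static class SessionFixationHardening
{
    private const string OwnerKey = "__owner";   // assumed name for the binding slot

    // Call right after the credentials have been verified, before any redirect.
    public static string RegenerateSessionAndSignIn(HttpContext ctx, string userName)
    {
        // 1. Discard whatever session the browser brought: an attacker may have chosen it.
        ctx.Session.Clear();
        ctx.Session.Abandon();

        // 2. Mint a new ID and write the ASP.NET_SessionId cookie on this response.
        //    The new session starts empty on the next request, so nothing is stored
        //    in Session here; only the cookie is replaced.
        var manager = new SessionIDManager();
        manager.Initialize();
        string newId = manager.CreateSessionID(ctx);
        manager.SaveSessionID(ctx, newId, out _, out _);

        // 3. Only now issue the authentication ticket.
        FormsAuthentication.SetAuthCookie(userName, createPersistentCookie: false);
        return newId;
    }

    // Wire from Global.asax: Application_PostAcquireRequestState (Session is populated by then).
    // The first authenticated request claims the session; any later request whose identity
    // differs from the claimant loses both the session and the auth ticket.
    public static void EnforceSessionOwner(HttpContext ctx)
    {
        if (ctx.Session == null || !ctx.Request.IsAuthenticated) return;

        string currentUser = ctx.User.Identity.Name;
        var owner = ctx.Session[OwnerKey] as string;
        if (owner == null)
        {
            ctx.Session[OwnerKey] = currentUser;
            return;
        }

        if (!string.Equals(owner, currentUser, StringComparison.Ordinal))
        {
            ctx.Session.Abandon();
            FormsAuthentication.SignOut();
            ctx.Response.Redirect(FormsAuthentication.LoginUrl, endResponse: true);
        }
    }
}
```

Call RegenerateSessionAndSignIn from the login handler in place of the existing SetAuthCookie call, then redirect as before; the browser leaves the login response holding a session ID that did not exist before authentication, which is exactly the precondition the report says is missing. The owner check costs one session read per request and turns a reused pre-login SID into a forced re-login instead of silently sharing state.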

Footer placed only at the bottom of the page, with no height or width gaps, in asp.net

I am building an app in ASP.NET, and placing the footer at the bottom is getting complicated, as is making it 100% of the page width, which is not being applied: it stays centered. By the way, I am using the Bootstrap style library. This is the HTML/ASPX code of the master page's footer:

    <footer class="page-footer font-small bg-dark" style="padding: 0; margin: 0; width: 100%; bottom: 0;">
        <!-- Footer Links -->
        <div class="container-fluid text-center text-md-left">
            <!-- Grid row -->
            <div class="row">
                <!-- Grid column -->
                <div class="col-md-6 mt-md-0 mt-3">
                    <!-- Content -->
                    <h3 style="color: white;">About Us</h3>
                    <p class="lead" style="color: white;">Text</p>
                    <p style="color: white;">This is our location</p>
                    <iframe src="https://www.google.com/maps/embed?pb=!1m18!1m12!1m3!1d3965.716385745309!2d-75.57092518517804!3d6.300947927458416!2m3!1f0!2f0!3f0!3m2!1i1024!2i768!4f13.1!3m3!1m2!1s0x8e442f25d6670d4d%3A0x8043999e5e767b96!2sSENA%20-%20Centro%20de%20Tecnolog%C3%ADa%20de%20la%20Manufactura%20Avanzada!5e0!3m2!1ses!2sco!4v1570754942399!5m2!1ses!2sco" width="400" height="100" style="border: 0;"></iframe>
                </div>
                <!-- Grid column -->
                <hr class="clearfix w-100 d-md-none pb-3">
                <!-- Grid column -->
                <div class="col-md-3 mb-md-0 mb-3">
                    <!-- Links -->
                    <p class="lead" style="color: white;">Need help?</p>
                    <ul class="list-unstyled">
                        <li>
                            <a style="color: white;">Contact us</a>
                        </li>
                    </ul>
                </div>
                <!-- Grid column -->
            </div>
            <!-- Grid row -->
        </div>
        <!-- Copyright -->
        <div class="footer-copyright text-center py-1 blue" style="color: white;">© 2019 All Rights Reserved Jose Quintero</div>
    </footer>

Limit editing of rows in a GridView in asp.net

I have the following GridView

    <asp:GridView ID="GridView1" runat="server" AutoGenerateColumns="False"
        DataKeyNames="idActividad" DataSourceID="SqlDataSource66"
        EnableModelValidation="True" AllowPaging="True" AllowSorting="True">
        <Columns>
            <asp:CommandField ShowDeleteButton="True" ShowEditButton="True" />
            <asp:BoundField DataField="idActividad" HeaderText="Activity id"
                InsertVisible="False" ReadOnly="True" SortExpression="idActividad" />
            <asp:BoundField DataField="descripcion" HeaderText="Description" SortExpression="descripcion" ReadOnly="True" />
            <asp:BoundField DataField="cantidad" HeaderText="Quantity"
                SortExpression="cantidad" />
            <asp:BoundField DataField="fecTerminacion" HeaderText="Completion Date, Format (Month-Day-Year)"
                SortExpression="fecTerminacion" DataFormatString="{0:M-dd-yyyy}" ApplyFormatInEditMode="true"
                HtmlEncode="False" HtmlEncodeFormatString="False" />
            <asp:BoundField DataField="nomPrestador" HeaderText="Provider"
                SortExpression="nomPrestador" ReadOnly="True" />
            <asp:CheckBoxField DataField="blnCumplio" HeaderText="Met Plan"
                SortExpression="blnCumplio" />
        </Columns>
    </asp:GridView>

I have the option to update the fields enabled, and I would like to know how to add validation when updating the date field, because it allows entering anything and then the update cannot be performed.
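As an added example (not the question's code), the date can be validated on the server in the GridView's RowUpdating event, so a value that does not parse cancels the update before SqlDataSource66 ever runs, and a value that does parse is handed on as a typed DateTime rather than as the user's string. The format string matches the DataFormatString already on the column, so what the grid displays is what it accepts. Wire it with OnRowUpdating="GridView1_RowUpdating" on the GridView; lblError is an assumed Label on the page.

```csharp
// Added example (not the question's code): server-side validation of the edited date.
// Assumes OnRowUpdating="GridView1_RowUpdating" in the markup and a Label named lblError.
using System;
using System.Globalization;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Activities : Page
{
    // Same pattern as DataFormatString="{0:M-dd-yyyy}" on the column, e.g. 3-05-2019.
    private const string DateFormat = "M-dd-yyyy";

    protected void GridView1_RowUpdating(object sender, GridViewUpdateEventArgs e)
    {
        // NewValues is keyed by the BoundField's DataField name.
        var raw = e.NewValues["fecTerminacion"] as string;

        if (!DateTime.TryParseExact(raw?.Trim(), DateFormat, CultureInfo.InvariantCulture,
                                    DateTimeStyles.None, out DateTime date))
        {
            e.Cancel = true;   // the data source never sees the bad value
            lblError.Text = "Completion date must be in Month-Day-Year format, for example 3-05-2019.";
            return;
        }

        // Replace the user's text with a typed value before it reaches the data source.
        e.NewValues["fecTerminacion"] = date;
        lblError.Text = string.Empty;
    }
}
```

Client-side validators can be added on top for a better user experience, but this handler is the check that actually guards the update, since it runs whatever the browser sends.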

How do I solve the problem when opening a Bootstrap Modal in asp.net?

I am developing an application in ASP.NET and I have created a Modal that opens with a button. The problem is that every time I press the button to open the Modal, it opens and at the same time the page freezes, forcing me to press F5 to refresh the page. I would be grateful to anyone who helps me solve it.

This is my HTML code for the Modal:

    <!-- Button trigger modal -->
    <button type="button" class="btn btn-primary" data-toggle="modal" data-target="#exampleModal">
        Launch demo modal
    </button>
    <!-- Modal -->
    <div class="modal fade" id="exampleModal" tabindex="-1" role="dialog" aria-labelledby="exampleModalLabel" aria-hidden="true">
        <div class="modal-dialog" role="document">
            <div class="modal-content">
                <div class="modal-header">
                    <h5 class="modal-title" id="exampleModalLabel">Login error</h5>
                    <button type="button" class="close" data-dismiss="modal" aria-label="Close">
                        <span aria-hidden="true">&times;</span>
                    </button>
                </div>
                <div class="modal-body">
                    Incorrect username or password
                </div>
                <div class="modal-footer">
                    <button type="button" class="btn btn-secondary" data-dismiss="modal">Close</button>
                    <button type="button" class="btn btn-primary">Save changes</button>
                </div>
            </div>
        </div>
    </div>