[CLOSED] Question about request validation

  1. #1

    [CLOSED] Question about request validation

    Hello,

    I have a question about request validation:

    In my login form I have a login button with the following code:

    <ext:Button ID="Button1" runat="server" Text="Login" Icon="Accept" Type="Submit">
        <DirectEvents>
            <Click 
                OnEvent="CheckLogin_Click" 
                Before="var valid=#{txtUsername}.isValid(); if(valid){valid=#{txtPassword}.isValid();} if (!valid) {#{Label1}.setIconClass('ierror'); #{Label1}.setText('User name or password are missing!');} return valid;"
                Failure="#{Label1}.setIconClass('ierror'); #{Label1}.setText(result.errorMessage); return false;">
                <EventMask ShowMask="true" Msg="Checking..." MinDelay="250" />
            </Click>
        </DirectEvents>
    </ext:Button>
    Inside the "CheckLogin_Click" event in the code-behind I use the following code for reading the input fields:

    string uid = HttpUtility.HtmlEncode(txtUsername.Text.Trim());
    string pwd = HttpUtility.HtmlEncode(txtPassword.Text.Trim());

    When I write some XSS code like "<script" in the input fields I get the following message on the page:

    "
    A potentially dangerous Request.Form value was detected from the client
    Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the <pages> configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.
    "

    My question is:
    1) Is there another way to do XSS validation on the client side, or is the only solution to disable request validation on the login page and
    write custom validation in the server-side code?

    Please, provide some example if you have.

    Best regards,
    Sasa
    Last edited by Daniil; Sep 16, 2010 at 11:13 AM. Reason: [CLOSED]
  2. #2
    Hello!

    I would suggest you use the Validator property and the power of regular expressions.

    Example
    <%@ Page Language="C#" %>
    
    <%@ Register Assembly="Ext.Net" Namespace="Ext.Net" TagPrefix="ext" %>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head runat="server">
        <title>Ext.Net Example</title>
    
        <script type="text/javascript">
            var myValidator = function(value) {
                var re = /(?:<script([^>]*)?>)((\n|\r|.)*?)(?:<\/script>)/ig,
                    match, attrs, script;
                while ((match = re.exec(value))) {
                    attrs = match[1];   // src attribute, for example
                    script = match[2];  // inline script body
                }
                if (!Ext.isEmpty(attrs) || !Ext.isEmpty(script)) {
                    return false;
                }
            }
        </script>
    
    </head>
    <body>
        <form runat="server">
        <ext:ResourceManager runat="server" />
        <ext:TextField ID="TextField1" runat="server" Validator="myValidator" />
        <ext:Button runat="server" Text="Is it valid?">
            <Listeners>
                <Click Handler="alert(#{TextField1}.isValid())" />
            </Listeners>
        </ext:Button>
        </form>
    </body>
    </html>
    Last edited by Daniil; Sep 14, 2010 at 3:45 PM.
  3. #3
    Quote Originally Posted by Daniil View Post
    Hello!

    I would suggest you use the Validator property and the power of regular expressions.

    Example
    <%@ Page Language="C#" %>
     
    <%@ Register Assembly="Ext.Net" Namespace="Ext.Net" TagPrefix="ext" %>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head runat="server">
        <title>Ext.Net Example</title>
     
        <script type="text/javascript">
            var myValidator = function(value) {
                var re = /(?:<script([^>]*)?>)((\n|\r|.)*?)(?:<\/script>)/ig,
                    match, attrs, script;
                while ((match = re.exec(value))) {
                    attrs = match[1];   // src attribute, for example
                    script = match[2];  // inline script body
                }
                if (!Ext.isEmpty(attrs) || !Ext.isEmpty(script)) {
                    return false;
                }
            }
        </script>
     
    </head>
    <body>
        <form runat="server">
        <ext:ResourceManager runat="server" />
        <ext:TextField ID="TextField1" runat="server" Validator="myValidator" />
        <ext:Button runat="server" Text="Is it valid?">
            <Listeners>
                <Click Handler="alert(#{TextField1}.isValid())" />
            </Listeners>
        </ext:Button>
        </form>
    </body>
    </html>
    Hello Daniil,

    thank you for your suggestion, but this does not work in my case.
    I put this script inside the head tag of the page and set the Validator attribute on all TextField controls to your function.
    After that the Blank validation does not work and I still get the above validation error.

    Below is the code I use for the login form:

    <ext:Window 
        ID="Window1" 
        runat="server" 
        Closable="false"
        Resizable="false"
        Height="150" 
        Icon="Lock" 
        Title="Login..."
        Draggable="false"
        Width="380"
        Modal="false"
        BodyStyle="padding:5px;" 
        Layout="Form">
        <Defaults>
            <ext:Parameter Name="Anchor" Value="100%" />
            <ext:Parameter Name="AllowBlank" Value="false" Mode="Raw" />
        </Defaults>
        <Content>
            <ext:TextField 
                ID="txtUsername" 
                runat="server" 
                FieldLabel="Korisnik"
                BlankText="Username is missing!"
                Text="" />
            <ext:TextField 
                ID="txtPassword" 
                runat="server" 
                InputType="Password" 
                FieldLabel="Password" 
                BlankText="Password is missing!"
                Text="" />
            <ext:Label ID="Label1" runat="server" HideLabel="true" Text="" StyleSpec="color: #E80000" />
        </Content>
        <Buttons>
            <ext:Button ID="Button1" runat="server" Text="Prijava" Icon="Accept" Type="Submit">
                <DirectEvents>
                    <Click 
                        OnEvent="CheckLogin_Click" 
                        Before="var valid=#{txtUsername}.isValid(); if(valid){valid=#{txtPassword}.isValid();} if (!valid) {#{Label1}.setIconClass('ierror'); #{Label1}.setText('Username or password is missing!');} return valid;"
                        Failure="#{Label1}.setIconClass('ierror'); #{Label1}.setText(result.errorMessage); return false;">
                        <EventMask ShowMask="true" Msg="Checking..." MinDelay="250" />
                    </Click>
                </DirectEvents>
            </ext:Button>
        </Buttons>
    </ext:Window>

    What am I doing wrong?
  4. #4
    Hello again!

    To get the allowBlank working, please replace the previous myValidator function with

    Example

    var myValidator = function(value) {
        var re = /(?:<script([^>]*)?>)((\n|\r|.)*?)(?:<\/script>)/ig,
            match, attrs, script;
        while ((match = re.exec(value))) {
            attrs = match[1];   // src attribute, for example
            script = match[2];  // inline script body
        }
        if (!Ext.isEmpty(attrs) || !Ext.isEmpty(script)) {
            return "XSS!";
        }
        return true;
    }
    "I still get the above validation error"
    Please clarify exactly what data you want to avoid.
    The myValidator function prevents the following things:

    Example
    <script src="someSrc.js"></script>
    or
    <script>some script</script>
  5. #5
    Quote Originally Posted by Daniil View Post
    Hello again!

    To get the allowBlank working, please replace the previous myValidator function with

    Example
    var myValidator = function(value) {
        var re = /(?:<script([^>]*)?>)((\n|\r|.)*?)(?:<\/script>)/ig,
            match, attrs, script;
        while ((match = re.exec(value))) {
            attrs = match[1];   // src attribute, for example
            script = match[2];  // inline script body
        }
        if (!Ext.isEmpty(attrs) || !Ext.isEmpty(script)) {
            return "XSS!";
        }
        return true;
    }
    Please clarify exactly what data you want to avoid.
    The myValidator function prevents the following things:

    Example
    <script src="someSrc.js"></script>
    or
    <script>some script</script>
    Now your function works perfectly, including both examples and with the AllowBlank tag, but when I write this code:

    <script

    in both input fields I get the above validator error.
  6. #6
    Hello!

    Hmm... I tried to type "<script" in one of the TextFields and there was no validation error. Please look at the attached screenshot.

    Also please note that you could replace this code
    var valid=#{txtUsername}.isValid(); if(valid){valid=#{txtPassword}.isValid();}
    with this

    var valid = (#{txtUsername}.isValid() && #{txtPassword}.isValid());
    Just a note.
  7. #7
    Quote Originally Posted by Daniil View Post
    Hello!

    Hmm... I tried to type "<script" in one of the TextFields and there was no validation error. Please look at the attached screenshot.

    Also please note that you could replace this code
    var valid=#{txtUsername}.isValid(); if(valid){valid=#{txtPassword}.isValid();}
    with this

    var valid = (#{txtUsername}.isValid() && #{txtPassword}.isValid());
    Just a note.
    Very strange. I attached my screenshot.

    The same thing happens if I write
    <script>
    in the input field.
    I have the latest update from SVN.
    Can you post your code for this window with your changes?
    Attached: validation_trouble.jpg
  8. #8
    Sure!

    I just minimized the code removing unnecessary things but still keeping the result.

    Example
    <%@ Page Language="C#" %>
    
    <%@ Register Assembly="Ext.Net" Namespace="Ext.Net" TagPrefix="ext" %>
    
    <script runat="server">
        protected void CheckLogin_Click(object sender, DirectEventArgs e)
        {
    
        }
    </script>
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head runat="server">
        <title>Ext.Net Example</title>
    
        <script type="text/javascript">
            var myValidator = function(value) {
                var re = /(?:<script([^>]*)?>)((\n|\r|.)*?)(?:<\/script>)/ig,
                    match, attrs, script;
                while ((match = re.exec(value))) {
                    attrs = match[1];   // src attribute, for example
                    script = match[2];  // inline script body
                }
                if (!Ext.isEmpty(attrs) || !Ext.isEmpty(script)) {
                    return "XSS!";
                }
                return true;
            }
        </script>
    
    </head>
    <body>
        <form runat="server">
        <ext:ResourceManager runat="server" />
        <ext:Window 
            runat="server" 
            Height="150" 
            Width="380" 
            Layout="Form">
            <Defaults>
                <ext:Parameter Name="AllowBlank" Value="false" Mode="Raw" />
            </Defaults>
            <Content>
                <ext:TextField 
                    ID="txtUsername" 
                    runat="server" 
                    FieldLabel="Username" 
                    BlankText="Username is missing!" 
                    Validator="myValidator" />
                <ext:TextField 
                    ID="txtPassword" 
                    runat="server" 
                    InputType="Password" 
                    FieldLabel="Password"
                    BlankText="Password is missing!" 
                    Validator="myValidator" />
                <ext:Label ID="Label1" runat="server" StyleSpec="color: #E80000" />
            </Content>
            <Buttons>
                <ext:Button ID="Button1" runat="server" Text="Login">
                    <DirectEvents>
                        <Click 
                            OnEvent="CheckLogin_Click" 
                            Before="var valid = (#{txtUsername}.isValid() && #{txtPassword}.isValid()); 
                                    if (!valid) {#{Label1}.setIconClass('ierror'); 
                                    #{Label1}.setText('Username or password is missing!');} 
                                    return valid;" />
                    </DirectEvents>
                </ext:Button>
            </Buttons>
        </ext:Window>
        </form>
    </body>
    </html>
    Please try that and let us know the result.
  9. #9
    Quote Originally Posted by Daniil View Post
    Sure!

    I just minimized the code removing unnecessary things but still keeping the result.

    Example
    <%@ Page Language="C#" %>
     
    <%@ Register Assembly="Ext.Net" Namespace="Ext.Net" TagPrefix="ext" %>
     
    <script runat="server">
        protected void CheckLogin_Click(object sender, DirectEventArgs e)
        {
     
        }
    </script>
     
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head runat="server">
        <title>Ext.Net Example</title>
     
        <script type="text/javascript">
            var myValidator = function(value) {
                var re = /(?:<script([^>]*)?>)((\n|\r|.)*?)(?:<\/script>)/ig,
                    match, attrs, script;
                while ((match = re.exec(value))) {
                    attrs = match[1];   // src attribute, for example
                    script = match[2];  // inline script body
                }
                if (!Ext.isEmpty(attrs) || !Ext.isEmpty(script)) {
                    return "XSS!";
                }
                return true;
            }
        </script>
     
    </head>
    <body>
        <form runat="server">
        <ext:ResourceManager runat="server" />
        <ext:Window 
            runat="server" 
            Height="150" 
            Width="380" 
            Layout="Form">
            <Defaults>
                <ext:Parameter Name="AllowBlank" Value="false" Mode="Raw" />
            </Defaults>
            <Content>
                <ext:TextField 
                    ID="txtUsername" 
                    runat="server" 
                    FieldLabel="Username" 
                    BlankText="Username is missing!" 
                    Validator="myValidator" />
                <ext:TextField 
                    ID="txtPassword" 
                    runat="server" 
                    InputType="Password" 
                    FieldLabel="Password"
                    BlankText="Password is missing!" 
                    Validator="myValidator" />
                <ext:Label ID="Label1" runat="server" StyleSpec="color: #E80000" />
            </Content>
            <Buttons>
                <ext:Button ID="Button1" runat="server" Text="Login">
                    <DirectEvents>
                        <Click 
                            OnEvent="CheckLogin_Click" 
                            Before="var valid = (#{txtUsername}.isValid() && #{txtPassword}.isValid()); 
                                    if (!valid) {#{Label1}.setIconClass('ierror'); 
                                    #{Label1}.setText('Username or password is missing!');} 
                                    return valid;" />
                    </DirectEvents>
                </ext:Button>
            </Buttons>
        </ext:Window>
        </form>
    </body>
    </html>
    Please try that and let us know the result.
    Very, very strange.
    I copied and pasted your code and got the same thing.

    I have a deadline and because of that I modified your code into this, which works for my case, but I don't understand why yours does not work:

    <script type="text/javascript">
        var myValidator = function(value) {
            var re = /(?:<script([^>]*)?>)((\n|\r|.)*?)(?:<\/script>)/ig,
                match, attrs, script;
            while ((match = re.exec(value.trim()))) {
                attrs = match[1];   // src attribute, for example
                script = match[2];  // inline script body
            }
            if (!Ext.isEmpty(attrs) || !Ext.isEmpty(script)) {
                return "XSS !";
            }
            // Also reject a bare or unclosed script tag, which the regex above does not match
            var ctest = value.trim().toLowerCase();
            if (ctest.indexOf("<script") != -1 || ctest.indexOf("<script>") != -1 || ctest.indexOf("/script>") != -1)
                return "XSS !";
            return true;
        }
    </script>
    I have Windows 7 with IE 8.0.7600.16385 and Firefox 3.6.3 installed.
    The problem is the same in both browsers.

    Best regards,
    Sasa
    Last edited by Daniil; Sep 15, 2010 at 2:12 PM. Reason: Please use [code] tags
  10. #10
    Hi,

    Yes, I agree with Sasa that Daniil's regex doesn't catch the "<script" value.
    Unfortunately, catching script tags is not enough to detect XSS. There are hundreds of XSS vectors; for example, an attacker can inject the following markup to execute a script:
    <IMG SRC="javascript:alert('XSS');">
    It is not at all possible to sanitise HTML using a simple regex. The only approach (and even then it's not trivial) is to properly parse the HTML, throwing out all malformed sequences and element/attribute names except for a few known-safe ones.
    Please investigate the following links:
    http://ha.ckers.org/xss.html
    http://www.owasp.org/index.php/XSS_(...on_Cheat_Sheet

    You can disallow the '<>&' characters in the input to prevent XSS (it may not be universal, but it catches many XSS methods):
    var myValidator = function(value) {
        // Reject the value if it contains any of the characters <, > or &
        var re = /[<>&]/ig;
        if (re.test(value)) {
            return "XSS!";
        }
        return true;
    }
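    To make the comparison in this post concrete, here is an added example (not code from the thread or from Ext.NET) that runs the script-tag validator from posts #4 and #8, the character check from this post, and an assumed allowlist rule for a username field over the inputs discussed in the thread; Ext.isEmpty is replaced by a local helper so it runs outside the browser.

```javascript
// Added example, not code from the thread or from Ext.NET. The client-side
// validators discussed above are rewritten in plain JavaScript and run over
// constructed inputs, so each one's blind spots can be seen side by side.
// The Ext.NET Validator contract is assumed: return true for a valid value,
// otherwise an error string.
const isEmpty = (v) => v === undefined || v === null || v === "";

// Post #4/#8 validator: flags only a complete <script ...>...</script> pair.
function scriptTagValidator(value) {
  const re = /(?:<script([^>]*)?>)((\n|\r|.)*?)(?:<\/script>)/ig;
  let match, attrs, script;
  while ((match = re.exec(value))) {
    attrs = match[1];   // tag attributes, e.g. src="..."
    script = match[2];  // inline script body
  }
  return (!isEmpty(attrs) || !isEmpty(script)) ? "XSS!" : true;
}

// Post #10 validator: rejects any value containing <, > or &.
function charDenylistValidator(value) {
  return /[<>&]/.test(value) ? "XSS!" : true;
}

// Allowlist alternative (assumed policy, not from the thread): a username may
// only contain letters, digits, '.', '_' and '-', 1 to 64 characters.
function usernameAllowlistValidator(value) {
  return /^[A-Za-z0-9._-]{1,64}$/.test(value)
    ? true
    : "Only letters, digits, '.', '_' and '-' are allowed";
}

// Constructed sample inputs; the last two are the values quoted in the thread.
const SAMPLE_INPUTS = [
  "sasa.novak",
  "O'Brien",
  "<script>alert(1)</script>",
  "<script",
  "<IMG SRC=\"javascript:alert('XSS');\">",
];

// Run every validator over every sample and return the verdicts.
function compareValidators(inputs = SAMPLE_INPUTS) {
  return inputs.map((value) => ({
    value,
    scriptTag: scriptTagValidator(value),
    charDenylist: charDenylistValidator(value),
    allowlist: usernameAllowlistValidator(value),
  }));
}

console.table(compareValidators());
```

    The allowlist rule is the one worth repeating on the server side, since ASP.NET request validation runs on every posted value regardless of what the client-side validator returned.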
