[CLOSED] XSS on store initialization

  1. #1

    [CLOSED] XSS on store initialization

    Hello. Please review the following example:

    <%@ Page Language="C#" %>
    
    <!DOCTYPE html>
    
    <html>
    <head runat="server">
    </head>
    <body>
        <form runat="server">
            <ext:ResourceManager runat="server" />
            
            <ext:GridPanel ID="grid" runat="server" Height="400" Width="300">
                <Store>
                    <ext:Store ID="store" runat="server">
                        <Model>
                            <ext:Model runat="server" IDProperty="Id">
                                <Fields>
                                    <ext:ModelField Name="Id" />
                                    <ext:ModelField Name="Name" />
                                </Fields>
                            </ext:Model>
                        </Model>
                    </ext:Store>
                </Store>
                <ColumnModel>
                    <Columns>
                        <ext:Column Text="XSS" DataIndex="Name" />
                    </Columns>
                </ColumnModel>
            </ext:GridPanel>
        </form>
    </body>
    </html>
    Server-side code:

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Web;
    using System.Web.UI;
    using System.Web.UI.WebControls;
    
    namespace ExtJSTesApplication
    {
        public partial class XSSTest : System.Web.UI.Page
        {
    
            private class Entity
            {
                public int Id { get; set; }
                public string Name { get; set; }
            }
    
            private readonly string str = "test XSS </script><script>alert('XSS')</script>";
    
            protected void Page_Load(object sender, EventArgs e)
            {
                //store.Filter("Name", str);
    
                // Case a)
                store.DataSource = GetData(1);
                store.DataBind();
    
                // Case b)
                //store.Filters.Add(new Ext.Net.DataFilter.Config()
                //{
                //    Property= "Name",
                //    Value = str
                //});
            }
    
            private List<Entity> GetData(int n)
            {
                var res = new List<Entity>(n);
                for (var i = 0; i < n; i++)
                {
                    res.Add(new Entity
                    {
                        Id = i,
                        Name = str
                    });
                }
    
                return res;
            }
        }
    }
    When I run this page, I see an alert. The following script is generated by Ext.Net:

    <script type="text/javascript">
    //<![CDATA[
        Ext.net.ResourceMgr.init({"id":"ResourceManager1","aspForm":"Form1"});Ext.onReady(function(){Ext.create("Ext.grid.Panel",{"store":{"model":Ext.define("App.Model1", {extend: "Ext.data.Model", "fields":[{"name":"Id"},{"name":"Name"}],"idProperty":"Id" }),"storeId":"store","autoLoad":true,
        "proxy":{
            data:[{"Id":0,"Name":"test XSS </script><script>alert('XSS')</script>"}],
            type: 'memory'
        }},"id":"grid","height":400,"renderTo":"App.grid_Container","width":300,"columns":{"items":[{"dataIndex":"Name","text":"XSS"}]}});});
    //]]>
    </script>
    As you can notice in the line

    data:[{"Id":0,"Name":"test XSS </script><script>alert('XSS')</script>"}]
    the string is not encoded, which makes the page vulnerable to XSS attacks.

    Could you please suggest how I could set data or a store filter so that XSS attacks are not allowed?

    Best regards.
    Last edited by geoffrey.mcgill; Jan 27, 2015 at 5:50 PM.
  2. #2
    I don't agree that it is an XSS vulnerability, because we should not check data from the server (only from the client).

    For example, see the following sample; it has the same effect:
    <%@ Page Language="C#" AutoEventWireup="true" %>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    
    
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head runat="server">
        <title>Test</title>
    
    
        <script runat="server">
            public string Message
            {
                get
                {
                    return "test XSS </scr" + "ipt><script>alert('XSS')</scr" + "ipt>";
                }
            }
        </script>
        
        <script type="text/javascript">
            function doSomething(msg) {
    
    
            }
    
    
            doSomething("<%= Message %>");
        </script>
    </head>
    <body>
        <form id="form1" runat="server">        
        </form>
    </body>
    We always check the generated script to replace the "</script>" string constant with "<\\/script>" to ensure that the script will not break the page. But we missed the store data in that check. It will be fixed today.

    Also, if you want to see the full text in the grid, then use '<Renderer Format="HtmlEncode" />' for the column.
  3. #3
    Quote Originally Posted by Vladimir View Post
    Also, if you want to see full text in the grid then use '<Renderer Format="HtmlEncode" />' for the column
    Yes, this is a known solution for me, but the original issue is that the page is not rendered, as </script> is not encoded and the generated script breaks the page.

    Also, please pay attention that if you uncomment the code (case b)) and comment out case a), the same issue would take place:
                // Case b)
                //store.Filters.Add(new Ext.Net.DataFilter.Config()
                //{
                //    Property= "Name",
                //    Value = str
                //});
  4. #4
    One more question. Will it be a complex fix? I ask because on production we use a specific version of Ext.Net and we do not have an opportunity to significantly change existing libraries.
    Last edited by Leonid_Veriga; Feb 25, 2014 at 12:56 PM.
  5. #5
    One more question. Will it be a complex fix? I ask because on production we use a specific version of Ext.Net and we do not have an opportunity to significantly change existing libraries.
    Well, it is required to change a few properties:

    Core/BaseControl/BaseControl.cs
    public virtual string InitialConfig
            {
                get
                {
                    if (this is Observable)
                    {
                        string script = ((this.DesignMode) ? "" : new ClientConfig().Serialize(this)) ?? "";
                        return script.Replace("</script>", "<\\/script>");
                    }
    
    
                    return "";
                }
            }
    Ext/Data/StoreBase.cs
    protected virtual string DataProxy
            {
                get
                {
                    if (this.Data == null)
                    {
                        return null;
                    }
    
    
                    string key = Guid.NewGuid().ToString();
                    string data = JSON.Serialize(this.Data).Replace("</script>", "<\\/script>");
                    HttpContext.Current.Items.Add(key, data);
    
    
                    return ExtNetTransformer.GetDataTag(key);
                }
            }

    Ext/Data/SyncStoreBase.cs
    protected virtual string MemoryProxy
            {
                get
                {
                    if (!this.IsProxyDefined)
                    {
                        string reader = this.Reader.Primary != null ? (", reader:" + new ClientConfig().Serialize(this.Reader.Primary)) : "";
                        string writer = this.Writer.Primary != null ? (", writer:" + new ClientConfig().Serialize(this.Writer.Primary)) : "";
    
    
                        if (this.Data != null)
                        {
                            return string.Format("{{type: '{0}'{1}{2}}}", this.IsPagingStore || this.Buffered ? "pagingmemory" : "memory", reader, writer);
                        }
    
    
                        if (this.MemoryDataPresent)
                        {
                            string template = "{{data:{0}, type: '{1}'{2}{3}}}";
                            string data = (this.DSData != null ? JSON.Serialize(this.DSData) : this.JsonData) ?? "";
                            data = data.Replace("</script>", "<\\/script>");
                            string key = Guid.NewGuid().ToString();
                            HttpContext.Current.Items.Add(key, data);
                            return string.Format(template, ExtNetTransformer.GetDataTag(key), this.IsPagingStore || this.Buffered ? "pagingmemory" : "memory", reader, writer);
                        }
    
    
                        return string.Format("{{type:'{0}'{1}{2}}}", this.IsPagingStore || this.Buffered ? "pagingmemory" : "memory", reader, writer);
                    }
    
    
                    return "";
                }
            }
  6. #6
    Vladimir, could you please provide the number of the revision in which this issue was fixed?
  7. #7
    Revision #5684

    The related files are:

    • Core/BaseControl/BaseControl.cs
    • Ext/Data/StoreBase.cs
    • Ext/Data/SyncStoreBase.cs
  8. #8
    Thank you.
  9. #9
    Hello.

    There is the same issue if we enter the same string and capitalize some letters. Moreover, this issue occurs not only for stores, but for the AddScript method as well.

    X.AddScript("window.test_vb_string = '</Script><Script>alert(1);</Script>';");
  10. #10
    I cannot reproduce the issue.
    Can you provide a runnable test case?

    Here is my test case:
    <%@ Page Language="C#" %>
    
    
    <%@ Register Assembly="Ext.Net" Namespace="Ext.Net" TagPrefix="ext" %>
    
    
    <!DOCTYPE html>
    
    
    <script runat="server">    
        protected void Unnamed_DirectClick(object sender, DirectEventArgs e)
        {
            X.AddScript("window.test_vb_string = '</Sc"+"ript><Scr"+"ipt>alert(1);</Scr"+"ipt>';");
        }
    </script>
    
    
    <html>
    <head runat="server">
        <title></title>
    </head>
    <body>
        <form runat="server">
            <ext:ResourceManager ID="ResourceManager1" runat="server" />
    
    
            <ext:Button runat="server" Text="Click" OnDirectClick="Unnamed_DirectClick"></ext:Button>
        </form>
    </body>
    </html>
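The following is an added example; it is not code from this thread or from Ext.NET. It puts the case-sensitive Replace("</script>", "<\\/script>") from post #5 next to a character-level escape that does not depend on how the end tag is spelled, and runs the payload from post #1, the capitalized variant from post #9 and two further spellings the HTML parser accepts (constructed here) through a check that mirrors the HTML tokenizer's rule for ending script data. The class and method names (ScriptEmbedding, NaiveEscape, SafeEscape, BreaksOutOfScript) are made up for illustration.

```csharp
using System;
using System.Text;
using System.Text.RegularExpressions;

// Added example (not Ext.NET code). Contrasts the case-sensitive
// Replace("</script>", "<\\/script>") approach with an escape that works
// on characters, so tag casing and spacing cannot bypass it.
public static class ScriptEmbedding
{
    // Minimal JSON string quoting so the sample is self-contained; a real
    // serializer (Newtonsoft, System.Text.Json) does the same for the string part.
    public static string JsonQuote(string s)
    {
        var sb = new StringBuilder("\"");
        foreach (char c in s)
        {
            switch (c)
            {
                case '\\': sb.Append("\\\\"); break;
                case '"':  sb.Append("\\\""); break;
                case '\n': sb.Append("\\n"); break;
                case '\r': sb.Append("\\r"); break;
                case '\t': sb.Append("\\t"); break;
                default:
                    if (c < ' ') sb.AppendFormat("\\u{0:x4}", (int)c);
                    else sb.Append(c);
                    break;
            }
        }
        return sb.Append('"').ToString();
    }

    // The fix shown in post #5: an exact, case-sensitive match only.
    public static string NaiveEscape(string json) =>
        json.Replace("</script>", "<\\/script>");

    // Escape '<', '>', '&' and the JS line terminators U+2028/U+2029 inside the
    // serialized JSON as \uXXXX sequences. The HTML tokenizer then never sees
    // "</script" (or "<!--") in any casing, while JSON.parse / the JS engine
    // decode the escapes back to the original characters. Apply this to JSON
    // text or string-literal contents only, never to arbitrary JS source,
    // where '<' may be an operator.
    public static string SafeEscape(string json)
    {
        var sb = new StringBuilder(json.Length);
        foreach (char c in json)
        {
            switch (c)
            {
                case '<':      sb.Append("\\u003c"); break;
                case '>':      sb.Append("\\u003e"); break;
                case '&':      sb.Append("\\u0026"); break;
                case '\u2028': sb.Append("\\u2028"); break;
                case '\u2029': sb.Append("\\u2029"); break;
                default:       sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // The HTML tokenizer ends script data at "</script" followed by whitespace,
    // '/' or '>', compared case-insensitively. This check mirrors that rule.
    static readonly Regex ScriptEndTag =
        new Regex(@"</script[\s/>]", RegexOptions.IgnoreCase);

    public static bool BreaksOutOfScript(string embedded) =>
        ScriptEndTag.IsMatch(embedded);

    public static void Main()
    {
        // Constructed payloads: post #1, the capitalized variant from post #9,
        // and two further spellings the HTML parser also accepts as an end tag.
        string[] payloads =
        {
            "test XSS </script><script>alert('XSS')</script>",
            "test XSS </Script><Script>alert(1);</Script>",
            "</script foo=bar><script>alert(2)</script>",
            "</script/><script>alert(3)</script>",
        };

        foreach (string p in payloads)
        {
            // Same shape as the memory-proxy data in the generated script.
            string json = "{\"Id\":0,\"Name\":" + JsonQuote(p) + "}";
            Console.WriteLine("naive breaks out: {0,-5} safe breaks out: {1,-5} {2}",
                BreaksOutOfScript(NaiveEscape(json)),
                BreaksOutOfScript(SafeEscape(json)),
                p);
        }
    }
}
```

Only the first payload is neutralized by the naive replace; the other three still end the script element, which is exactly the bypass reported in post #9. A lighter alternative to the \u003c form is to replace every "</" in the JSON text with "<\/" (not the literal "</script>"), since that does not depend on the tag name or its casing; escaping '<' itself has the further advantage of also covering "<!--", which the script-data tokenizer treats specially. Whichever form is used, it must be applied everywhere server data lands inside an inline script, including the store filter values from case b) in post #1 and strings passed to X.AddScript.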