Last post Nov 08, 2019 06:01 PM by mgebhard
Nov 07, 2019 11:46 AM|srinivas_1969|LINK
I am working on fixing a Cross Site Scripting issue in an ASP.NET with C# application, and the team is trying to inject the CSS as
%uff1cscript%uff1ealert%uff08123456%uff09%uff1c/script%uff1e. But I am facing an issue encoding the text to HTML format: it is not updating.
Please help me with how to encode the above input to HTML and fix the issue.
Nov 08, 2019 02:39 AM|Yang Shen|LINK
team is trying to inject the CSS as %uff1cscript%uff1ealert%uff08123456%uff09%uff1c/script%uff1e.
XSS is supposed to protect your website, thus the JS written will be encoded to the above format.
Can you explain in which scenario you want to inject a JS function as above, which will make your website very insecure?
And why not use the ScriptManager.RegisterStartupScript method like below?
ScriptManager.RegisterStartupScript(this,this.GetType(), "aa", "<script>alert(123456)</script>", false);
Nov 08, 2019 06:48 AM|srinivas_1969|LINK
Thanks for your response, but the pen test team would like to inject the script using the Burp interceptor, and the script is being inserted into the text box control and description boxes.
I am trying to handle this from the C# server side, but I am not able to convert the above Unicode entities to HTML text.
Please let us know how to resolve this.
Thanks in advance.
Nov 08, 2019 08:11 AM|Yang Shen|LINK
inject the script using burp interceptor and the script is inserting at text box control and description boxes.
According to your description, you will input <script>alert(123456)</script> into this textbox and the
Burp interceptor will encode this to %uff1cscript%uff1ealert%uff08123456%uff09%uff1c/script%uff1e?
I built this demo here with C# and
HttpUtility.UrlDecode (since we don't know how you encode the script) to decode it.
This string can be decoded, but not in the right way; you can refer to the demo below:
using System;
using System.Web;

protected void btn2_Click(object sender, EventArgs e)
{
    // URL-decode the %uXXXX form: this yields fullwidth characters, not ASCII '<' and '>'
    string a = "%uff1cscript%uff1ealert%uff08123456%uff09%uff1c/script%uff1e";
    a = HttpUtility.UrlDecode(a);
    txt1.Value = a;
    // URL-encode a real script tag: '<' becomes %3c
    string b = "<script>alert(123456)</script>";
    b = HttpUtility.UrlEncode(b);
    txt2.Value = b;
}
Below is the result:
As you can see from the above image, %uff1c will be encoded to ＜, which can't be recognized as HTML code (<), and
< will be encoded to %3c.
I think HttpUtility.UrlDecode is not what you want, but maybe you can try using HttpUtility.UrlEncode to encode your script, which will make it easier.
Nov 08, 2019 11:18 AM|srinivas_1969|LINK
Hi Yang Shen,
Thank you again, and I would like to explain what we are actually doing.
There is one control on the aspx form which is used to collect some data, and the end user will enter normal text only in one text box, e.g., "test by Srinivas".
But to validate the application security we use the Burp interceptor, and once the above text is entered in the text box and saved, the data comes into the Burp interceptor.
There we replace the text "test by Srinivas" with
%uff1cscript%uff1ealert%uff08123456%uff09%uff1c/script%uff1e, and then it is saved in the DB.
When we open the same data for viewing, the script executes and shows an alert. But when we are doing validation, how do we encode "%uff1cscript%uff1ealert%uff08123456%uff09%uff1c/script%uff1e" to HTML? I am not finding any methods in C# to encode it because it is Unicode.
Thanks in advance.
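The flow described in this post (the %uXXXX text is stored, and a real alert fires when the record is viewed) is worth seeing end to end in code. The following console program is an added example written for this thread, not code posted by any participant. It assumes .NET with System.Web.HttpUtility available (System.Web.dll on .NET Framework, or the System.Web.HttpUtility package on newer .NET); the method names SafeForHtml and EncodeThenNormalize are this example's own. HttpUtility.UrlDecode understands the non-standard %uXXXX form that Yang Shen's demo decoded, and it produces the fullwidth characters U+FF1C / U+FF1E, which the browser does not treat as tags. The example shows that HTML-encoding the value is harmless to those characters, and that the real risk is ordering: if any compatibility normalization (or a lossy code-page conversion) runs after the encoder, the fullwidth brackets collapse to real '<' and '>' and the stored text becomes live markup. Normalizing first and encoding last, at the point where the value is written into the page, avoids that.

```csharp
// Added example for this thread, not code from any post. Assumes System.Web.HttpUtility is
// available (System.Web.dll on .NET Framework; System.Web.HttpUtility package on newer .NET).
using System;
using System.Text;
using System.Web;

static class XssEncodingDemo
{
    // Constructed sample: the value exactly as the thread says it is submitted via Burp.
    const string RawFromBurp = "%uff1cscript%uff1ealert%uff08123456%uff09%uff1c/script%uff1e";

    // Hardened output path (name is this example's own): normalize lookalike characters
    // to their ASCII equivalents while the string is still plain data, then HTML-encode
    // last, immediately before the value goes into the page.
    public static string SafeForHtml(string untrusted)
    {
        string normalized = untrusted.Normalize(NormalizationForm.FormKC);
        return HttpUtility.HtmlEncode(normalized);
    }

    // Broken ordering (name is this example's own): encoding first leaves the fullwidth
    // brackets untouched (HtmlEncode only rewrites < > & " '), so a later compatibility
    // normalization turns them into real '<' and '>' after the encoder has already run.
    public static string EncodeThenNormalize(string untrusted)
    {
        return HttpUtility.HtmlEncode(untrusted).Normalize(NormalizationForm.FormKC);
    }

    // Simulates what a data layer or view might do after reading the stored value back.
    public static string StoredValueAsReceived()
    {
        // UrlDecode handles %uXXXX and yields fullwidth characters, not ASCII tags.
        return HttpUtility.UrlDecode(RawFromBurp);
    }

    static void Main()
    {
        string stored = StoredValueAsReceived();

        Console.WriteLine("decoded from %uXXXX : " + stored);
        Console.WriteLine("normalize, then encode: " + SafeForHtml(stored));
        Console.WriteLine("encode, then normalize: " + EncodeThenNormalize(stored));
    }
}
```

When run, the first line shows the fullwidth-bracket text, the second shows an entity-encoded script tag that a browser renders as literal text, and the third shows an unencoded script tag, which is the outcome this post reports. The practical rule for the code-behind: do not encode on save, store the raw value, and call HttpUtility.HtmlEncode (or bind through a control that encodes for you) on the final string at render time, after any normalization or character-set conversion has already happened.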
Nov 08, 2019 12:07 PM|mgebhard|LINK
What is your question?
I'm guessing that you are serializing a string on the server which is causing the escaped characters. Is there any way you can share code that reproduces this issue?
Nov 08, 2019 05:47 PM|srinivas_1969|LINK
Thank you for your reply. I am encoding the text box value in buttonsave_click, and once the process is started the data comes into the Burp Suite tool; at the backend they modify the text, replacing it with the script, and I would like to handle
that in the back end on the server side. Please let me know how to encode/handle it.
Nov 08, 2019 06:01 PM|mgebhard|LINK
I am encoding the text box value once the buttonsave_click
Yang Shen provided a clear example of HTML encoding and decoding. If HTML encode and decode is not what you are looking for, then share code that reproduces this issue rather than making the community guess what problem you are trying to solve. Are you receiving an error in the Burp tool that recommends encoding text input? Have you tried Burp support?