Last post Mar 13, 2019 01:14 PM by AddWeb Solution
Oct 18, 2018 04:07 PM|sn002|LINK
There is a piece of software called Fortify that scans my web code pages, and it says the code below is vulnerable to Cross-Site Scripting: Persistent. I am not sure how to go about fixing it. Any ideas? Thanks.
using System.Data;
using System.Data.SqlClient;
using System.Web.UI.WebControls;
public void GetStates()
{
    DataSet DS = new DataSet();
    string strQuery = "Select * from tbl_State where StateName <> '' order by StateName";
    SqlConnection oConn = new SqlConnection(ConnStr);
    SqlDataAdapter DA = new SqlDataAdapter(strQuery, oConn);
    DA.Fill(DS); //Line 85 - Cross-Site Scripting: Persistent
    State.Items.Add(new ListItem("Select a State", ""));
    foreach (DataRow DR in DS.Tables[0].Rows) // DataSet.Tables is a collection; the filled table is Tables[0]
    {
        State.Items.Add(new ListItem(DR["State"].ToString(), DR["StateID"].ToString())); //Line 90 - Cross-Site Scripting: Persistent
    }
}
Oct 18, 2018 05:50 PM|mgebhard|LINK
Try reading the Fortify support documentation as the app might not like the "SELECT *". Usually the error messages come with examples of how to fix vulnerability issues.
Anyway, I recommend that you post this question on Fortify's support forum as this is not an ASP.NET question.
Mar 13, 2019 01:14 PM|AddWeb Solution|LINK
HTML Encode Binding Shortcut
<td><%#: Item.Address %></td>
HTML Encode Render Shortcut
<td><%: Item.Address %></td>
The above code is not vulnerable to XSS because the dynamic Address property is HTML encoded before being written to an HTML context. In ASP.NET 4.5, the HTML encode binding shortcut (<%#:) was introduced to allow developers to HTML encode dynamic values being bound in the HTML markup. Additionally, in ASP.NET 4.0 the HTML encode render shortcut (<%:) was also added to allow developers to automatically HTML encode content being rendered directly to the page.
<td><%# Item.Address %></td>
<td><%= Item.Address %></td>
The above code is vulnerable because the dynamic Address property is written to the browser without HTML encoding. If an attacker had the ability to edit the address field, then a malicious value, such as alert(document.cookie);, could be entered to inject content into the page.
Refer to this link for a deeper understanding
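The markup shortcuts above cover values emitted from an .aspx template. The question's code builds its output in code-behind from database rows, so the same fix has to be applied in C#: encode each untrusted string at the point where it becomes HTML. The following is an added, self-contained example (not code from the thread, from Fortify, or from Microsoft's documentation) that mimics the GetStates loop with constructed sample rows instead of a SqlDataAdapter, and renders the options with System.Net.WebUtility.HtmlEncode; in an ASP.NET project System.Web.HttpUtility.HtmlEncode behaves the same way for this purpose. The row data, the RenderOptions and LooksEncoded names, and the Main method are all assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;

// Added example: output-encode database-sourced strings before they reach HTML.
public static class StateListEncoding
{
    // Constructed sample rows standing in for the DataRow values read from tbl_State.
    // The second and third rows carry markup characters so the effect of encoding is visible.
    public static readonly (string StateName, string StateID)[] SampleRows =
    {
        ("Alabama", "1"),
        ("<b>Texas</b>", "2"),
        ("Wyoming \"W\" & more", "3"),
    };

    // The sink-side fix: encode the value for an HTML context right before it is emitted.
    // Null is treated as an empty string so a missing column value cannot throw here.
    public static string Encode(string untrusted) => WebUtility.HtmlEncode(untrusted ?? string.Empty);

    // Renders <option> elements the way the GetStates loop adds ListItems,
    // with both the visible text and the value attribute encoded.
    public static string RenderOptions(IEnumerable<(string StateName, string StateID)> rows)
    {
        var sb = new StringBuilder();
        sb.Append("<option value=\"\">Select a State</option>\n");
        foreach (var (name, id) in rows)
        {
            sb.Append("<option value=\"").Append(Encode(id)).Append("\">")
              .Append(Encode(name)).Append("</option>\n");
        }
        return sb.ToString();
    }

    // The same loop without encoding, kept only to show the difference in output.
    public static string RenderOptionsUnencoded(IEnumerable<(string StateName, string StateID)> rows)
    {
        var sb = new StringBuilder();
        foreach (var (name, id) in rows)
            sb.Append("<option value=\"").Append(id).Append("\">").Append(name).Append("</option>\n");
        return sb.ToString();
    }

    // Defender-side check: after encoding, no raw '<', '>', '"' or '&' from the data
    // may survive inside the emitted text or attribute values.
    public static bool LooksEncoded(string data)
    {
        string encoded = Encode(data);
        return !encoded.Contains("<") && !encoded.Contains(">") && !encoded.Contains("\"")
            && (!encoded.Contains("&") || encoded.Contains("&amp;") || encoded.Contains("&lt;")
                || encoded.Contains("&gt;") || encoded.Contains("&quot;"));
    }

    public static void Main()
    {
        Console.WriteLine("-- unencoded (what the flagged code produces) --");
        Console.WriteLine(RenderOptionsUnencoded(SampleRows));
        Console.WriteLine("-- encoded (the fix) --");
        Console.WriteLine(RenderOptions(SampleRows));
        foreach (var (name, _) in SampleRows)
            Console.WriteLine($"{name} -> {Encode(name)}  encoded ok: {LooksEncoded(name)}");
    }
}
```

The point of the two render methods is that the data is identical in both; only the encoding at the sink differs, which is exactly what Fortify's "Persistent" classification is about: the value came from storage, not from the current request, so no request-side validation will catch it and the fix belongs where the HTML is written. In the original GetStates method the equivalent change is to wrap DR["State"].ToString() and DR["StateID"].ToString() in HttpUtility.HtmlEncode before passing them to ListItem, unless the control is verified to encode them itself.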