Skip to content
This repository has been archived by the owner on Dec 13, 2022. It is now read-only.

joseftw/ProblematicProblemDetails

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commits

src

src

 
 

.gitignore

.gitignore

 
 

ProblematicProblemDetails.sln

ProblematicProblemDetails.sln

 
 

README.md

README.md

 
 

Repository files navigation

Introduction

When using ProblemDetails, the default behaviour when an validation error occures is to return an response that shows what went wrong.

Given the following action method:

public IEnumerable<WeatherForecast> Get([FromQuery]DateTime date)
{
	return Enumerable.Range(1, 5).Select(index => new WeatherForecast
	{
		Date = DateTime.Now.AddDays(index),
		TemperatureC = Random.Shared.Next(-20, 55),
		Summary = Summaries[Random.Shared.Next(Summaries.Length)]
	})
	.ToArray();
}

When executing the following request:

GET /WeatherForecast?date=josef

The following response will be returned.

{
	"type": "https://tools.ietf.org/html/rfc7231#section-6.5.1",
	"title": "One or more validation errors occurred.",
	"status": 400,
	"traceId": "00-a6671681df84f418db994be30c3e2689-ea61fab32a4d3917-00",
	"errors": {
		"date": ["The value 'josef' is not valid."]
	}
}

Now. Imagine that our client code that handles the response just prints out the error, something like this:

function jqueryExploit(){
  var dateValue = $('#date-input').val();
  var url = "https://localhost:7135/WeatherForecast?date=" + dateValue;
$( "#success" ).load( url, function( response, status, xhr ) {
  if ( status == "error" ) {
    var problemDetails = JSON.parse(response);
    var dateError = problemDetails.errors.date;
    $( "#errors" ).html("<h1>Errors occured</h1>"+dateError );
  }
});

}

Now imagine that the input entered in the input field was something like 2021-10-28<script>alert('you%20have%20been%20hacked')</script>... It would trigger an alert.

Reproduce

  1. Start the web application on port 7135 (https). dotnet run in the WebApplication2 folder.
  2. Open the attached index.html in a browser
  3. For jquery, paste in 2021-10-28<script>alert('you%20have%20been%20hacked')</script> in the text input and press "jQuery exploit"
  4. For "vanilla", paste in 2021-10-28 <a href='javascript:alert("you have been hacked");'> Click to fix problem</a> and press on "Vanilla...".

Question

Should the framework be responsible for escaping the user input instead of just blindly return it back in the problem details response?

More information

https://josef.codes/beware-of-potential-xss-injections-when-using-problemdetails-in-asp-net-core/

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

3 stars

Watchers

3 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages