How to secure the telerik:radgrid or telerik:RadComboBox ClientState from XSS Attack.

Attiq asked on 13 May 2022, 01:12 PM | edited on 13 May 2022, 01:12 PM

Hi guys,


I am working on issues reported by Rapid 7.

The following error is reported by Rapid 7:

ctl00_ctl00_BaseContent_ContentPlaceHolder1_rgdDispatches_ClientState=%27%3E%3Cscript%3Ealert(4272772)%3C%2Fscript%3E

Actually, the attack is injecting a <script>alert("4272772")</script> tag inside the ClientState.

Is there any way to prevent this attack on almost all Telerik Ajax controls, especially telerik:radgrid and telerik:RadComboBox, in server-side code?

Is there any way to use encryption, or some other way to validate and fix the client state of a control on the server side?

Rumen
Telerik team
answered on 17 May 2022, 01:14 PM

Hi Attiq,

The _ClientState field that our controls have is standard for an IScriptControl instance. As with any other input, a malicious user can generate a POST with invalid data in it that will trigger server errors, but there is no debugging information stored in the ClientState field.

I can assure you the ClientState data is used only to set control properties (much like the ViewState data, but it is used to store information for the client, not the server). If the information in it is modified, you will most likely get a server error. We do not execute code based on these values, nor do we send any debug information through them.

Even if a malicious user changed the values, they could have either of the outcomes shown in the following video:
http://youtu.be/oq9tmQY3y4c?hd=13

We use the JavaScriptSerializer class from .NET to get the contents of the ClientState fields.

If you think that there is a real security issue, can you please provide the steps to replicate the exploit on our side? Thank you!

Best Regards,
Rumen
Progress Telerik
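The answer above states that the controls read ClientState with JavaScriptSerializer and that a tampered value produces a server error rather than executing anything. The following is an added example, not Telerik's code and not from either poster, showing how an application could verify that for itself on the server side as a defence-in-depth check: an IHttpModule (the class name ClientStateGuardModule and its registration are assumptions) that inspects every POSTed field whose name ends in `_ClientState`, parses it with the same JavaScriptSerializer class, and answers 400 when the value is not the JSON object the controls write. The reported payload `'><script>alert(4272772)</script>` is not valid JSON, so it is rejected before the page lifecycle can surface it in an error page.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Script.Serialization;

// Added example (hypothetical module name): rejects POSTs whose *_ClientState
// fields are not well-formed JSON objects, so tampered values never reach a
// control's deserialization step or an error page that might echo them.
public class ClientStateGuardModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.BeginRequest += (sender, e) => Inspect(((HttpApplication)sender).Context);
    }

    public void Dispose() { }

    private static void Inspect(HttpContext ctx)
    {
        if (!string.Equals(ctx.Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
            return;

        // Unvalidated.Form avoids ASP.NET request validation throwing on "<script>"
        // before this module gets to look at the value (available since .NET 4.5).
        var form = ctx.Request.Unvalidated.Form;
        foreach (string key in form.AllKeys)
        {
            if (key == null || !key.EndsWith("_ClientState", StringComparison.Ordinal))
                continue;

            if (IsWellFormedClientState(form[key]))
                continue;

            // Log the field name only, not the raw value, so the payload is not
            // written unencoded into logs that another tool might render.
            ctx.Trace.Warn("ClientStateGuard", "Rejected malformed ClientState in field " + key);
            ctx.Response.StatusCode = 400;
            ctx.ApplicationInstance.CompleteRequest();
            return;
        }
    }

    // True when the value is empty or parses as a JSON object (the shape the
    // controls emit). Anything JavaScriptSerializer cannot parse, such as the
    // reported "'><script>alert(4272772)</script>" string, returns false.
    public static bool IsWellFormedClientState(string value)
    {
        if (string.IsNullOrEmpty(value))
            return true;
        try
        {
            object parsed = new JavaScriptSerializer().DeserializeObject(value);
            return parsed is Dictionary<string, object>;
        }
        catch (ArgumentException)
        {
            return false; // "Invalid JSON primitive" and similar parse failures
        }
        catch (InvalidOperationException)
        {
            return false;
        }
    }
}
```

Register the module in web.config under system.webServer/modules (for example `<add name="ClientStateGuard" type="ClientStateGuardModule" />`, assuming the class lives in the application assembly). Note that this check only blocks malformed input; it does not replace output encoding, which is what ultimately decides whether a reflected value such as the one in the Rapid 7 report could ever run as script in a custom error page.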
