Hi,
This is my first post here, so if I misplaced it, sorry.
I need advice on preventing errors caused by XSS (Cross-Site Scripting). Our client's security check discovered that RadGrid filters can be vulnerable to XSS. At least when you insert JS into the value field of a column's filter control and then choose a filter type, it causes an unhandled exception. Is there some way to handle the exception? I know the filter controls are secured against SQL injection, but the error caused by XSS is irritating, especially since on the client we only get a JS error and the "loading icon" of RadGrid keeps spinning. Is my assumption correct that if someone manages to circumvent the 500 error, an XSS attack could be successful?
Is there any way to implement the "Microsoft Anti-Cross Site Scripting Library" for this problem, or some other solution?
Attempted js text in filter:
<script>alert(1)</script>
Error in VS2012:
Unhandled exception at line 6, column 84289 in http://localhost:52030/Telerik.Web.UI.WebResource.axd?_TSM_HiddenField_=RadScriptManager1_TSM&compress=1&_TSM_CombinedScripts_=;;System.Web.Extensions,+Version=4.0.0.0,+Culture=neutral,+PublicKeyToken=31bf3856ad364e35:pl-PL:c9cbdec3-c810-4e87-846c-fb25a7c08002:ea597d4b:b25378d2;Telerik.Web.UI,+Version=2013.1.220.45,+Culture=neutral,+PublicKeyToken=121fae78165ba3d4:pl-PL:3e3b0da6-8c39-4d10-9111-25eaee1f7355:16e4e7cd:ed16cbdc:f7645509:86526ba7:874f8ea2:24ee1bba:e330518b:2003d0b8:1e771326:c8618e41:19620875:f46195d3:490a9d4e:bd8f85e4:58366029:8674cba1:7c926187:b7778d6c:c08e9f8a:aa288e2d:e4f8f289:59462f1:a51ee93e
0x800a139e - Microsoft JScript runtime error: Sys.WebForms.PageRequestManagerServerErrorException: A potentially dangerous Request.Form value was detected from the client (ctl00$ContentPlaceHolder1$rgridPromotions$ctl00$ctl02$ctl03$FilterTextBox_colName="<script>alert(1)</sc...").
Error in IE:
Webpage error details
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Timestamp: Mon, 31 Mar 2014 09:12:18 UTC
Message: Sys.WebForms.PageRequestManagerServerErrorException: An unknown error occurred while processing the request on the server. The status code returned from the server was: 500
Line: 6
Char: 84147
Code: 0
URI: http://crr-app1:10000/Telerik.Web.UI.WebResource.axd?_TSM_HiddenField_=RadScriptManager1_TSM&compress=1&_TSM_CombinedScripts_=%3b%3bSystem.Web.Extensions%2c+Version%3d4.0.0.0%2c+Culture%3dneutral%2c+PublicKeyToken%3d31bf3856ad364e35%3apl-PL%3a10a773fc-9022-49ec-acd6-8830962d8cbb%3aea597d4b%3ab25378d2%3bTelerik.Web.UI%2c+Version%3d2013.1.220.45%2c+Culture%3dneutral%2c+PublicKeyToken%3d121fae78165ba3d4%3apl-PL%3a3e3b0da6-8c39-4d10-9111-25eaee1f7355%3a16e4e7cd%3aed16cbdc%3af7645509%3a86526ba7%3a874f8ea2%3a24ee1bba%3ae330518b%3a2003d0b8%3a1e771326%3ac8618e41%3a19620875%3af46195d3%3a490a9d4e%3abd8f85e4%3a58366029%3a8674cba1%3a7c926187%3ab7778d6c%3ac08e9f8a%3aaa288e2d%3ae4f8f289%3a59462f1%3aa51ee93e
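What the errors above show is ASP.NET request validation doing its job: the `<script>` value is rejected server-side with an HttpRequestValidationException, but because the filter command runs inside an AJAX postback, the exception comes back as a bare 500 and the grid's loading panel never clears. The following code-behind is an added example, not code from the original post or from Telerik: it keeps request validation enabled and instead intercepts the failure on the ScriptManager so the client receives a controlled message. It assumes a page with a RadScriptManager whose ID is `RadScriptManager1` (the ID visible in the error URLs) and uses the standard `AsyncPostBackError`, `AsyncPostBackErrorMessage` and `AllowCustomErrorsRedirect` members that RadScriptManager inherits from System.Web.UI.ScriptManager; the page class name `Promotions` and the label `lblAppliedFilter` are placeholders.

```csharp
// Added example (not from the original post or Telerik's code): code-behind for the page
// hosting the RadGrid. Assumed IDs: RadScriptManager1 (seen in the error URL), lblAppliedFilter.
using System;
using System.Web;
using System.Web.UI;

public partial class Promotions : Page
{
    protected void Page_Init(object sender, EventArgs e)
    {
        // Subscribe in Init, not Load: postback data (and therefore request validation of the
        // filter textbox value) is processed before Page_Load, so a handler attached in Load
        // would be too late to see the HttpRequestValidationException.
        RadScriptManager1.AsyncPostBackError += RadScriptManager1_AsyncPostBackError;

        // Do not redirect a failed async postback to the customErrors page; return the
        // message below to the client so PageRequestManager can surface it instead of a raw 500.
        RadScriptManager1.AllowCustomErrorsRedirect = false;
    }

    protected void RadScriptManager1_AsyncPostBackError(object sender, AsyncPostBackErrorEventArgs e)
    {
        if (e.Exception is HttpRequestValidationException)
        {
            // Request validation blocked the input: this is the expected, safe outcome.
            // Send a generic message and never echo the rejected value back to the page.
            RadScriptManager1.AsyncPostBackErrorMessage =
                "The filter value contains characters that are not allowed.";
        }
        else
        {
            // Hide stack traces and internal details from the client for any other failure.
            RadScriptManager1.AsyncPostBackErrorMessage = "An error occurred while filtering.";
        }
    }

    // Wherever a filter value that did pass validation is written back into the page
    // (a label, a header, a message), encode it at the output point. Request validation is a
    // blocklist; output encoding is what actually prevents script injection in rendered HTML.
    protected void ShowAppliedFilter(string filterValue)
    {
        lblAppliedFilter.Text = HttpUtility.HtmlEncode(filterValue);
    }
}
```

With this in place the server still rejects the payload, but the client-side `Sys.WebForms.PageRequestManagerServerErrorException` carries the friendly message instead of the "unknown error ... 500" text. If you also want to stop the spinning loading panel without the default JavaScript alert, handle it in the browser with `Sys.WebForms.PageRequestManager.getInstance().add_endRequest(...)` and call `args.set_errorHandled(true)` after displaying `args.get_error().message`. For the Anti-XSS question: on .NET 4.5 the library's encoder ships as `System.Web.Security.AntiXss.AntiXssEncoder` and can replace `HttpUtility.HtmlEncode` here, or be made the default via the `encoderType` attribute on `<httpRuntime>` in web.config (assumed to match your framework version; check it against your target).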