Stealin Secrets from Your Favorite Bloggers

Wednesday, May 26, 2004

I ran into this postential security riskwhile doing a security audit of Empower, our content mangement server that will be available for purchase in just a few short weeks, and it turns out to be a common hole that many tools and apps do not protect you from. Most modern web based blogging tools and a host of web site tools include the ability to view referrer information for a given item. The problem is that these tools assume that the incoming urls are valid, so they simply echo them to the screen. Unfortunately, this means that evil users can insert all sorts of nasty scripts into the referrer string and hijack your browser, stealing all sorts of information like domain specific cookies (ie. login info). If you want to see if you are vulnerable, you should go download the referrer spoofing tool over at http://home.wanadoo.nl/lc.staak/quickspoof.htm (and while you're at it, send Rory a nice google wierdos message :-) ). Enter something like http://hacked.com/<script>alert('you have been hacked');</script> and see if you get a dialog box when you look at your referrer logs.

So... how do we fix this? If you are using a datalist or repeater to echo the results, the simplest solution is to HtmlEncode values before sending them to the client:

Instead of:

<%#DataBinder.Eval(Container.DataItem, “Something”)%>

Write:

<%#System.Web.HttpUtility(Convert.ToString(DataBinder.Eval(Container.DataItem, “Something”)))%>

7 Comments

This blog was very useful for me.

mobiliario - Thursday, August 23, 2007 7:06:41 PM

Thanks this is just what I was looking for. However, you missed one piece on the solution. It should be:

The compiler doesn't like it if you leave out the HtmlEncode part. :-)

Jack - Friday, August 24, 2007 1:51:05 PM

To be both a speaker of words and a doer of deeds.

-----------------------------------

ipad accessories must haveDA - Sunday, December 19, 2010 11:49:40 AM

-----------------------------------------------------------
with thanks ! extremely beneficial publish!

best ipad accessories - Sunday, January 9, 2011 4:12:59 AM

I was just searching for this information for some time. Following 6 hours of continuous Googleing, at last I got it inside your web site. I wonder what's the lack of Google strategy that do not rank this type of informative websites in leading of the list. Normally the leading web-sites are full of garbage.

Mickey AvellanedaDA - Friday, July 1, 2011 3:10:09 PM

The following certainly a great internet website you have visiting this web-site. The matter is really beneficial furthermore to direct clear. Ecstatic to learn to read a different recommendation of your blog next time.

Sid DehlDA - Tuesday, July 5, 2011 2:08:11 PM

Hey very nice website!! Man .. Excellent .. Superb ..

sofas baratos - Sunday, December 4, 2011 1:05:18 AM

Comments have been disabled for this content.