Stealing Secrets from Your Favorite Bloggers

I ran into this potential security risk while doing a security audit of Empower, our content management server that will be available for purchase in just a few short weeks, and it turns out to be a common hole that many tools and apps do not protect you from. Most modern web-based blogging tools, and a host of web site tools, include the ability to view referrer information for a given item. The problem is that these tools assume that the incoming URLs are valid, so they simply echo them to the screen. The Referer header is sent by the client, so it is attacker-controlled input like any other; an evil user can put script into the referrer string, and when the site owner views the referrer log that script runs in the owner's browser under the site's origin, where it can read domain-specific cookies (i.e. login info) and send them elsewhere.

If you want to see if you are vulnerable, you should go download the referrer spoofing tool over at http://home.wanadoo.nl/lc.staak/quickspoof.htm (and while you're at it, send Rory a nice google wierdos message :-) ). Enter something like http://hacked.com/<script>alert('you have been hacked');</script> as the referrer and see if you get a dialog box when you look at your referrer logs.

So... how do we fix this? If you are using a DataList or Repeater to echo the results, the simplest solution is to HtmlEncode values before sending them to the client, so that characters like < and > arrive as entities and the browser treats the referrer as text rather than markup:

Instead of:

<%# DataBinder.Eval(Container.DataItem, "Something") %>

Write:

<%# System.Web.HttpUtility.HtmlEncode(Convert.ToString(DataBinder.Eval(Container.DataItem, "Something"))) %>
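To make the before/after concrete outside of ASP.NET, here is an added example (not code from the post or from Empower) that renders a constructed referrer log two ways: echoing the raw values, and HTML-encoding them first. Python's html.escape stands in for HttpUtility.HtmlEncode; the sample referrer strings, including the script payload the post suggests testing with, are made up for the demonstration. It also adds one caveat the post does not cover: if your tool turns referrers into clickable links, encoding alone does not stop a javascript: URL, so the link helper only emits http and https schemes.

```python
import html
from urllib.parse import urlsplit

# Constructed sample referrer log (not a real capture). The third entry is
# the test payload from the post; the fourth tries to break out of an
# attribute instead of element content.
SAMPLE_REFERRERS = [
    "http://example.com/blog/",
    "http://example.org/links?x=1&y=2",
    "http://hacked.com/<script>alert('you have been hacked');</script>",
    'http://evil.example/"><img src=x onerror=alert(1)>',
]


def render_vulnerable(referrers):
    """Echo each Referer straight into the page, as the unpatched tools do."""
    return "\n".join(f"<li>{r}</li>" for r in referrers)


def render_encoded(referrers):
    """HTML-encode each value before emitting it (the fix described above).

    html.escape with quote=True encodes & < > " and ', so the value is inert
    both in element content and inside a quoted attribute.
    """
    return "\n".join(f"<li>{html.escape(r, quote=True)}</li>" for r in referrers)


def safe_href(referrer):
    """Return an attribute-safe href for the referrer, or None if it must not be linked.

    Encoding keeps the value from breaking out of the attribute, but a
    javascript: or data: URL is still dangerous as a link target, so only
    http and https referrers are linked at all.
    """
    scheme = urlsplit(referrer).scheme.lower()
    if scheme not in ("http", "https"):
        return None
    return html.escape(referrer, quote=True)


def contains_raw_tag(markup, tag="script"):
    """True if the rendered markup still contains a live <tag ...> opener."""
    return f"<{tag}" in markup.lower()


if __name__ == "__main__":
    print("--- vulnerable ---")
    print(render_vulnerable(SAMPLE_REFERRERS))
    print("--- encoded ---")
    print(render_encoded(SAMPLE_REFERRERS))
    for r in SAMPLE_REFERRERS + ["javascript:alert(document.cookie)"]:
        print(repr(r), "->", safe_href(r))
```

Run it and compare the two listings: the vulnerable one contains a live `<script>` element that the site owner's browser would execute when viewing the log, while the encoded one shows the same string as harmless `&lt;script&gt;` text.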
