An attacker can take advantage of inexperienced developers by looking for
cases in which Web Forms controls have been misused.
Causing XSS by Targeting ASP.Net Web Form Control Properties
Popularity: 8
Simplicity: 7
Impact: 8
Risk Rating: 9
One common mistake is believing that the default controls perform automatic
HTML encoding. While some controls do encode their output, many do not. If user data is
assigned directly to the text property of such a control, the result is usually a script injection vulnerability.
An example of a control that does not provide output encoding is the Label control.
This control is used to display text on a web page. When user data is assigned to the
Text property of the control, the data is inserted into the web page exactly as supplied. If an
attacker submits data containing script, an XSS vulnerability is the likely result.
HTML Encode User-supplied Data Before Assigning the Value to ASP.Net Web Form Control Output Properties
In contrast to the Label control, the DropDownList control HTML-encodes the text of
each ListItem when it renders the option elements. This means that user data can be placed into a
DropDownList without the possibility of script injection, and encoding it a second time would only
produce double-encoded output.
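The Label and DropDownList behaviour described above, shown side by side in a Web Forms code-behind class. This is an added example and not code from the book; the page name Greeting.aspx, the control IDs lblName and ddlNames, and the name query-string parameter are assumed for illustration.

```csharp
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Assumed markup in Greeting.aspx:
//   <asp:Label ID="lblName" runat="server" />
//   <asp:DropDownList ID="ddlNames" runat="server" />
public partial class Greeting : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Attacker-controlled input, e.g. ?name=<script>alert(document.cookie)</script>
        string name = Request.QueryString["name"] ?? string.Empty;

        // VULNERABLE: Label.Text is written into the response verbatim,
        // so the <script> tag above is rendered as live markup.
        lblName.Text = "Hello, " + name;

        // FIXED: HTML-encode before assigning to the output property.
        // '<' becomes &lt;, '>' becomes &gt;, '"' becomes &quot;, '&' becomes &amp;.
        lblName.Text = "Hello, " + HttpUtility.HtmlEncode(name);

        // DropDownList encodes each ListItem's Text itself when rendering
        // the <option> elements, so the raw value can be added here.
        ddlNames.Items.Add(new ListItem(name));
    }
}
```

To confirm the fix, request the page with a value such as ?name=%3Cscript%3Ealert(1)%3C/script%3E and view the source: the encoded page shows &lt;script&gt; rather than a script element. Two caveats: HtmlEncode is the right encoder only for HTML body text; a value placed into an attribute or a JavaScript block needs HttpUtility.HtmlAttributeEncode or HttpUtility.JavaScriptStringEncode instead. And ASP.Net request validation will reject obvious payloads like this one by default, but it is a deny-list that can be disabled per page or per application, so it is not a substitute for encoding at the point of output.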