A client of ours has run a security scan on a site we've built for them in Umbraco 6.2.5 and what they deem to be a blocker issue has come up in the scan.
When requesting any URL in the site with a querystring which includes HTML (specifically, in this case, an HTML comment), by any means other than a browser, for example wFetch, a YSOD is returned from the server, stating,
"A potentially dangerous Request.Querystring was detected from the client (upc="<!--")."
We already have custom error handling in place in the web.config which works fine in various other scenarios -- but sadly, not in this case. To reiterate: the custom error handling does work using a browser but not via direct HTTP.
Does anyone out there have any experience on how to prevent this kind of attack in Umbraco? It's new to me and I haven't managed to find anything useful on the Googles regarding the issue. Any help or advice you could offer would be greatly appreciated!
What you are falling foul of is ASP.NET's Request Validation (https://msdn.microsoft.com/library/hh882339%28v=vs.100%29.aspx?f=255&MSPPError=-2147217396), which is there to protect you from malicious HTML injection attacks.
The article above shows how to turn this off; however, you probably want to keep it in place and just handle the error more gracefully for the user.
You can do this by handling the error at the application level (https://msdn.microsoft.com/en-gb/library/24395wz3(v=vs.100).aspx)
eg
```csharp
// Goes in Global.asax (or its code-behind). Runs for every unhandled exception.
void Application_Error(object sender, EventArgs e)
{
    Exception ex = Server.GetLastError();
    if (ex is HttpRequestValidationException)
    {
        // Clear the error so ASP.NET does not go on to render its own error page (the YSOD).
        Server.ClearError();
        Response.Clear();
        Response.StatusCode = 200;
        // Static body only: never echo the rejected request value back into the page.
        Response.Write(@"
<html><head><title>HTML Not Allowed</title>
<script type='text/javascript'><!--
function back() { history.go(-1); } //--></script></head>
<body style='font-family: Arial, Sans-serif;'>
<h1>Oops!</h1>
<p>I'm sorry, but HTML entry is not allowed on that page.</p>
<p>Please make sure that your entries do not contain
any angle brackets like &lt; or &gt;.</p>
<p><a href='javascript:back()'>Go back</a></p>
</body></html>
");
        Response.End();
    }
}
```
Yes, we definitely want to keep this in place and choose what to show the user, that is the goal. Specifically, they want to just redirect to a 404, the same thing we do in the custom error handling.
It seems from the above that I would need the Umbraco source, though? I can't seem to locate the C# codebehind file (Global.asax.cs) in my project. I'm sorry but I think I need a bit more hand-holding with regards to how to go about implementing this. For starters, this code would need to be compiled, wherever it lives, yes?
You should have a global.asax file in the root of the site; by default it takes its code from the UmbracoApplication class.
So if you create a new class (are you using Visual Studio?) that inherits from Umbraco.Web.UmbracoApplication and set this in the global.asax, you can then override 'OnApplicationError' to fish for the HttpRequestValidationException.
eg: your custom global class would I think probably look something like this:
```csharp
using System;
using System.Web;
using Umbraco.Web;

namespace MyLovelyNamespace
{
    // Replaces Umbraco.Web.UmbracoApplication as the type global.asax inherits from.
    public class MyLovelyGlobal : UmbracoApplication
    {
        protected override void OnApplicationError(object sender, EventArgs e)
        {
            var error = HttpContext.Current.Server.GetLastError();
            if (error is HttpRequestValidationException)
            {
                // Clear the error so ASP.NET does not go on to render its own error page.
                Server.ClearError();
                Response.Clear();
                Response.StatusCode = 404;
                Response.End();
                // or redirect to friendly page
            }
        }
    }
}
```
and you would update your global.asax to inherit from this custom class
It does make sense, yes it does :) In particular, the code. However, to back up our perspective a little here, where would this class live, and would I need to start with the entire Umbraco source and recompile it, or can it be done as its own "plug-in" assembly? Am I even asking this coherently? This is beyond the scope of what I've so far done with Umbraco.
It depends on how you have your site set up for development (web application / website) as to where this code would go in your existing setup...
You don't need to download the source of Umbraco to enable you to inherit from this class.
Maybe it will be more straightforward for you to create a new class library / web application project in Visual Studio outside of your site project; add the umbracoCMS core dlls using NuGet: https://www.nuget.org/packages/UmbracoCms.Core/6.2.5
Then add the custom global class code, compile, and drop the compiled dll into the bin folder of your website; adjust the global.asax Inherits statement of the website to point to the namespace & class of your custom global code.
I've created an example solution here, which eventually seemed to work... https://www.dropbox.com/s/pio8xonexwcd3ro/CustomGlobal.zip?dl=0
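Putting the two replies above together, here is a complete, self-contained version of the custom global class plus the global.asax directive that points the site at it. This is an added example, not Marc's posted code, his sample solution, or Umbraco's own; the namespace and class names follow the thread, while the 404 body, the early return for other exceptions, and the use of TrySkipIisCustomErrors are my assumptions.

```csharp
// global.asax in the site root: change the Inherits attribute from the default
// "Umbraco.Web.UmbracoApplication" to the custom class below, e.g.
//   <%@ Application Inherits="MyLovelyNamespace.MyLovelyGlobal" Language="C#" %>
//
// Build this file into a class library referencing the UmbracoCms.Core 6.2.5 package
// and copy the dll into ~/bin, or drop the .cs file into ~/App_Code for runtime compilation.
using System;
using System.Web;
using Umbraco.Web;

namespace MyLovelyNamespace
{
    public class MyLovelyGlobal : UmbracoApplication
    {
        protected override void OnApplicationError(object sender, EventArgs e)
        {
            HttpContext context = HttpContext.Current;
            Exception error = context.Server.GetLastError();

            // Only handle request-validation rejections here; every other error keeps
            // going through the web.config customErrors handling already in place.
            if (!(error is HttpRequestValidationException))
            {
                return;
            }

            // Clear the error BEFORE writing the response. Without this ASP.NET still
            // treats the request as failed and renders its own error page (the YSOD),
            // which is exactly what a non-browser client such as a scanner then sees.
            context.Server.ClearError();

            HttpResponse response = context.Response;
            response.Clear();
            response.StatusCode = 404;
            // Keep our body rather than letting IIS substitute its own 404 page.
            response.TrySkipIisCustomErrors = true;
            response.ContentType = "text/html";
            // Assumed minimal body. Serve the site's real 404 page here if preferred,
            // but never write the rejected query-string value back into the response.
            response.Write("<!DOCTYPE html><html><head><title>Not found</title></head>"
                         + "<body><h1>Page not found</h1></body></html>");
            // Ends the response so nothing further in the pipeline runs for this request.
            response.End();
        }
    }
}
```

Request validation itself stays switched on: the offending query string is still rejected, only the error response changes. After deploying, repeat the scanner's check from a non-browser client, for example `curl -i "http://<your-site>/?upc=%3C!--"` (site address is a placeholder), and confirm the status line is `404` rather than a `500` carrying the YSOD.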
Wow, I cannot thank you enough for the deep dive, Marc! This is fantastic as a learning tool. This is what I'll follow depending on your reaction to what I am about to tell you.
In regards to my last comment and the error I was getting, I added the following line inside ~/App_Code/Global.asax.cs (new file):
```csharp
if (error is HttpRequestValidationException) {
    HttpContext.Current.Server.ClearError();
    // ...
}
```
And now when I add the querystring containing the offending HTML, the application-level error we've been talking about is apparently caught because it is now redirecting to the specified 404 page instead of showing the ("potentially dangerous Request.Querystring was detected") YSOD.
I am not one to look a gift horse in the mouth, but may I ask why this would work, given that I did not compile anything?
I get it. It's specifically designed to override at runtime. Exactly what I needed. But your mock solution will be VERY helpful for me as a building block in my Umbraco learning. Thank you again, Marc. I sincerely appreciate the extra mile. CHEERS!
Handling Querystring HTML/Comment Attacks
Hi Garrett
What you are falling foul of is ASP.NET's Request Validation:
https://msdn.microsoft.com/library/hh882339%28v=vs.100%29.aspx?f=255&MSPPError=-2147217396
Hi Garrett
You should have a global.asax file in the root of the site; if you open it up you should see that it inherits from the UmbracoApplication class.
Where shall I create my custom global class?
//Garrett
I created the class in ~/App_Code/Global.asax.cs but am getting a compilation error saying:
My ~/App_Code/Global.asax.cs file contents:
What am I doing wrong?
Thanks again,
Garrett
Hi Garrett
Maybe it will be more straightforward for you to create a new class library / web application project in Visual Studio outside of your site project; add the umbracoCMS core dlls using Nuget:
https://www.nuget.org/packages/UmbracoCms.Core/6.2.5
I've created an example solution here, which eventually seemed to work...
https://www.dropbox.com/s/pio8xonexwcd3ro/CustomGlobal.zip?dl=0
if that gives you the gist / starting point.
cheers
Marc
Hi Garrett
The App_Code folder is a magic folder!!
This article I think explains it well-ish:
http://vishaljoshi.blogspot.co.uk/2009/07/appcode-folder-doesnt-work-with-web.html
regards
Marc
Hey @marcemarc!
Do you mind taking a look at this issue?
https://our.umbraco.org/forum/developers/extending-umbraco/75095-magic-app_code-folder-and-codebehinds-with-masterpages
I'm sort of stuck because I feel like I'm doing this correctly....
//Garrett