Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Garrett Fisher 341 posts 496 karma points
    Dec 14, 2015 @ 21:16
    Garrett Fisher
    0

    Handling Querystring HTML/Comment Attacks

    Hey Umbraco pros!

    A client of ours has run a security scan on a site we've built for them in Umbraco 6.2.5 and what they deem to be a blocker issue has come up in the scan.

    When requesting any URL in the site with a querystring which includes HTML (specifically, in this case, an HTML comment), by any means other than a browser, for example wFetch, a YSOD is returned from the server, stating,

    "A potentially dangerous Request.Querystring was detected from the client (upc="<!--")."
    

    We already have custom error handling in place in the web.config which works fine in various other scenarios -- but sadly, not in this case. To reiterate: the custom error handling does work using a browser but not via direct HTTP.

    Does anyone out there have any experience on how to prevent this kind of attack in Umbraco? It's new to me and I haven't managed to find anything useful on the Googles regarding the issue. Any help or advice you could offer would be greatly appreciated!

    Thanks in advance,

    Garrett

  • Marc Goodson 2126 posts 14218 karma points MVP 8x c-trib
    Dec 15, 2015 @ 09:19
    Marc Goodson
    0

    Hi Garrett

    What you are falling fowl of is ASP.Net's Request Validation:

    https://msdn.microsoft.com/library/hh882339%28v=vs.100%29.aspx?f=255&MSPPError=-2147217396

    to protect you from malicious html injected attacks.

    The article above shows how to turn this off, however you probably want to keep it in place and just handle the error more gracefully to the user,

    You can do this by handling the error at the application level (https://msdn.microsoft.com/en-gb/library/24395wz3(v=vs.100).aspx)

    eg

     void Application_Error(object sender, EventArgs e)
            {
                Exception ex = Server.GetLastError();
    
               if (ex is HttpRequestValidationException)
                {
                    Response.Clear();
                    Response.StatusCode = 200;
                    Response.Write(@"
    <html><head><title>HTML Not Allowed</title>
    <script language='JavaScript'><!--
    function back() { history.go(-1); } //--></script></head>
    <body style='font-family: Arial, Sans-serif;'>
    <h1>Oops!</h1>
    <p>I'm sorry, but HTML entry is not allowed on that page.</p>
    <p>Please make sure that your entries do not contain 
    any angle brackets like &lt; or &gt;.</p>
    <p><a href='javascript:back()'>Go back</a></p>
    </body></html>
    ");
                    Response.End();
                }
            }
    
  • Garrett Fisher 341 posts 496 karma points
    Dec 15, 2015 @ 13:31
    Garrett Fisher
    0

    Thanks for your reply, Marc!

    Yes, we definitely want to keep this in place and choose what to show the user, that is the goal. Specifically, they want to just redirect to a 404, the same thing we do in the custom error handling.

    It seems from the above that I would need the Umbraco source, though? I can't seem to locate the C# codebehind file (Global.asax.cs) in my project. I'm sorry but I think I need a bit more hand-holding with regards to how to go about implementing this. For starters, this code would need to be compiled, wherever it lives, yes?

    //Garrett

  • Marc Goodson 2126 posts 14218 karma points MVP 8x c-trib
    Dec 15, 2015 @ 17:03
    Marc Goodson
    0

    Hi Garrett

    You should have a global.asax file in the root of the site, if you open it up you should see something like the following:

    <%@ Application Inherits="Umbraco.Web.UmbracoApplication" Language="C#" %>
    

    ie by default the global.asax currently takes it's code from the UmbracoApplication class.

    So if you create a new class (are you using Visual Studio ?) that inherits from Umbraco.Web.UmbracoApplication; and set this in the global.asax, you can then override 'onApplicationError'... to fish for the HttpRequestValidationException.

    eg: your custom global class would I think probably look something like this:

    namespace MyLovelyNamespace
    {
        public class MyLovelyGlobal : UmbracoApplication
        {
            protected override void OnApplicationError(object sender, EventArgs e)
            {
                var error = HttpContext.Current.Server.GetLastError();
    

    if (error is HttpRequestValidationException){ Response.Clear(); Response.StatusCode =404; Response.End(); //or redirect to friendly page } } } }

    and you would update your global.asax to inherit from this custom class

    <%@ Application Codebehind="Global.asax.cs" Inherits="MyLovelyNamespace.MyLovelyGlobal" Language="C#" %>
    

    if that makes sense ?

  • Garrett Fisher 341 posts 496 karma points
    Dec 15, 2015 @ 17:11
    Garrett Fisher
    0

    It does make sense, yes it does :) In particular, the code. However, to back up our perspective a little here, where would this class live, and would I need to start with the entire Umbraco source and recompile it, or can it be done as its own "plug-in" assembly? Am I even asking this coherently? This is beyond the scope of what I've so far done with Umbraco.

    Thank you again Marc,

    Garrett

  • Garrett Fisher 341 posts 496 karma points
    Dec 16, 2015 @ 16:43
    Garrett Fisher
    0

    Where shall I create my custom global class?

    //Garrett

  • Garrett Fisher 341 posts 496 karma points
    Dec 16, 2015 @ 17:06
    Garrett Fisher
    0

    I created the class in ~/App_Code/Global.asax.cs but am getting a compilation error saying:

    The type or namespace name 'EventArgs' could not be found (are you missing a using directive or an assembly reference?)
    

    My ~/App_Code/Global.asax.cs file contents:

    namespace MyLovelyNamespace
    {
        public class MyLovelyGlobal : Umbraco.Web.UmbracoApplication
        {
            protected override void OnApplicationError(object sender, EventArgs e)
            {
                var error = HttpContext.Current.Server.GetLastError();
                if (error is HttpRequestValidationException){
                    Response.Clear();
                    Response.StatusCode = 404;
                    Response.End(); //or redirect to friendly page
                }
            }
        } 
    }
    

    What am I doing wrong?

    Thanks again,

    Garrett

  • Marc Goodson 2126 posts 14218 karma points MVP 8x c-trib
    Dec 17, 2015 @ 07:53
    Marc Goodson
    0

    Hi Garrett

    It depends on how you have your site setup for development / web application / website, as to where this code would go in your existing setup...

    You don't need to download the source of Umbraco to be enable you to inherit from this class.

    Maybe it will be more straightforward for you to create a new class library / web application project in Visual Studio outside of your site project; add the umbracoCMS core dlls using Nuget:

    https://www.nuget.org/packages/UmbracoCms.Core/6.2.5

    Then add the custom global class code: compile, and drop the compiled dll into the bin folder of your website, adjust the global.asax inherits statement of the website to point to the namespace&class of your custom global code.

    I've created an example solution here, which eventually seemed to work...

    https://www.dropbox.com/s/pio8xonexwcd3ro/CustomGlobal.zip?dl=0

    if that gives you the gist / starting point.

    cheers

    Marc

  • Garrett Fisher 341 posts 496 karma points
    Dec 17, 2015 @ 15:56
    Garrett Fisher
    100

    Wow, I cannot thank you enough for the deep dive, Marc! This is fantastic as a learning tool. This is what I'll follow depending on your reaction to what i am about to tell you.

    In regards to my last comment and the error I was getting, I added the following line inside ~/App_Code/Global.asax.cs (new file):

    if (error is HttpRequestValidationException) {
         HttpContext.Current.Server.ClearError();
         .....
    }
    

    And now when I add the querystring containing the offending HTML, the application-level error we've been talking about is apparently caught because it is now redirecting to the specified 404 page instead of showing the ("potentially dangerous Request.Querystring was detected") YSOD.

    I am not one to look a gift horse in the mouth, but may I ask why this would work, given that I did not compile anything?

    Continued thanks,

    Garrett

  • Marc Goodson 2126 posts 14218 karma points MVP 8x c-trib
    Dec 18, 2015 @ 14:21
    Marc Goodson
    1

    Hi Garrett

    The App_Code folder is a magic folder!!

    This article I think explains it well-ish:

    http://vishaljoshi.blogspot.co.uk/2009/07/appcode-folder-doesnt-work-with-web.html

    regards

    Marc

  • Garrett Fisher 341 posts 496 karma points
    Dec 18, 2015 @ 17:43
    Garrett Fisher
    0

    I get it. It's specifically designed to override at runtime. Exactly what I needed. But your mock solution will be VERY helpful for me as a building block in my Umbraco learning. Thank you again, Marc. I sincerely appreciate the extra mile. CHEERS!

    //Garrett

  • Garrett Fisher 341 posts 496 karma points
    Feb 17, 2016 @ 13:17
    Garrett Fisher
    0

    Hey @marcemarc!

    Do you mind taking a look at this issue?

    https://our.umbraco.org/forum/developers/extending-umbraco/75095-magic-app_code-folder-and-codebehinds-with-masterpages

    I'm sort of stuck because I feel like I'm doing this correctly....

    //Garrett

Please Sign in or register to post replies

Write your reply to:

Draft