JavaScript Injection in MVC

I set up a Hello World project based on the webcast found here.  I set up a model, a controller, and a view and tried to run a simple JavaScript injection to see if I could replicate the error.  However, I could not get the attack to work because MVC layers protection on out of the box.

This is great – but in the name of understanding, I started rolling back the protections to get my attack to work.  I first thought I had to add ValidateRequest="false" to my page and web.config, just as the error page directed.  I added this

<%@ Page Title="" ValidateRequest="false" Language="C#" …

to the page, but I got the same Server Error.  I checked the web.config and found that ValidateRequest is already off for the pages:

<add verb="*" path="*.mvc" validate="false" />

I then realized that I needed to disable validation on the controller, like this:

    [ValidateInput(false)]
    public class CommentsController : Controller

That got me closer – I could then enter tags and the data persisted to the database.

A quick glance at the auto-generated code in the View told me that Html.Encode is applied out of the box – which protects you from the script running (< becomes &lt;, etc.):

<%= Html.Encode(Model.CommentDesc) %>

Once I removed the encode statement, I got closer to the desired attack – the JavaScript was running on my page from the data in the database – however, the closing tag was not rendered, so I got an error.
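The two layers rolled back above (request validation via ValidateInput, and output encoding via Html.Encode in the view) can be seen in isolation without a web project. The following is an added example, not code from the original post or from ASP.NET MVC itself: a stand-alone C# console program. The IsDangerousInput check is a simplified approximation of what request validation rejects and is an assumption for illustration only; RenderComment mirrors what the generated view does with Html.Encode, using WebUtility.HtmlEncode. The sample comment is constructed.

```csharp
// Added example (not from the original post): a stand-alone console program that
// mirrors the two MVC defences walked through in the post, so the effect of each
// can be observed without a web project. The names IsDangerousInput, RenderComment
// and the sample comment are assumptions for illustration, not framework code.
using System;
using System.Net;
using System.Text.RegularExpressions;

static class CommentDefences
{
    // Simplified approximation (assumption, not the framework's own logic) of what
    // ASP.NET request validation rejects: a '<' followed by a letter, '!', '/' or '?',
    // or the start of a numeric character reference "&#". This is the layer that
    // [ValidateInput(false)] switches off on the controller.
    static readonly Regex Dangerous = new Regex(@"<[a-zA-Z!/?]|&#", RegexOptions.Compiled);

    public static bool IsDangerousInput(string value)
    {
        return value != null && Dangerous.IsMatch(value);
    }

    // What the generated view does with <%= Html.Encode(Model.CommentDesc) %>:
    // the stored text is HTML-encoded at output time, so the browser shows it as
    // text instead of parsing it as markup. With encode == false the stored value
    // is placed into the page verbatim, which is the state the post reached after
    // removing Html.Encode.
    public static string RenderComment(string storedComment, bool encode)
    {
        string body = encode ? WebUtility.HtmlEncode(storedComment) : storedComment;
        return "<p class=\"comment\">" + body + "</p>";
    }

    static void Main()
    {
        // Constructed sample: the kind of value that reaches the database once
        // request validation has been disabled on the controller.
        string comment = "Nice post <script>alert('xss')</script>";

        Console.WriteLine("Request validation would reject it: " + IsDangerousInput(comment));
        Console.WriteLine("Unencoded view: " + RenderComment(comment, encode: false));
        Console.WriteLine("Encoded view:   " + RenderComment(comment, encode: true));
    }
}
```

Compile with csc or run it in a console project; the encoded line shows the angle brackets turned into &lt; and &gt;, which is why the script never executed until the Html.Encode call was removed from the view.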

And the offending code looked like this:

I am at a high enough wall to stop this endeavor for now.  Suffice it to say, with the out-of-the-box features of MVC, sites should be reasonably protected from JavaScript injection.
