Confirming which ASP.NET controls are vulnerable to XSS via the .Text property
/// <summary>
/// Test helper for capturing the markup a server control emits.
/// </summary>
public static class HtmlControls_ExtensionMethods
{
    /// <summary>
    /// Renders <paramref name="control"/> into an in-memory buffer and returns the buffer's contents.
    /// </summary>
    /// <param name="control">The control whose RenderControl output is captured.</param>
    /// <returns>
    /// Whatever the control wrote to the HtmlTextWriter. Nothing in this helper encodes or
    /// filters the markup, so the result shows exactly what the control itself emits.
    /// </returns>
    public static string renderControl(this Control control)
    {
        var output = new StringBuilder();

        using (var textSink = new StringWriter(output))
        {
            using (var markupWriter = new HtmlTextWriter(textSink))
            {
                control.RenderControl(markupWriter);
            }
        }

        // NOTE(review): str() is not defined in this listing; presumably a string-conversion
        // extension from the helper library the tests are built on.
        return output.str();
    }
}
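/// <summary>
/// NUnit fixture that checks whether HtmlTitle writes its Text property into the page
/// without HTML-encoding it.
/// </summary>
[TestFixture]
class XSS_Web_Controls
{
    /// <summary>
    /// Sets each payload as HtmlTitle.Text, renders the control, and asserts that the output
    /// is the title wrapper with the payload embedded byte-for-byte.
    /// </summary>
    /// <remarks>
    /// The expected value contains the raw payload, so a passing test means the control did
    /// NOT encode Text. Code that assigns untrusted data to this property has to encode it
    /// first (for example with HttpUtility.HtmlEncode).
    /// </remarks>
    [Test]
    public void HtmlTitle()
    {
        var html_Before = "<title>\r\n\t";
        var html_After = "\r\n</title>";

        // Builds a fresh control per payload so one case cannot influence the next.
        Func<string, string> render_Payload = payload =>
        {
            var htmlTitle = new HtmlTitle { Text = payload };
            return htmlTitle.renderControl();
        };

        // NOTE(review): assert_Is is not defined in this listing; presumably an equality
        // assertion from the helper library the tests are built on.
        Action<string> test_Payload = payload =>
            render_Payload(payload).assert_Is(html_Before + payload + html_After);

        // Attribute/tag metacharacters, a script element, and markup that closes the
        // enclosing title/head elements: three contexts where encoding would change the output.
        test_Payload("aa '\"> bb <b1> cc ");
        test_Payload("<script>alert(42)</script>");
        test_Payload("aaa</title></head><body><img src=xxx onerror=alert(42) />");
    }
}   // closing brace of the fixture was missing from the listing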
/// <summary>
/// Test helpers for checking how a server control renders the value of its Text property.
/// </summary>
public static class HtmlControls_ExtensionMethods
{
    /// <summary>
    /// Renders <paramref name="control"/> into an in-memory buffer and returns the buffer's contents.
    /// </summary>
    /// <param name="control">The control whose RenderControl output is captured.</param>
    /// <returns>The markup the control wrote; this helper applies no encoding of its own.</returns>
    public static string render_Control(this Control control)
    {
        var output = new StringBuilder();

        using (var textSink = new StringWriter(output))
        {
            using (var markupWriter = new HtmlTextWriter(textSink))
            {
                control.RenderControl(markupWriter);
            }
        }

        // NOTE(review): str() is not defined in this listing; presumably a string-conversion
        // extension from the helper library the tests are built on.
        return output.str();
    }

    /// <summary>
    /// Assigns <paramref name="text"/> to the control's Text property and returns the rendered markup.
    /// </summary>
    /// <typeparam name="T">Any Control subtype; Control itself declares no Text property.</typeparam>
    /// <param name="control">The control to populate and render.</param>
    /// <param name="text">Value handed to the property setter unchanged.</param>
    /// <returns>The output of <see cref="render_Control"/> after the assignment.</returns>
    public static string set_Text_and_Render_Control<T>(this T control, string text) where T : Control
    {
        // "set_Text" is the compiler-generated name of the Text property setter. It is called by
        // name because T is only constrained to Control.
        // NOTE(review): invoke() is not defined in this listing; what it does when the control
        // has no Text setter cannot be seen from here - confirm it fails loudly, otherwise a
        // control without the property would be rendered with no payload set.
        control.invoke("set_Text", text);

        var markup = control.render_Control();
        return markup;
    }

    /// <summary>
    /// Asserts that rendering the control with <paramref name="text"/> as its Text yields
    /// <paramref name="html_Before"/> + <paramref name="text"/> + <paramref name="html_After"/>.
    /// </summary>
    /// <remarks>
    /// The expected string embeds <paramref name="text"/> verbatim, so the assertion holds only
    /// when the control writes Text without HTML-encoding it.
    /// </remarks>
    /// <typeparam name="T">Any Control subtype.</typeparam>
    /// <param name="control">The control under test.</param>
    /// <param name="html_Before">Markup expected in front of the text.</param>
    /// <param name="html_After">Markup expected after the text.</param>
    /// <param name="text">The payload assigned to Text.</param>
    /// <returns>The same control instance, so calls can be chained.</returns>
    public static T assert_Text_Render<T>(this T control, string html_Before, string html_After, string text) where T : Control
    {
        var rendered = control.set_Text_and_Render_Control(text);
        var expected = html_Before + text + html_After;

        // NOTE(review): assert_Is is not defined in this listing; presumably an equality assertion.
        rendered.assert_Is(expected);

        return control;
    }
}
/// <summary>
/// NUnit fixture that checks, control by control, whether the Text property reaches the
/// rendered page without HTML encoding.
/// </summary>
/// <remarks>
/// Every expectation embeds the payload verbatim, so a passing test identifies a control that
/// does not encode Text. For those controls the calling code has to encode untrusted data
/// before assigning it (for example with HttpUtility.HtmlEncode).
/// </remarks>
[TestFixture]
class XSS_Web_Controls
{
    // Quote, angle-bracket and tag characters that an encoder would rewrite.
    private string payload_1 = "aa '\"> bb <b1> cc ";

    // A complete script element.
    private string payload_2 = "<script>alert(42)</script>";

    // Markup that closes the surrounding title/head elements before adding its own element.
    private string payload_3 = "aaa</title></head><body><img src=xxx onerror=alert(42) />";

    /// <summary>
    /// Runs the three payloads, in order, through the same control instance and asserts each
    /// one is rendered verbatim between the given wrapper strings.
    /// </summary>
    private void assert_All_Payloads_Render_Verbatim<T>(T control, string html_Before, string html_After) where T : Control
    {
        foreach (var payload in new[] { payload_1, payload_2, payload_3 })
        {
            control.assert_Text_Render(html_Before, html_After, payload);
        }
    }

    /// <summary>HtmlTitle: Text is expected between the title tags exactly as assigned.</summary>
    [Test]
    public void HtmlTitle()
    {
        assert_All_Payloads_Render_Verbatim(new HtmlTitle(), "<title>\r\n\t", "\r\n</title>");
    }

    /// <summary>Literal: Text is expected as the entire output, with no wrapper markup.</summary>
    /// <remarks>
    /// The control is tested with Literal.Mode left at its default; LiteralMode.Encode is the
    /// setting that makes a Literal HTML-encode its Text.
    /// </remarks>
    [Test]
    public void Literal()
    {
        assert_All_Payloads_Render_Verbatim(new Literal(), "", "");
    }

    /// <summary>LinkButton: Text is expected inside the anchor element exactly as assigned.</summary>
    [Test]
    public void LinkButton()
    {
        assert_All_Payloads_Render_Verbatim(new LinkButton(), "<a>", "</a>");
    }
}