Confirming which ASP.NET Web Forms controls render their .Text property without HTML encoding — i.e. which ones become an XSS sink when .Text is assigned untrusted input (each test below passes when the payload is rendered verbatim).
public static class HtmlControls_ExtensionMethods
{
    /// <summary>
    /// Renders <paramref name="control"/> through an <see cref="HtmlTextWriter"/> and
    /// returns the produced markup as a string.
    /// </summary>
    /// <remarks>
    /// This is the raw output of <c>Control.RenderControl</c>: nothing is added, removed
    /// or encoded on the way out, so the result is exactly what the control would write
    /// into the response. That is what makes it usable for checking whether a control
    /// HTML-encodes its <c>.Text</c> property. Not null-safe: a null control throws.
    /// </remarks>
    /// <param name="control">The control to render.</param>
    /// <returns>The rendered markup.</returns>
    public static string renderControl(this Control control)
    {
        var output = new StringBuilder();
        using (var textWriter = new StringWriter(output))
        {
            // Disposing the HtmlTextWriter flushes anything buffered into textWriter
            // before the StringBuilder is read.
            using (var htmlWriter = new HtmlTextWriter(textWriter))
            {
                control.RenderControl(htmlWriter);
            }
        }
        return output.str();
    }
}
[TestFixture]
class XSS_Web_Controls
{
    /// <summary>
    /// Checks that <c>HtmlTitle</c> writes its <c>.Text</c> value into the rendered
    /// markup unchanged.
    /// </summary>
    /// <remarks>
    /// The expected string is the raw payload concatenated between the control's opening
    /// and closing markup, so the assertion PASSES when the control performs no HTML
    /// encoding. A green test therefore documents that <c>HtmlTitle.Text</c> is an XSS
    /// sink when assigned untrusted input: callers must encode first (e.g.
    /// <c>HttpUtility.HtmlEncode</c>). The third payload shows the practical impact —
    /// it closes the title and head and injects an element carrying an event handler.
    /// NOTE(review): the expected whitespace ("\r\n\t" / "\r\n") is what the writer
    /// emitted where this was run; confirm it still matches under a different
    /// newline setting before blaming encoding for a failure.
    /// </remarks>
    [Test]
    public void HtmlTitle()
    {
        const string openingMarkup = "<title>\r\n\t";
        const string closingMarkup = "\r\n</title>";

        assertHtmlTitleRendersRaw("aa '\"> bb <b1> cc ", openingMarkup, closingMarkup);
        assertHtmlTitleRendersRaw("<script>alert(42)</script>", openingMarkup, closingMarkup);
        assertHtmlTitleRendersRaw("aaa</title></head><body><img src=xxx onerror=alert(42) />", openingMarkup, closingMarkup);
    }

    // Renders a fresh HtmlTitle whose Text is the payload and asserts the payload
    // appears verbatim between the expected opening and closing markup.
    private static void assertHtmlTitleRendersRaw(string payload, string openingMarkup, string closingMarkup)
    {
        var title = new HtmlTitle { Text = payload };
        var rendered = title.renderControl();
        rendered.assert_Is(openingMarkup + payload + closingMarkup);
    }
}
public static class HtmlControls_ExtensionMethods
{
    /// <summary>Renders <paramref name="control"/> and returns the resulting markup.</summary>
    /// <remarks>
    /// Raw <c>Control.RenderControl</c> output: nothing is encoded or altered here, so the
    /// string is exactly what the control would write into the response. Not null-safe.
    /// </remarks>
    /// <param name="control">The control to render.</param>
    /// <returns>The rendered markup.</returns>
    public static string render_Control(this Control control)
    {
        var markup = new StringBuilder();
        using (var textWriter = new StringWriter(markup))
        using (var htmlWriter = new HtmlTextWriter(textWriter))
        {
            control.RenderControl(htmlWriter);
        }
        // Both writers are disposed (and so flushed) by the time we read the builder.
        return markup.str();
    }

    /// <summary>Assigns <paramref name="text"/> to the control's <c>Text</c> property, then renders it.</summary>
    /// <remarks>
    /// The property is set through reflection (<c>invoke("set_Text", ...)</c>) because
    /// <c>Text</c> is not a member of <see cref="Control"/> and the Web Forms controls
    /// share no interface that exposes it. NOTE(review): behaviour for a control with no
    /// settable <c>Text</c> depends on the <c>invoke</c> helper, which is not shown here —
    /// verify it fails loudly rather than leaving the control untouched, otherwise the
    /// later assertion reports a misleading markup mismatch.
    /// </remarks>
    /// <param name="control">The control whose Text is set and rendered.</param>
    /// <param name="text">The value assigned to Text, unmodified.</param>
    /// <returns>The markup produced after the assignment.</returns>
    public static string set_Text_and_Render_Control<T>(this T control, string text) where T : Control
    {
        control.invoke("set_Text", text);
        return control.render_Control();
    }

    /// <summary>
    /// Asserts that rendering the control with <paramref name="text"/> yields
    /// <paramref name="html_Before"/> + <paramref name="text"/> + <paramref name="html_After"/>,
    /// i.e. that the text is emitted verbatim rather than HTML-encoded.
    /// </summary>
    /// <remarks>
    /// The assertion passes precisely when the control does NOT encode its <c>Text</c>;
    /// a passing check documents an XSS sink, not safe behaviour. The control is returned
    /// so several payloads can be chained against the same instance.
    /// </remarks>
    public static T assert_Text_Render<T>(this T control, string html_Before, string html_After, string text) where T : Control
    {
        var actual = control.set_Text_and_Render_Control(text);
        var expected = html_Before + text + html_After;
        actual.assert_Is(expected);
        return control;
    }
}
/// <summary>
/// Documents which Web Forms controls emit their <c>.Text</c> property into the page
/// without HTML encoding. Each test passes when the payload comes back verbatim, so a
/// green test here means the control IS an XSS sink when <c>.Text</c> is assigned
/// untrusted input and callers must encode first (e.g. <c>HttpUtility.HtmlEncode</c>).
/// Should a control ever start encoding, its test fails — the cue to re-audit call sites
/// that were relying on the raw behaviour.
/// </summary>
[TestFixture]
class XSS_Web_Controls
{
    // Checked in this order. They show, in turn: tag/attribute metacharacters surviving,
    // a script element surviving, and a break-out that closes <title>/<head> and injects
    // an element with an event handler.
    private readonly string[] payloads =
    {
        "aa '\"> bb <b1> cc ",
        "<script>alert(42)</script>",
        "aaa</title></head><body><img src=xxx onerror=alert(42) />"
    };

    /// <summary>HtmlTitle.Text is written unencoded as the content of the title element.</summary>
    [Test]
    public void HtmlTitle()
    {
        assertAllPayloadsRenderRaw(new HtmlTitle(), "<title>\r\n\t", "\r\n</title>");
    }

    /// <summary>Literal.Text is written unencoded with no surrounding markup at all.</summary>
    [Test]
    public void Literal()
    {
        assertAllPayloadsRenderRaw(new Literal(), "", "");
    }

    /// <summary>LinkButton.Text is written unencoded as the anchor's content.</summary>
    [Test]
    public void LinkButton()
    {
        assertAllPayloadsRenderRaw(new LinkButton(), "<a>", "</a>");
    }

    // Sets each payload on the same control instance and asserts it is rendered verbatim
    // between html_Before and html_After. The first payload that gets encoded is the one
    // reported, since the loop stops at the first failed assertion.
    private void assertAllPayloadsRenderRaw<T>(T control, string html_Before, string html_After) where T : Control
    {
        foreach (var payload in payloads)
        {
            control.assert_Text_Render(html_Before, html_After, payload);
        }
    }
}