XSS Attacks in ASP.NET Core

Captions
Welcome to the Raw Coding YouTube channel. My name is Anton, and today we're going to take a look at cross-site scripting. It's an attack vector where the attacker is capable of executing JavaScript remotely using your application. There is another attack vector that is currently happening, with the sun slowly looming over my window, so I don't have too much time to record this video, as I'm not going to be able to see my screen. There's quite a bit of material out there on cross-site scripting, so I'm going to specifically focus on what can happen in the .NET world: what is handled, what's not handled, and what specifically you need to watch out for to make sure that perhaps you don't have cross-site scripting vulnerabilities in your application. Don't forget, if you're enjoying the video, like and subscribe; that helps out the channel massively. If you have any questions or want to join the community, go ahead and join the Discord server; the link is in the description, alongside my shop and courses. Go ahead and check them out. Thank you for tuning in, and let's get started. Using "tuning in" at the beginning already... I don't know, whatever.

Here's the web application. We have a couple of scenarios, and then we have the Program.cs file, which is just the main Program.cs file. The things that we have here: we're adding SignalR and Razor Pages. We then have a regular endpoint to get some information out of the database. So I didn't add a database specifically; all I have is a static field that I can edit. This is meant to emulate something being stored in the database, so whenever you see us interacting with the user, just understand that that is meant to simulate interacting with the database. We then have a chat hub, where it's pretty much a copy-paste from their documentation of us building a chat application. If you want to learn more about SignalR, I have a whole playlist covering multiple scenarios, so go ahead and check it out; the link will be in the description. We then have a couple of endpoints for either updating the name or updating the image, and then we map Razor Pages and hubs.

Let's close this off and open up Index and just take a look at how cross-site scripting happens. Here you can see that if the message is not null, go ahead and display the raw message. If I open up Index and Index.cshtml, this is a typical thing that you could see sometimes, where an action happens on one page, you redirect to another page, and you want to send some kind of message along, like "success", "well done", "step completed", "order placed", whatever message you decide to pass along from one page to another through the query. That can potentially be abused by an attacker, but it depends on how you implement it. So over here we're just saying template raw HTML. OK, I have the web application running. Here we are on the index page, and let's say I do something along the lines of message equals hello; we'll just see that this is being templated in, right? And if I say that it's a paragraph (hopefully none of you are putting HTML in your query strings), this sort of thing will happen. Now there is another file over here called the danger zone, and it's pretty much executing something along the lines of this, where you have your script tag. We want to grab this, we'll come back to the browser, we will execute this here, and we will get a URI-encoded script HTML element. And if we pass this into this message query, we go here and we can see that whatever JavaScript was in there got injected. This is the premise: I have a script element, I have my JavaScript over here, and as long as I can execute this alert, I can execute any JavaScript. So to test for vulnerabilities you don't need a lot.

And if you're still wondering, "well, you can execute JavaScript remotely, and if you just have this alert, I still can't see what the problem is with being able to execute JavaScript remotely", well, let's say you're using your banking application and somebody sends you JavaScript remotely and forces you to send money across to another account without you even taking any actions. I remember there was a situation with chess.com where you could essentially send a chat message, and through that chat message you could force your opponent to resign, which basically means you win the game. So not only can you execute fetch requests, you can essentially script interactions with the page and perform actions on behalf of the user who is using the page. So hopefully it is clear that even if you are only capable of checking whether an alert is possible through cross-site scripting, that opens up doors for tons and tons of vulnerabilities.

In this situation we're doing something silly: we are specifically saying go ahead and print raw HTML. What Razor Pages and many other library or framework vendors will actually do is they will prevent cross-site scripting. And cross-site scripting is analogous to SQL injection; you can think of this as script injection. Here we're essentially using the equivalent of string interpolation in our SQL query. OK, if you do something along the lines of this, where you're saying Model.Message and you're not using just straight-up raw HTML that you're putting in there, with that refreshed you just get text, right? Nothing is happening over here; ASP.NET Core basically handles it.

Closing this off, let's go to the attack vector via database. So this is where we're trying to display a customer's name, and again, please note we're using Html.Raw, and that is because there is sometimes a notion of pre-rendering whatever you're going to display. I know not many people do it, but it is sometimes happening. If you think back to a lot of jQuery stuff where you had HTML being rendered on the back end and then you just insert that HTML, that is essentially a cross-site scripting all-you-can-eat buffet. So anyway, here we're going to update the name. So let's come back, we're going to go to via database, here we can see we're welcoming Tony. If I grab the endpoint, API update name, come back over here [inaudible], so we've updated the name. We refresh, and the script tag has been templated into HTML and executed by the browser. Not good. Hopefully a lot of you are just using APIs and are returning data, and all of your data is rendered through React or Vue.js or something along the lines of that. Again, if we wouldn't rely on the HTML coming from the back end, this attack vector doesn't work. So again, string interpolation bad; Html.Raw is essentially string interpolation but for HTML, HTML interpolation if you want to call it that.

OK, so closing via database, let's take a look at via database and image. So we're doing two things here. We have an image that we're just trying to display from the database, and it looks fairly harmless, although it can be exploited depending on how you use this. The other scenario that I have over here in the danger zone is you have an image, you don't specify the source, and then you put the onerror clause where the script gets executed. The way that you basically add this script to something like this is the same way that SQL injection works. Again, think about SQL injection, JavaScript injection, almost the same thing. In the Program.cs over here I am displaying the image, and if the attacker is somehow capable of basically setting the URL, escaping it, and then providing the JavaScript over here, so you can imagine the same way that an SQL query will get closed off, you will get a quote somewhere in the middle here and then the rest of the HTML will follow. But again, the ASP.NET Core framework is actually good at handling this sort of stuff. So let's take a look at how this looks. We're going to come back to the browser, via database image, there I am. So update image, where we'll come back, refresh, and there is... so the image just doesn't get displayed. If we take a look at the element, it will escape the strings, and this will just essentially be one big string, and the onerror will not be placed as an additional attribute on the image element.

Now if you're coming from the raw JavaScript side, this is going to be the next thing. Over here we have a couple of things. We have the same scenario as in Index, we're just basically trying to pass in some script that we're going to assign to some innerHTML. We then try to fetch the user securely and append the image, or we try to fetch the user unsecurely. And here the lesson is pretty much: are you opting in for string HTML/SQL interpolation, where injection is possible, or are you using the APIs provided to you properly? Let's take a look at the effect. So first of all, let's try to send something to here. So via JS, nothing in the URL. We're going to come to the danger zone, we're going to grab this message over here, we're going to say question mark message, and I already have the query over there. But here's what happens: so if we take a look at the div, this is the regular script, and in the div target where stuff should have been appended we have the p and the script. So even though you're templating in the innerHTML over here, modern browsers are generally good at figuring out that you're adding a script tag, and that is not going to be executed. However, if we try to now fetch user secure, again we will be appending an image to the target. We're going to go to console, fetch user secure, but we'll see that there is this image, and the same effect as we've seen with Razor Pages, where it's purely just the string that is added to the src. If you're relying on proper APIs, in this case it's document.createElement, setAttribute, append, all is good. If you just say target.innerHTML and just interpolate the HTML element, nothing is actually stopping the person from inserting the image with the injected message into that. That is just asking for trouble. So let's take a look at the console, fetch user unsecure, execute this, and we got injected. So nothing actually stops the attacker from passing this image element with injected JavaScript into the innerHTML over here; it's just a different way to execute JavaScript. So if we take this over here and we replace the script tag with the image tag, we are still capable of injecting JavaScript. So again, the moral of the story is rely on the framework and avoid string interpolation; frameworks will generally try to handle JavaScript injection for you.

Also, the sun injection on my screen is getting pretty mad, so let's move on over to SignalR. Pretty much more of the same here. We have a page where we're going to be putting in messages, we're establishing a connection, we're then accepting a message, and what we're doing is we're just appending a child. Here we can note that we're using the proper document API and we're assigning the textContent. The send function over here is what we're going to use to send the message to the back end, so to Program.cs. We'll send the message over here and then we'll distribute the message back to the clients. So we will accept the message over here, and then it's all just appended to this li element, and then it's going to go into this ul. All right, so let's come back, let's go to via SignalR, console. I'm going to use send to send a test message. Cool. If we come back now, we go to the danger zone, we grab the script. Are we capable of sending this script across? Backticks over here, so we send the full script, and there is the script. So that's all good, and basically the moral of the story here is that you're injecting this as text and it will just be rendered as text. OK, if you decide to be smart, or you just don't know, and you're like "oh, I'm going to send HTML from my back end", duplicate the textContent, we'll comment this out and we will set the innerHTML to the message. So after restarting, let's go ahead and try to send the script; the browser handles this one. And then if we send the image, that gets injected. And that is pretty much all there is to it.

The reason cross-site scripting can be possible in your application is because you're enabling the communication with HTML: you're essentially storing or creating HTML on your back end and then returning that to be inserted somewhere on the front end, especially through JavaScript. If you are sending HTML back and forth, you want to make sure that you're sanitizing it on the server side, or you're using some kind of library that sanitizes it on the front end before attaching it to the DOM. The second reason is you're mishandling user input. Let's say, with the image example, how can somebody actually put onerror into the database so that it then renders in somebody's browser and executes that JavaScript remotely? Let's say you're building a CRUD application and you have a special endpoint for the image upload, but then you have a second endpoint which, well, because it's CRUD, is going to take the whole user payload, including the URL of the image, and on the back end for some reason you're just allowing the setting of the image even though you're not passing it along in the form. If somebody is capable of inspecting the network tab in the browser and sees, "oh, so you're just passing along this image, can I just put some bogus in there?", then that bogus ends up in the browser, and suddenly they can inject JavaScript by somebody visiting your profile page.

This will be it for this video. Thank you very much for watching. If you enjoyed it, don't forget to leave a like and subscribe, but make sure to check out the description. A very big thank you to all of my Patreon supporters; they help me bring these videos to you. If you would also like to help me make these videos, as well as get the source code for this video and my other videos, please come support me on my Patreon. As always, thank you for watching, have a good day.
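The contrast the video draws between Html.Raw (HTML interpolation) and encoded output, shown as an added JavaScript example that is not code from the video's project: encodeHtml is a minimal stand-in for the encoder Razor applies to @Model.X output, and the render functions, openTagCount helper and sample payloads are all constructed here for the demonstration.

```javascript
// Added example, not from the video's project. encodeHtml is a minimal
// stand-in for the HTML encoder that Razor applies to @Model.X output
// (the real HtmlEncoder encodes more characters); the render* functions
// and the sample payloads below are constructed for this demonstration.

// Encode the five characters that let data break out of a text node or a
// quoted attribute. Anything else stays as-is.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
};
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Html.Raw style: the value is interpolated into markup unchanged, so a
// value containing "<script>" becomes a script element in the page.
function renderWelcomeRaw(name) {
  return `<h1>Welcome ${name}</h1>`;
}

// Default Razor style: the value can only ever be text inside the <h1>.
function renderWelcomeEncoded(name) {
  return `<h1>Welcome ${encodeHtml(name)}</h1>`;
}

// The image case from the video: the value lands inside a quoted attribute.
// Encoding the quote keeps it from closing src and adding an onerror handler.
function renderImageRaw(url) {
  return `<img src="${url}">`;
}
function renderImageEncoded(url) {
  return `<img src="${encodeHtml(url)}">`;
}

// Every literal "<" in an encoded render comes from the template, never from
// the data, so this count is constant for any input. A raw render breaks
// that invariant as soon as the data contains a tag.
function openTagCount(html) {
  return (html.match(/</g) || []).length;
}

// Constructed payloads mirroring the video's danger zone file.
const SCRIPT_PAYLOAD = "<script>alert(1)</script>";
const IMAGE_PAYLOAD = 'x" onerror="alert(1)';
```

The same invariant is what textContent and setAttribute give you on the client side: the data never reaches the HTML parser as markup.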
Info
Channel: Raw Coding
Views: 7,529
Keywords: xss, cross site scripting, .net, aspdotnet, asp .net core, c#, csharp, xss attack, dom-based, reflective, stored
Id: h8Kbfy8Ciio
Length: 14min 9sec (849 seconds)
Published: Wed Apr 12 2023