Forum » Core :: SDK (Vi... » Bug Reports » VisualWebGUI and XSS attacks
New Post 5/8/2012 6:42 AM [Resolved]
andreimc (13 posts, No Ranking)


VisualWebGUI and XSS attacks 

Hello,

I have a web application that calls Visual Web GUI as follows:
https://www.website.com/visualwebgui/visualwebgui.wgx?value=1

The problem is that the query string is vulnerable to attacks of type XSS, as follows:
https://www.website.com/visualwebgui/visualwebgui.wgx?value=2833c77f%22%3balert%28/XSS/%29//6a00a849c47

If I try to use UrlEncode then the visualwebgui is not properly initialised anymore.
Could you please tell me if there is a fix for this issue?
Thank you very much in advance.
 

Best regards,

Andrei

 
New Post 5/15/2012 2:07 PM [Accepted Answer]
palli (14295 posts, 1st Level Poster)




Re: VisualWebGUI and XSS attacks 

Hi Andrei,

Welcome to Visual WebGui

Firstly, when you are "calling" Visual WebGui using query parameters, you should precede the form name with a "post." prefix. For your first URL, this would mean you should use http://www.website.com/visualwebgui/post.visualwebgui.wgx?value=1

Inside the application, you use VWGContext.Current.Arguments to retrieve individual query parameters, so script attacks are not really possible if you validate the parameters. In any case, you can encode the query parameter string in whatever way you choose, provided it has valid query parameter characters after the encoding. You could even base64 encode the whole parameter string, but you would still need one parameter, like for instance

http://www.website.com/visualwebgui/post.visualwebgui.wgx?parm=6464646464646464

If needed, you could even throw in a checksum or some other means that would make it possible for you to guarantee the validity of the query parameters.

If I misunderstand your point, please explain further.

More on Query parameters here

Hope this helps,

Palli

 


Páll Björnsson - Visual WebGui support team - Email: support@visualwebgui.com
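The two measures Palli suggests (allow-list validation of the individual parameter, and bundling all parameters into one opaque value whose integrity the server can check) as an added example. This is not code from the original thread and not Visual WebGui code: it is plain Python, because the technique does not depend on the framework, and the parameter names `value` and `parm`, the secret key, and the helper names are all assumptions. It goes one step beyond the post's "checksum" by using an HMAC, since a checksum or hash without a key can simply be recomputed by whoever edits the URL.

```python
"""Added example (not Visual WebGui code): allow-list validation of a query
parameter, plus an opaque HMAC-protected parameter bundle.

Everything named here (the 'value' parameter rule, the key, the helpers)
is hypothetical and chosen for illustration only.
"""
import base64
import hashlib
import hmac
import json
import re
from urllib.parse import parse_qs, urlsplit

# Allow-list for the original ?value= parameter: a short decimal integer.
# Anything else, including the alert(/XSS/) payload from the question, is rejected.
_VALUE_RE = re.compile(r"^[0-9]{1,9}$")


def validate_value(raw: str) -> int:
    """Return the parameter as an int, or raise ValueError if it is not a plain integer."""
    if not _VALUE_RE.fullmatch(raw):
        raise ValueError("invalid 'value' parameter")
    return int(raw)


def value_from_url(url: str):
    """Extract and validate ?value= from a full URL; None when absent or invalid."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    vals = qs.get("value")
    if not vals:
        return None
    try:
        return validate_value(vals[0])
    except ValueError:
        return None


# Opaque bundle: base64url(JSON(args)) + "." + base64url(HMAC-SHA256(key, payload)).
# The whole bundle travels in a single query parameter (e.g. ?parm=...), which is
# what the answer means by "you would still need one parameter".
def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def pack_args(args: dict, key: bytes) -> str:
    """Serialize args deterministically and append a keyed integrity tag."""
    payload = json.dumps(args, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def unpack_args(token: str, key: bytes) -> dict:
    """Verify the tag and return the args dict; raise ValueError on any tampering."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except (ValueError, TypeError) as exc:  # missing separator or bad base64
        raise ValueError("malformed parameter bundle") from exc
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("parameter bundle failed integrity check")
    args = json.loads(payload)
    if not isinstance(args, dict):
        raise ValueError("parameter bundle is not an object")
    return args


if __name__ == "__main__":
    KEY = b"server-side secret, never placed in the URL"  # hypothetical
    good = "https://www.website.com/visualwebgui/post.visualwebgui.wgx?value=1"
    bad = ("https://www.website.com/visualwebgui/post.visualwebgui.wgx"
           "?value=2833c77f%22%3balert%28/XSS/%29//6a00a849c47")
    print(value_from_url(good))  # 1
    print(value_from_url(bad))   # None (rejected by the allow-list)
    token = pack_args({"value": 1, "mode": "edit"}, KEY)
    print(f"?parm={token}")
    print(unpack_args(token, KEY))  # {'mode': 'edit', 'value': 1}
```

The bundle only proves that the server itself produced the parameters; it does not by itself stop a captured URL from being replayed, so anything sensitive still belongs in the session rather than in the query string, and whatever is read back out of the bundle should still be validated before it is rendered into a page.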
Copyright © 2005-2012 Visual WebGui®