November Happy Hour will be moved to Thursday December 5th.

AI OnAI Off

Episerver with Webapi and Reflected Cross site scripting (XSS)

Asim Saeed
Asim Saeed
Vote:
 

When using episerver with WebApi - it enable api controller for Reflected Cross site scripting (XSS) vulnerability.

When access resource via '/api/mycontroller/? <script>alert('hi');</script> '


result in 

No HTTP resource was found that matches the request URI 'http://localhost:8888/api/mycontroller/?"> <script>alert("hi");""></script> '.
No action was found on the controller 'GoldStandardTwitterFeed' that matches the request.

Reflected Cross site scripting (XSS) vulnerability. in response.

Note that the script tags are in the xml\JSON source.

If I drop the question mark, /api/mycontroller/. I'm getting correct HttpException.

"A potentially dangerous Request.Path value was detected from the client (<)."></).">

Doesn it due to default Episerver routes configuration, is any way to prevent this?  It's only happen when using webapi with Episerver

Default Route 

Routes.MapHttpRoute(
    "DefaultApi", 
    "api/{controller}/{id}", 
     new { id = RouteParameter.Optional 
});

Controller 

public class DefaultAPIController : ApiController
{
	
	public IEnumerable Get()
	{
		return new string[] { "value1", "value2" };
	}

}

[Pasting files is not allowed]

#178744
Edited, May 19, 2017 17:13
Vote:
 

"A potentially dangerous Request.Path" I think is from ASP.NET not from Epi.

Who consumes the API? You could add for example bearer token authentication or reqeust forgery protection or just filter input by some AntiXSS function.

#178913
May 26, 2017 9:21
Asim Saeed
Asim Saeed
Vote:
 

Thanks Johan, It has been resolve. It's puplic page so can't used Bearer Token . Issue was default respose on 404 which include un decoded query string due to generic api route settings  '

api/{controller}/{id}"

We have encoded the respose and clear the respose.

#178919
May 26, 2017 10:19
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.