XSS issue when asp.net C# code is scanned thru fortify tool

Question

XSS issue when asp.net C# code is scanned thru fortify tool

SKana 1

my asp.net c# code when scanned thru fortify tool gave following error:
---The method GetDocument() in RendDoc.ashx.cs sends unvalidated data to a web browser on line 160, which can result in the browser executing malicious code.---
Please let me know how to resolve this issue.
My code is as follows. Fortify is showing issues in 3 lines of code prefixed with ** in below code.

public void GetDocument()

    {

        ServiceClient dm = null;

        SomeService.SomeServiceSoapClient InternalService = null;


        //Use service based on if using Windows Authentication

        if (HttpContext.Current.Request.IsAuthenticated && HttpContext.Current.User.Identity is WindowsIdentity)

            InternalService = new SomeService.SomeServiceSoapClient("ServiceNetTcpEndpoint");

       else

            dm = new ServiceClient("SomeServicewsHttpEndpoint");             

        try
        {
            byte[] DocArray;

            if (dm == null)
            {
                //Wrapper for impersonation

                using (WindowsImpersonationContext cxt = (Thread.CurrentPrincipal.Identity as WindowsIdentity).Impersonate())

                    **DocArray = InternalService.GetFile(DocId);
            }
            else
              **  DocArray = dm.GetFile(DocId); 

            string fileExt2;

            string strConttenType = null;

            fileExt2 = fileExt; 

            strConttenType = GetService.GetContenttype(fileExt2); 

            HttpContext.Current.Response.ClearHeaders();

            HttpContext.Current.Response.ClearContent();

            HttpContext.Current.Response.BufferOutput = true; 

            HttpContext.Current.Response.ContentType = strConttenType; // "application/msword"; // for PDF type 

            HttpContext.Current.Response.AddHeader("Content-Disposition", "inline");

     **       HttpContext.Current.Response.BinaryWrite(DocArray); 

            HttpContext.Current.ApplicationInstance.CompleteRequest(); 

        }

        catch (FaultException ex)
        {
            ExMgr.Publish(ex);

            dm.Abort();
        }
        catch (Exception ex)
        {
            ExMgr.Publish(ex);
        }

THANKS.

Duane Arnold 3,216 Reputation points

2021-06-10T18:10:41.307+00:00

A code analysis scanner can give a false positive. What do you expect .NET to do? The code looks fine to me. And if a browser allows that kind of compromise, the browser shouldn't be used IMHO. Browsers run in protection mode now of days. And many AV solutions have good protection against a browser compromise, but none of it works if the user points and clicks and allows anyway.

There are Q&A tags for ASP.NET you can post to for help. And besides, you're coding the ASHX solution. What? Do you have malicious intent here with your code? :)

https://learn.microsoft.com/en-us/troubleshoot/browsers/enhanced-protected-mode-add-on-compatibility

https://redmondmag.com/articles/2015/05/11/microsoft-edge-browser-security.aspx

https://www.prajwaldesai.com/enable-enhanced-protection-in-google-chrome/
Yijing Sun-MSFT 7,096 Reputation points

2021-06-11T08:16:39.577+00:00
Hi @SKana ,
XSS vulnerabilities occur when:

Data enters a web application through an untrusted source. In the case of DOM-based XSS, data is read from a URL parameter or other value within the browser and written back into the page with client-side code. In the case of reflected XSS, the untrusted source is typically a web request, while in the case of persisted (also known as stored) XSS it is typically a database or other back-end data store.

The data is included in dynamic content that is sent to a web user without validation. In the case of DOM-based XSS, malicious content is executed as part of DOM (Document Object Model) creation, whenever the victim's browser parses the HTML page.

You could check if you have private data .
Best regards,
Yijing Sun

Your answer

Duane Arnold 3,216 Reputation points

2021-06-10T18:10:41.307+00:00

A code analysis scanner can give a false positive. What do you expect .NET to do? The code looks fine to me. And if a browser allows that kind of compromise, the browser shouldn't be used IMHO. Browsers run in protection mode now of days. And many AV solutions have good protection against a browser compromise, but none of it works if the user points and clicks and allows anyway.

There are Q&A tags for ASP.NET you can post to for help. And besides, you're coding the ASHX solution. What? Do you have malicious intent here with your code? :)

https://learn.microsoft.com/en-us/troubleshoot/browsers/enhanced-protected-mode-add-on-compatibility

https://redmondmag.com/articles/2015/05/11/microsoft-edge-browser-security.aspx

https://www.prajwaldesai.com/enable-enhanced-protection-in-google-chrome/
Yijing Sun-MSFT 7,096 Reputation points

2021-06-11T08:16:39.577+00:00

Hi @SKana ,
XSS vulnerabilities occur when:

Data enters a web application through an untrusted source. In the case of DOM-based XSS, data is read from a URL parameter or other value within the browser and written back into the page with client-side code. In the case of reflected XSS, the untrusted source is typically a web request, while in the case of persisted (also known as stored) XSS it is typically a database or other back-end data store.

The data is included in dynamic content that is sent to a web user without validation. In the case of DOM-based XSS, malicious content is executed as part of DOM (Document Object Model) creation, whenever the victim's browser parses the HTML page.

You could check if you have private data .
Best regards,
Yijing Sun

Share via

XSS issue when asp.net C# code is scanned thru fortify tool

Your answer