Blog | Projects | Photos | About | Contact  

Potential Cross-site Scripting Attack when entering in a Color

Theres a potential XSS attack to watch for when allowing entry of Color values.
The developer division is currently in the middle of a security push. Part of this is to review all code with other developers, and associated QA person and program manager. Yesterday, we were reviewing WebPartManager. We pay extra focus on the rendering logic, to make sure we are not introducing any cross-site scripting attacks. This is especially applicable to WebParts, given we have Web UI to allow the page personalizer and customizer to change the content of the page.

One of the things we discussed was rendering of colors. Our HtmlTextWriter encodes some attributes, and does not encode some other attributes (eg. integers), because they can't possibly contain text or script to induce an attack. We lump colors into the same bucket. Shouldn't an RGB triplet be harmless?

The answer is that it depends... specifically on how the color object was intiialized. If one uses Color.FromName(name), the name is preserved as-is if it does not match a known color, or can't be parsed as an RGB triplet. This is a problem if the name is coming in as part of the request. Consider this code: 
  <asp:TextBox runat="server" id="colorTextBox" />
  <asp:Panel runat="server" id="colorPanel" />
  <asp:Button runat="server" id="okButton" Text="OK" onclick="okButton_Click" />
  <script runat="server">
  void okButton_Click(object sender, EventArgs e) {
      colorPanel.BackColor = Color.FromName(colorTextBox.Text);
  }
  </script>
So if the page user enters in "expression(alert('hi'))" for the color, this will essentially execute the script! This is basically equivalent to the classic and most basic form of cross-site scripting attacks. The rendered HTML looks like: 
  <div style="background-color: expression(alert('hi'))" />
So the first question was whether our built-in PropertyGridEditorPart allowed one to enter such colors (if a particular WebPart had personalizable Color property). The answer thankfully is no. The reason?

We happen to use TypeConverters to convert from string to property type. Turns out the ColorConverter does validate that the color is a valid color. So if I replace the Color.FromName() call to use a TypeConverter instead, I am safe. For example: 
  string colorText = colorTextBox.Text;
  Color color = TypeDescriptor.GetConverter(typeof(Color)).ConvertFromString(colorText);
  colorPanel.BackColor = color;
So the first recommendation is to use the TypeConverter, and not Color.FromName should you accept color values from the user of your Web application. Alternatively check to make sure the color is a valid color. This is all in vein with always validating user input first.

The next obvious question is could we in ASP.NET do something about it? This is still an open question, but it is unclear what specifically to do. Even if we switched the HtmlTextWriter to automatically encode color attributes, it only covers values that contain things like quotes, '&' etc. and you can still enter in expressions and a whole range of script that might not get encoded. Perhaps, we could also encode '(' and ')' and that would cover many more script scenarios, but then they would be encoded in any attribute, and not just colors. I'd love to hear any thoughts that people might have.

Side note: WebPartManager is a pretty huge beast J... second only to Page within System.Web.UI.* in terms of code size!
Posted on Thursday, 12/9/2004 @ 10:42 PM | #ASP.NET


Comments

4 comments have been posted.

Duncan Smart

Posted on 12/10/2004 @ 2:33 AM
I find ColorTranslator a bit easier to use than ColorConverter.

Nikhil Kothari

Posted on 12/10/2004 @ 12:47 PM
Yes, ColorTranslator.FromHtml() also works (and I agree, its easier to read). It goes through the TypeConverter, once its tried the HTML-specific conversions...

David Taylor

Posted on 12/13/2004 @ 4:45 PM
Nikhil,

I noticed the November CTP Visual Studio 2005 drop just appeared (around December 10th) on MSDN Universal. However I have not even heard anyone blog about this being available (it just finished downloading).

Could you clarify if this is the december drop - or if another one is coming? Also, will this be the last drop before Beta 2?

Thanks,

David

Nikhil Kothari

Posted on 12/25/2004 @ 5:30 PM
In response to David's question below... yes, we should have another CTP build available before beta 2 is available.
The discussion on this post has been closed. Please use my contact form to provide comments.
RSS  RSS Feed for this Site

Archives by Category
(All)
Ajax
ASP.NET
Facebook
Life
My Site
Photography
Presentations
Projects/Programming
Script#
Silverlight

Archives by Date
July 2008 (1)
June 2008 (4)
May 2008 (2)
April 2008 (4)
January 2008 (4)
2007 (38)
2006 (38)
2005 (49)
2004 (24)
2003 (26)
Server Controls Book
 

Developing Microsoft ASP.NET Server Controls and Components - the name is a mouthful, but its definitely the book to get if you're developing components for ASP.NET... J
Recent Posts...
Search for Rich Internet Applications
ViewModel Pattern extended with the Dynamic Language Runtime
ViewModel Pattern in Silverlight using Behaviors
Microsoft Source Analysis aka StyleCop
Engineering Excellence Award for Script#
AutoComplete for Silverlight TextBoxes
Silverlight Behaviors
Live Mesh
Script# 0.5 Update and Associated CodePlex Project
Ajax Templates
Ajax vs. Silverlight and .NET
Facebook Client Library built on Script#
HTML 5, the Dialog Tag, and Microformats
HTML 5 Thoughts
All content © Nikhil Kothari.
The content on this site represents my own personal opinions and thoughts at the time of posting, and does not reflect those of my employer's in any way.