Cross site scripting (XSS) in ASP.NET via ResolveUrl
Description
Cross-Site Scripting (XSS) is a client-side code injection vulnerability that allows attackers to inject malicious scripts into trusted web applications. This specific vulnerability affects ASP.NET applications that use the Control.ResolveUrl method to resolve application-root-relative paths (e.g., ~/path/to/resource) without proper output encoding. When user-controlled input is passed through ResolveUrl and rendered directly to the page, attackers can inject JavaScript that executes in victims' browsers.
Remediation
Implement proper output encoding for all user-controlled data rendered through ResolveUrl. Follow these steps to remediate the vulnerability:
1. Apply HTML Encoding: Use Server.HtmlEncode or HttpUtility.HtmlEncode to encode output before rendering:
   // Vulnerable code (inside a Page or Control): the resolved path is written
   // straight into the response with no encoding
   string url = ResolveUrl(userInput);
   Response.Write(url);

   // Secure code: the same value is HTML-encoded before it reaches the response
   string url = ResolveUrl(userInput);
   Response.Write(Server.HtmlEncode(url));
2. Use ASP.NET Encoding Helpers: In Razor views, use the @: syntax, which automatically HTML-encodes output:
   <!-- Vulnerable (Web Forms): raw output into an attribute -->
   <a href="<%=ResolveUrl(userInput)%>">Link</a>

   <!-- Secure (Razor): output is encoded by the view engine -->
   <a href="@Url.Content(userInput)">Link</a>
3. Validate Input: Implement strict input validation to ensure user-provided paths match expected patterns (e.g., whitelist allowed paths).
4. Use Content Security Policy (CSP): Implement CSP headers as a defense-in-depth measure to restrict script execution sources.
5. Review All ResolveUrl Usage: Audit your codebase for all instances of ResolveUrl, ResolveClientUrl, and similar methods to ensure proper encoding is applied.
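Steps 1 and 3 combined in one helper, as an added example that is not part of the original page: the class name SafeLinkRenderer, the whitelist regular expression and the choice of HttpUtility.HtmlAttributeEncode (since the value lands in an href attribute) are this example's own assumptions, and the whitelist is constructed to be tightened to the application's real paths.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;

// Added example: render a link whose target is user-controlled by validating the
// input against a whitelist first and encoding the resolved URL second.
public static class SafeLinkRenderer
{
    // Constructed whitelist: only app-root-relative paths built from plain path
    // segments, optionally with a file extension. Absolute URLs, scheme prefixes,
    // quotes, angle brackets and ".." segments all fail to match and are rejected.
    private static readonly Regex AllowedPath = new Regex(
        @"^~/(?:[A-Za-z0-9_\-]+/)*[A-Za-z0-9_\-]+(?:\.[A-Za-z0-9]+)?$",
        RegexOptions.Compiled);

    public static bool IsAllowedPath(string candidate)
    {
        return candidate != null && AllowedPath.IsMatch(candidate);
    }

    // The pattern the page describes as vulnerable, kept here for comparison:
    // no validation, and the resolved value is concatenated into markup unencoded.
    public static string RenderUnsafe(Control control, string userInput)
    {
        return "<a href=\"" + control.ResolveUrl(userInput) + "\">Link</a>";
    }

    // Hardened version: reject anything outside the whitelist (step 3), then
    // attribute-encode the resolved URL before emitting it (step 1).
    public static string RenderSafe(Control control, string userInput)
    {
        if (!IsAllowedPath(userInput))
        {
            throw new ArgumentException(
                "Path must be app-root-relative (~/segment/...).", nameof(userInput));
        }

        string resolved = control.ResolveUrl(userInput);
        return "<a href=\"" + HttpUtility.HtmlAttributeEncode(resolved) + "\">Link</a>";
    }
}
```

Rejected input should be logged with the request context so that probing of the parameter is visible to monitoring, rather than silently replaced with a default.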