HOWTO: Review Visual InterDev Generated Code for CSSI Vulnerability

ID: Q253120


The information in this article applies to:
  • Microsoft Visual InterDev, version 6.0


SUMMARY

This article discusses how to identify and correct Visual InterDev applications that are susceptible to CSSI (Cross-Site Scripting Security Issues). An application is vulnerable only where untrusted input reaches the browser without being correctly validated and encoded.

This article focuses on Visual InterDev Design Time Controls (DTC) and the Script Library. For general guidelines regarding ASP code, please see the following Knowledge Base article:

Q253119 HOWTO: Review ASP Code for CSSI Vulnerability


MORE INFORMATION

The Visual InterDev DTCs present a particular challenge to developers because some of the code is generated automatically. A developer may not be familiar with the implementation of the generated script objects, with the vulnerabilities they introduce, or with how best to address them. This article covers the known issues with the various DTCs and the options for addressing those vulnerabilities.

The issues fall into two specific categories:

  1. DTCs that are scripted to display data from a database, and the database contains input from users.

  2. DTCs that are scripted to display or use data that was submitted from the client.

In both cases, proper validation and encoding of output values prevents a DTC-based page from being used in a CSSI attack.

When you call a method that retrieves information from a DTC (such as .getCaption, .getText, or .Value) and that value was set from user-supplied information, the returned string is not HTMLEncoded. Some DTCs that can be bound to a database field also display the raw field contents without encoding. You should therefore HTMLEncode these values when writing them to the browser. For example:

Response.Write Server.HTMLEncode(Textbox1.value) 
If the data is to be used as part of a URL, use URLEncode instead, and quote the attribute so that the encoded value is the whole of the query-string parameter. For example:

Response.Write "<A HREF=""http://webserver/webapplication/page.asp?data=" & Server.URLEncode(Textbox1.value) & """>Click here!</A>" 
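The two encoders above are chosen by output context: HTMLEncode for text written into the HTML body, URLEncode for a value written into a query string. The following is an added example, not code from the Knowledge Base article or from Visual InterDev: it reproduces the article's "before" and "after" code in JavaScript so the effect on the generated markup can be checked. The htmlEncode and urlEncode functions are approximations of Server.HTMLEncode and Server.URLEncode (the real methods also encode characters above 0x7F); the control names and URL are the article's, and the payload is constructed.

```javascript
// Added example: the article's ASP encoding choices, mirrored in JavaScript.
// htmlEncode/urlEncode approximate Server.HTMLEncode/Server.URLEncode.

// Approximation of Server.HTMLEncode: the four characters that can change
// the structure of HTML text or of a double-quoted attribute.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Approximation of Server.URLEncode for one query-string value: characters
// outside the unreserved set become %XX and spaces become "+".
function urlEncode(s) {
  return encodeURIComponent(String(s)).replace(/%20/g, "+");
}

// The article's "before" code: the DTC value is written raw.
function renderLabelUnsafe(caption) {
  return "<SPAN>" + caption + "</SPAN>";
}
function renderLinkUnsafe(data) {
  return '<A HREF="http://webserver/webapplication/page.asp?data=' + data + '">Click here!</A>';
}

// The "after" code: the encoder matches the output context.
function renderLabel(caption) {          // HTML text context
  return "<SPAN>" + htmlEncode(caption) + "</SPAN>";
}
function renderLink(data) {              // URL query-string context
  return '<A HREF="http://webserver/webapplication/page.asp?data=' + urlEncode(data) + '">Click here!</A>';
}

// Review aid: the tag names a browser would see in a fragment.
function tagNames(html) {
  return Array.from(html.matchAll(/<\/?([A-Za-z][A-Za-z0-9]*)/g), m => m[1].toUpperCase());
}

// Parse the "data" query value back out of the anchor the way a browser would.
function hrefDataValue(anchorHtml) {
  const href = /HREF="([^"]*)"/.exec(anchorHtml);
  if (!href) return null;
  const query = href[1].split("?")[1] || "";
  for (const pair of query.split("&")) {
    const [k, v = ""] = pair.split("=");
    if (k === "data") return decodeURIComponent(v.replace(/\+/g, "%20"));
  }
  return null;
}

// Constructed attacker-controlled DTC value (e.g. read back from a guestbook table).
const PAYLOAD = '"><script>alert(document.cookie)</script>';

console.log(tagNames(renderLabelUnsafe(PAYLOAD)));           // SPAN, SCRIPT, SCRIPT, SPAN
console.log(tagNames(renderLabel(PAYLOAD)));                 // SPAN, SPAN
console.log(hrefDataValue(renderLinkUnsafe(PAYLOAD)));       // "" : the attribute was closed early
console.log(hrefDataValue(renderLink(PAYLOAD)) === PAYLOAD); // true: the value survives intact
```

The unsafe label yields a live SCRIPT element; the encoded one yields only the SPAN the developer wrote. For the link, the raw value terminates the HREF attribute and the rest of the payload becomes markup, while the URLEncoded value travels as an opaque parameter and decodes back to exactly what the user entered.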
Because there are multiple ways to encode untrusted scripting characters, you should explicitly set the character set of the page the browser renders; otherwise the browser may guess an encoding in which bytes that passed your checks decode to markup. You can do this by inserting a client-side <META> tag between the <HEAD> tags of your document, using the registered charset name (ISO-8859-1 is the name for Latin-1). For example:

<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> 

This can also be done from ASP using the Response.Charset property:

<% Response.Charset = "ISO-8859-1" %> 
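The reason the charset has to be pinned is that a browser left to guess can pick an encoding in which the page's bytes contain no literal "<" yet still spell a tag. The following is an added example, not code from the Knowledge Base article: it uses UTF-7 (RFC 2152), the case historically sniffed by Internet Explorer when no charset was declared, in which "<" and ">" are written as the shifted sequences "+ADw-" and "+AD4-". decodeUtf7 is a minimal decoder written for this example, htmlEncode is the same approximation of Server.HTMLEncode used above, and the payload is constructed.

```javascript
// Added example: why an explicit charset matters. A server-side HTMLEncode
// sees nothing to escape in UTF-7 text, but a browser that auto-detects
// UTF-7 decodes it to a tag. decodeUtf7 is a minimal RFC 2152 decoder.

const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Decode UTF-7: "+...-" runs carry modified base64 of UTF-16BE code units,
// "+-" is a literal "+", and everything else is plain ASCII.
function decodeUtf7(s) {
  let out = "";
  let i = 0;
  while (i < s.length) {
    if (s[i] !== "+") { out += s[i++]; continue; }
    if (s[i + 1] === "-") { out += "+"; i += 2; continue; }
    let j = i + 1, bits = 0, nbits = 0;
    while (j < s.length && B64.indexOf(s[j]) !== -1) {
      bits = (bits << 6) | B64.indexOf(s[j]);
      nbits += 6;
      if (nbits >= 16) {                         // one UTF-16 code unit is complete
        nbits -= 16;
        out += String.fromCharCode((bits >>> nbits) & 0xffff);
        bits &= (1 << nbits) - 1;
      }
      j++;
    }
    i = s[j] === "-" ? j + 1 : j;                // a "-" terminates the run
  }
  return out;
}

// Same four-character escape as Server.HTMLEncode (approximation).
function htmlEncode(s) {
  return String(s).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Constructed attacker input: "<script>alert(1)</script>" spelled in UTF-7.
const UTF7_PAYLOAD = "+ADw-script+AD4-alert(1)+ADw-/script+AD4-";

// The server-side filter finds nothing to escape in these bytes...
function looksHarmlessToEncoder(s) {
  return htmlEncode(s) === s;
}

// ...but a browser that sniffs UTF-7 reads them as markup.
function asSeenByUtf7Sniffer(s) {
  return decodeUtf7(s);
}

// The article's fix: declare the charset so the browser does not guess. Under
// ISO-8859-1 the same bytes display literally as "+ADw-script+AD4-...".
function pageWithCharset(body, charset = "ISO-8859-1") {
  return '<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=' +
         charset + '"></HEAD><BODY>' + htmlEncode(body) + "</BODY></HTML>";
}

console.log(looksHarmlessToEncoder(UTF7_PAYLOAD));   // true
console.log(asSeenByUtf7Sniffer(UTF7_PAYLOAD));      // <script>alert(1)</script>
console.log(pageWithCharset(UTF7_PAYLOAD));
```

HTMLEncode is still required; the charset declaration only closes the gap where the encoder and the browser disagree about what the bytes mean.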


Here are some common examples of DTC values written to the client without encoding:

Displaying                     Sample Code
-----------------------------  -------------------------------------------------
Value of a Button DTC          Response.Write Button1.Value()
Caption of a CheckBox DTC      Response.Write CheckBox1.getCaption()
Caption of a Label DTC         Response.Write Label1.getCaption()
Text of a ListBox DTC          Response.Write Listbox1.getText()
Value of an OptionGroup DTC    Response.Write OptionGroup1.getValue()
Value of a TextBox DTC         Response.Write Textbox1.Value()


Here are the corrected versions of these examples:

Displaying                     Sample Code
-----------------------------  -------------------------------------------------
Value of a Button DTC          Response.Write Server.HTMLEncode(Button1.Value())
Caption of a CheckBox DTC      Response.Write Server.HTMLEncode(CheckBox1.getCaption())
Caption of a Label DTC         Response.Write Server.HTMLEncode(Label1.getCaption())
Text of a ListBox DTC          Response.Write Server.HTMLEncode(Listbox1.getText())
Value of an OptionGroup DTC    Response.Write Server.HTMLEncode(OptionGroup1.getValue())
Value of a TextBox DTC         Response.Write Server.HTMLEncode(Textbox1.Value())
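Reviewing generated pages for the patterns in these two tables is mechanical enough to script. The following is an added example, not code from the Knowledge Base article or from Visual InterDev: a line-oriented review helper that reports any DTC getter (.Value, .getCaption, .getText, .getValue) written to the response without being wrapped in Server.HTMLEncode or Server.URLEncode. The ASP lines in SAMPLE_ASP are constructed; the control and method names are the article's.

```javascript
// Added example: a heuristic scanner for unencoded DTC output in ASP source.

// A DTC getter, with or without VBScript's optional parentheses.
const GETTER = /(\w+)\.(Value|getCaption|getText|getValue)\b/gi;

// The text immediately before the getter must be an open encoder call.
const ENCODER_BEFORE = /Server\.(HTMLEncode|URLEncode)\s*\(\s*$/i;

// Lines that emit to the client: Response.Write ... or the <%= ... %> form.
const WRITES_OUTPUT = /Response\.Write|<%=/i;

// Returns one finding per getter that reaches the response unencoded.
function findUnencodedDtcOutput(aspSource) {
  const findings = [];
  aspSource.split(/\r?\n/).forEach((line, idx) => {
    if (!WRITES_OUTPUT.test(line)) return;          // same-line heuristic only
    for (const m of line.matchAll(GETTER)) {
      const before = line.slice(0, m.index);
      if (!ENCODER_BEFORE.test(before)) {
        findings.push({ line: idx + 1, control: m[1], method: m[2], text: line.trim() });
      }
    }
  });
  return findings;
}

// Constructed ASP fragment mixing safe and unsafe writes.
const SAMPLE_ASP = [
  '<% Response.Write Button1.Value() %>',
  '<% Response.Write Server.HTMLEncode(CheckBox1.getCaption()) %>',
  '<%= Label1.getCaption() %>',
  '<% Response.Write "<A HREF=""page.asp?data=" & Server.URLEncode(Textbox1.value) & """>go</A>" %>',
  '<% Response.Write "<B>" & Listbox1.getText() & "</B>" %>',
  '<% v = OptionGroup1.getValue() %>',
].join("\n");

for (const f of findUnencodedDtcOutput(SAMPLE_ASP)) {
  console.log("line " + f.line + ": " + f.control + "." + f.method + " written without encoding");
}
// line 1: Button1.Value, line 3: Label1.getCaption, line 5: Listbox1.getText
```

The check is deliberately line-local: a value copied into a variable on one line (line 6 above) and written on another is not reported, and the Grid DTC's data-tab expression described below is not ASP source at all, so both still need a manual look.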


The Grid DTC does not HTMLEncode values retrieved from a database. If your database takes user input (for example, a guestbook), you should HTMLEncode the output. To do this, click the Data tab in the Grid property dialog box and, for each column that displays such a field, type:

=Server.HTMLEncode([fieldname]) 

where fieldname is the name of the database field displayed in that column. Most DTCs HTMLEncode data retrieved from a database automatically when displaying it; some do not, and those controls require additional code to ensure that output sent to the client is properly HTMLEncoded.

Note: DTCs usually implement the logic needed to maintain their state across round trips to the server automatically. In the case of the TextBox DTC, for example, the Textbox.asp script library page correctly HTMLEncodes the contents of the text box when it writes the control's state back to the page.


REFERENCES

For more information, see the following advisory from the Computer Emergency Response Team (CERT) at Carnegie Mellon University:

http://www.cert.org/advisories/CA-2000-02.html
Please see the following Knowledge Base articles for further information:
Q252985 HOWTO: Prevent Cross-Site Scripting Security Issues For Web Applications
Q253119 HOWTO: Review ASP Code for CSSI Vulnerability
Q253121 HOWTO: Review MTS/ASP Code for CSSI Vulnerability
Q253117 HOWTO: Prevent Internet Explorer and Outlook Express CSSI Vulnerability

Additional query words: kbCSSI

Keywords : kbDSupport kbCSSI
Version : WINDOWS:6.0
Platform : WINDOWS
Issue type : kbhowto


Last Reviewed: February 2, 2000
© 2000 Microsoft Corporation. All rights reserved.