2
votes

I have been using the Zed Attack Proxy (ZAP) to test a new application being developed. The app is ASP.NET MVC4 based, using the standard HTML helpers wherever possible.

ZAP has identified the following alert:

Cross Site Scripting (Reflected)

GET:  localhost:65227/CashReceipt?SearchText=javascript%3Aalert%281%29%3B

On this page we have a list of receipts and a search box whereby a user can search by receipt number.

When this page is called using the link above, the following Razor builds the relevant part of the page:

@using (Html.BeginForm("Index", "CashReceipt", FormMethod.Get, new { @class = "form-inline", @role = "form" }))
{
    <div class="form-group">
        <label class="hidden-label" for="SearchText">Search For</label>
        @Html.TextBoxFor(m => m.SearchText, new { @class = "form-control input-lg", @placeholder = "Receipt Number" })
    </div>
    <input type="submit" value="Search" class="btn btn-primary btn-lg" />
}

The HTML generated is:

<input class="form-control input-lg" id="SearchText" name="SearchText" placeholder="Receipt Number" type="text" value="javascript:alert(1);" />

The page rendered appears as:

[image]

This does not result in an actual alert box being displayed within the browser, just the text is reflected back.

Is this an XSS issue that needs to be resolved? If so, how?

1 Answer

1
votes

No, it is not an XSS issue, since the JavaScript alert is not executed. Razor HTML helpers properly encode and decode text to stop this from happening by default.
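
One way to triage this kind of scanner alert, as an added example that is not part of the original question or answer: parse the response and report the HTML context in which the probe string was reflected. `PAGE_HTML` is the input element from the question; `CONTRAST_HTML`, the class and function names, and the context labels are constructed for illustration.

```python
from html.parser import HTMLParser

# Attributes whose value the browser interprets as a URL (illustrative subset).
URL_ATTRS = {"href", "src", "action", "formaction"}

class ReflectionFinder(HTMLParser):
    """Record each context in which the probe string appears in a response."""

    def __init__(self, probe):
        super().__init__(convert_charrefs=True)
        self.probe = probe
        self.contexts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:  # values arrive already entity-decoded
            if value and self.probe in value:
                if name in URL_ATTRS:
                    kind = "url-attribute"    # a URL scheme is interpreted here
                elif name.startswith("on"):
                    kind = "event-handler"    # value is parsed as script
                else:
                    kind = "plain-attribute"  # value is data only
                self.contexts.append((kind, tag, name))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self.probe in data:
            kind = "script-body" if self._in_script else "text"
            self.contexts.append((kind, None, None))

def classify(html_text, probe):
    """Return a list of (context, tag, attribute) tuples for the probe."""
    finder = ReflectionFinder(probe)
    finder.feed(html_text)
    finder.close()
    return finder.contexts

PROBE = "javascript:alert(1);"
# The element from the question, as rendered by Html.TextBoxFor.
PAGE_HTML = ('<input class="form-control input-lg" id="SearchText" name="SearchText" '
             'placeholder="Receipt Number" type="text" value="javascript:alert(1);" />')
# Constructed contrast: the same string reflected into a URL-bearing attribute.
CONTRAST_HTML = '<a href="javascript:alert(1);">back</a>'
```

A result of `plain-attribute` on the `value` of a text input matches what the question observed: the string is shown in the box and nothing runs. Any `url-attribute`, `event-handler` or `script-body` result is the case that needs a fix.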