Neil #1
Cross Site Scripting & Custom Error Pages
Hi,
I have been investigating CSS vulnerabilities within my application and have
a question. If I added malicious script tags to the Url these are
automatically removed from all pages of my application and the user is
redirected to my custom error page. This is all taken care of by the .Net
Runtime and works as expected. However if after being redirected to the
custom error page I append script to the query string this is not removed and
I'm presented with the default page telling me to create a custom error page,
I guess you can't have a custom error page for a custom error page... My
question is should I be concerned about this? Should the script tags not be
removed?
Thanks
Neil Guest
Peter Blum #2
Re: Cross Site Scripting & Custom Error Pages
It's good to see someone actually paying attention to this common hacking
technique. Microsoft promoted the heck out of the issue last year and as
this message board indicates, it fell on deaf ears.
I didn't understand what you meant here. How exactly are you appending the
script and where is it directed?
> However if after being redirected to the
> custom error page I append script to the query string this is not removed
> and
> I'm presented with the default page telling me to create a custom error
> page,
> I guess you can't have a custom error page for a custom error page
You are correct that you cannot have a custom error page for a custom error
page.
You can turn off the validationRequest property on the custom error page so
it never looks at the incoming script (because it's harmless to that page).
<%@ Page ValidateRequest="false" %>
FYI: I built "Visual Input Security", a tool for ASP.NET developers to
install protection against XSS, SQL injection and other input attacks using
best practice techniques. It includes a report that audits your pages for
holes, a logging feature, and validators that block attacks better and on a
field-by-field basis. http://www.peterblum.com/vise/home.aspx.
--- Peter Blum
www.PeterBlum.com
Email: PLBlum@PeterBlum.com
Creator of "Professional Validation And More" at
http://www.peterblum.com/vam/home.aspx
"Neil" <Neil@discussions.microsoft.com> wrote in message
news:CC58FDCF-EB5C-4F91-89AA-9317B8CE0DFE@microsoft.com...
> Hi,
>
> I have been investigating CSS vulnerabilities within my application and
> have
> a question. If I added malicious script tags to the Url these are
> automatically removed from all pages of my application and the user is
> redirected to my custom error page. This is all taken care of by the .Net
> Runtime and works as expected. However if after being redirected to the
> custom error page I append script to the query string this is not removed
> and
> I'm presented with the default page telling me to create a custom error
> page,
> I guess you can't have a custom error page for a custom error page... My
> question is should I be concerned about this? Should the script tags not
> be
> removed?
>
> Thanks
Peter Blum Guest
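
An added example, not part of the thread or of either poster's code: a custom error page with request validation switched off stays safe only if anything it displays from the query string is HTML-encoded first. The file name Error.aspx, the control ID FailedPath and the 200-character limit are assumptions; aspxerrorpath is the parameter ASP.NET appends when customErrors redirects to the error page.

```aspx
<%@ Page Language="C#" ValidateRequest="false" %>
<script runat="server">
    // Error.aspx (hypothetical name): the target of <customErrors defaultRedirect="...">.
    // Request validation is off for this page, so every query-string value
    // is treated as untrusted text and encoded before it reaches the response.
    private const int MaxPathLength = 200; // assumed display limit

    private static string SafeDisplayPath(string raw)
    {
        // Accept only a local, rooted path; anything else is not shown at all.
        if (string.IsNullOrEmpty(raw) || raw[0] != '/' || raw.StartsWith("//"))
            return "(unknown page)";
        if (raw.Length > MaxPathLength)
            raw = raw.Substring(0, MaxPathLength);
        // Encoding turns <script> into &lt;script&gt;, so it renders as inert text.
        return HttpUtility.HtmlEncode(raw);
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // ASP.NET appends aspxerrorpath=<original path> on the redirect.
        FailedPath.Text = SafeDisplayPath(Request.QueryString["aspxerrorpath"]);
    }
</script>
<html>
<head><title>Error</title></head>
<body>
    <h1>Something went wrong</h1>
    <p>The request for <asp:Literal ID="FailedPath" runat="server" /> could not be completed.</p>
</body>
</html>
```

A Literal control writes its Text to the response as-is, which is why the encoding happens in SafeDisplayPath rather than being left to the control.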




