Do the Struts tags prevent XSS - struts

I am using Struts version 1.1. The Fortify scan tool reports the possibility of XSS attacks in form parameters. Do the Struts tags prevent XSS attacks by default?

Struts 1.x has reached EOL. If you are at an initial stage, it's time to switch to Struts 2. Yes, Struts 1.1 has some chance of an XSS vulnerability. Check this site for more information. To prevent XSS (cross-site scripting) you need to upgrade to at least Struts 1.2.8. You can configure your servlet container to use a custom error page for 404 / Not Found errors, like this:
<struts-config>
<action-mappings>
<action path="/unknown" forward="/CustomNotFoundError.jsp"
unknown="true" />
</action-mappings>
</struts-config>
Hope this helps.
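The answer above talks about the servlet container but shows only the Struts-side mapping. These are two different layers, and as an added illustration (not code from the answer or from the Struts project) here are both side by side: the struts-config.xml fallback mapping, which catches any request path that matches no action before Struts itself reports the invalid path in an error response, and the web.xml error-page mapping, which the container applies to 404s that never reach the Struts ActionServlet at all. The file layout and CustomNotFoundError.jsp are taken from the answer; nothing else is assumed.

```xml
<!-- struts-config.xml (added example): route every path that matches no
     <action> to a fixed page instead of letting Struts build an error
     response from the requested path. -->
<struts-config>
  <action-mappings>
    <!-- unknown="true" marks this mapping as the fallback for unmatched paths.
         Only one mapping per module may carry it. -->
    <action path="/unknown"
            forward="/CustomNotFoundError.jsp"
            unknown="true" />
  </action-mappings>
</struts-config>

<!-- web.xml (added example): container-level 404 handling. This covers
     requests the Struts ActionServlet never sees, e.g. a missing static
     resource, which struts-config.xml cannot intercept. -->
<web-app>
  <error-page>
    <error-code>404</error-code>
    <location>/CustomNotFoundError.jsp</location>
  </error-page>
</web-app>
```

Keep the target JSP free of any echo of the request: a custom error page that writes the requested URL back into its body without encoding simply moves the reflected XSS from the framework's message into your own page.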

Related

A potentially dangerous Request.Form value was detected from the client in local server

I am getting this error when I click on an ASP button. Error: A potentially dangerous Request.Form value was detected from the client
I have read a few questions on Stack Overflow. The point here is that the button works fine when I put the website live on our client's server, but it does not work if I configure it on my local IIS server.
Do I need to change any settings in my local IIS server?
Please suggest.
By default, the application is prevented from processing unencoded HTML content submitted to the server.
If you set the RequestValidationMode to 2.0 in your web.config, it will solve your issue.
<system.web>
<httpRuntime requestValidationMode="2.0" />
</system.web>
If you want to make the smallest change possible, you could define the requestValidationMode inside a location element to have it applied to a specific page (ex: Login page)
<location path="Login.aspx">
<system.web>
<httpRuntime requestValidationMode="2.0" />
</system.web>
</location>
Remarks (From MSDN)
The RequestValidationMode property specifies which ASP.NET approach to validation will be used. This can be the algorithm that is used in versions of ASP.NET earlier than version 4, or the version that is used in .NET Framework 4. The property can be set to the following values:
4.5 (the default). In this mode, values are lazily loaded, that is, they are not read until they are requested.
4.0. The HttpRequest object internally sets a flag that indicates that request validation should be triggered whenever any HTTP request data is accessed. This guarantees that the request validation is triggered before data such as cookies and URLs are accessed during the request. The request validation settings of the pages element (if any) in the configuration file or of the @ Page directive in an individual page are ignored.
2.0. Request validation is enabled only for pages, not for all HTTP requests. In addition, the request validation settings of the pages element (if any) in the configuration file or of the @ Page directive in an individual page are used to determine which page requests to validate.
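Note what the MSDN remark quoted above actually says about mode 2.0: it makes validation per-page and honours the pages element / @ Page ValidateRequest setting, but that setting defaults to true, so requestValidationMode="2.0" on its own still rejects a raw "<" in a form field. The following web.config is an added example (not code from the answer) showing the narrowest configuration that lets such input through: the site keeps the 4.5 behaviour, and only the one page gets both the 2.0 mode and validateRequest="false". Login.aspx is the page name used in the answer; the site-wide httpRuntime element is an assumption.

```xml
<!-- web.config (added example): keep .NET 4.5 request validation for the
     whole site and relax it only for Login.aspx. -->
<configuration>
  <system.web>
    <!-- Site-wide: every request is validated as soon as any request data
         is read, before cookies, URLs or form values reach your code. -->
    <httpRuntime requestValidationMode="4.5" />
  </system.web>

  <location path="Login.aspx">
    <system.web>
      <!-- Weak setting: 2.0 mode makes validation per-page and honours the
           pages element / @ Page ValidateRequest directive. By itself it
           does NOT turn validation off; validateRequest is still true. -->
      <httpRuntime requestValidationMode="2.0" />
      <!-- This is what actually admits unencoded HTML for this page. From
           here on the input is untrusted markup: anything read from
           Request.Form must be HTML-encoded before it is written into a
           response (HttpUtility.HtmlEncode or the <%: %> syntax), because
           request validation is no longer doing it for you. -->
      <pages validateRequest="false" />
    </system.web>
  </location>
</configuration>
```

The same two settings placed in the outer system.web element instead of the location element would disable validation for every page, which is the "smallest change" the answer warns against.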

Securing Kentico Media Library file from direct URL access

I am trying to prevent unauthorized access to all files within some of my media libraries in Kentico v9.0. I intend to only provide access to certain libraries via Kentico Role membership and global admins only.
I have followed the guide published here: Securing media libraries and it seems to work fine: Direct URL path access results in a 401.2 - Unauthorized message, regardless of user authentication state and role membership. And I have a media gallery web part set up correctly to provide the permanent URLs, which also work as I expect them to.
However, I have another requirement; which is to serve up a ~/googlesitemap.xml file. I followed the guide published here: Google Sitemaps, which instructs me to provide an attribute to the system.webServer/modules node in the web.config:
<modules runAllManagedModulesForAllRequests="true">
...
</modules>
However, when I add the above, any authenticated user can gain access to my media library files if they enter the full URL. This violates my attempts at media library access based on role membership, since I don't want users in other roles to be able to get at the files.
I have tried to exclude all media library files from the re-writing engine by adding my media folder root as an Excluded URL in Settings > URLs and SEO > URL Format > Excluded URLs... but this doesn't appear to help.
Any suggestions would be highly welcome!
As far as I know runAllManagedModulesForAllRequests attribute is mandatory only for different extensions (different from .aspx). If you are using IIS 7 or above you can omit this attribute in your web.config (see source).
Note: In ASP.NET websites, the value of runAllManagedModulesForAllRequests previously had to be set to true to support routing. However, once IIS 7 has been updated with a Service Pack, the value of runAllManagedModulesForAllRequests can be set to false or omitted when working with ASP.NET routing. For more information, see ASP.NET Routing on the MSDN website.
So quick fix: Do not add this attribute to web.config and your media gallery (permissions) should work as you wish.
EDIT: So I think I have got a solution for you. It seems that the runAllManagedModulesForAllRequests attribute kills the Anonymous Authentication setting, so Kentico serves data after successful authentication. I've found a workaround so you can forbid access to the media library. Try to add something like:
<location path="MySite/media/MyMediaLibrary">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
into your web.config inside configuration section.
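Why the workaround works is worth spelling out, and the following web.config is an added example (not the answer's own snippet) that puts the two pieces together. With runAllManagedModulesForAllRequests="true" IIS runs the managed pipeline for static files as well, so the ASP.NET UrlAuthorizationModule now sees a direct request for a file under the media folder and can enforce the authorization block; without that attribute a static file is served by IIS before any managed module runs, and the deny would be ignored. Folder names are the ones from the answer; "MySite" is an assumed site name, and it is assumed that Kentico's permanent URLs are served by a handler path outside this folder.

```xml
<!-- web.config (added example): the Google Sitemap requirement and the
     media-library lockdown, together. -->
<configuration>
  <system.webServer>
    <!-- Required by the sitemap guide. Side effect: every request, including
         a direct GET for a .jpg, now passes through the managed modules. -->
    <modules runAllManagedModulesForAllRequests="true">
      <!-- existing module registrations unchanged -->
    </modules>
  </system.webServer>

  <!-- Because the managed pipeline now runs for static files, this deny is
       enforced on direct URL access to the library folder for everyone,
       authenticated or not. Kentico's permanent URLs are assumed to be
       served from a handler path outside this folder, so role-based access
       through the media gallery web part keeps working. -->
  <location path="MySite/media/MyMediaLibrary">
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Test it the same way the question does: a direct request to a file under the folder should return 401 both anonymously and as an authenticated user, while the permanent URL emitted by the gallery web part still returns the file.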

W3C validator and HTTPS

I'm currently having trouble with the W3C markup validation service https://validator.w3.org and the use of HTTPS. When I type in there the website address with https I get the following response:
Sorry! This document cannot be checked.
Together with an error 500 saying that it can't connect to the site. Also, on the website page I have a link which takes the person to the validation and shows the site has been validated. When clicking the link without HTTPS everything works, but with HTTPS I get the message
Sorry! This document cannot be checked. No Referer header found!
which I believe is because the secure connection doesn't send the referer header right?
Now, how can I use HTTPS and avoid these problems with the validation?
Please always directly use https://validator.w3.org/nu/ (the current W3C HTML Checker) instead of https://validator.w3.org/ (the legacy W3C Markup Validator).
The HTML Checker is able to check documents at https URLs just fine. So if you find an https site that it doesn't work with as expected, then that's likely a bug I need to fix. (I maintain the checker, and recently updated it to get HTTPS support using HTTP Components HttpClient 4.4, the latest Apache HTTP client library, including full support for HTTPS sites that use SNI.)
A note about which W3C tool to use for checking HTML documents
On the W3C backend, when you use the https://validator.w3.org/ legacy Markup Validator to check documents with <!DOCTYPE html> doctypes, it just hands off the request to the same backend that directly drives the https://validator.w3.org/nu/ HTML Checker. But the HTML Checker has a UI with more features, and using it from https://validator.w3.org/nu/ is faster.
We (the W3C) plan to swap those two around eventually—that is, move the current HTML Checker to https://validator.w3.org/ and move the legacy Markup Validator to https://validator.w3.org/legacy/ or some such—but it will be a while yet before that happens. So in the mean time, as I said, I suggest always just doing all your HTML checking from the https://validator.w3.org/nu/ site.
There seems to be a bug in the W3C NU validator, so the "referer" value is not processed fully. :-/
I.e. the code for their badge <a target="_blank" href="http://validator.w3.org/check/referer"><img src="http://www.w3.org/Icons/valid-xhtml10" alt="Valid XHTML 1.0 Transitional" title="Valid XHTML 1.0 Transitional" style="height: 31px; width: 88px;" /></a>
does not validate my nested sub-page, but just the root-page of the whole web-site instead, on click on the badge, in a footer of the deep sub-page. Sad. :-/
And the same for the alternative parameterized .../check?uri=referer" URL, still the same issue. :-/

MVC application most page requests being redirected to /login.aspx?ReturnUrl=

I have installed an MVC4 application provided by a third party on our web server and most requests are being redirected to http://domain.com/login.aspx?ReturnUrl=requestedpage.
The website does not have any form of authentication and it does not have this or any other login page.
The default page loads but none of the page resources (like images, CSS, etc) loads as each of those is being redirected to the non-existent login.aspx page. Even a webservice request gets redirected.
I have done lots of searching online and tried the usual fix of <add key="autoFormsAuthentication" value="false" /> but it doesn't make any difference. I also tried <authentication mode="None" />.
It is IIS8.5 on Server 2012 and anonymous access is enabled throughout.
I just tried installing MVC4 directly on the server and this did not help.
Can anyone help?
This problem turned out to be caused by the anonymous user account not being set to the ApplicationPoolIdentity.
I fixed this after finding the answer on another question.
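The answer names the cause but not the setting. As an added example (not configuration from the answer or from the third-party application), this is the IIS setting that makes the anonymous user run as the application pool identity: an empty userName on anonymousAuthentication means "use the application pool identity". The site name is an assumption.

```xml
<!-- applicationHost.config fragment (added example): make IIS's anonymous
     user the application pool identity for one site. -->
<location path="Default Web Site">
  <system.webServer>
    <security>
      <authentication>
        <!-- userName="" selects the application pool identity instead of
             the default IUSR account, so the NTFS permissions granted to
             "IIS AppPool\<pool name>" apply to anonymous requests too. -->
        <anonymousAuthentication enabled="true" userName="" />
      </authentication>
    </security>
  </system.webServer>
</location>
```

This section is locked in applicationHost.config by default (overrideModeDefault="Deny"), so it must be set there, through IIS Manager, or with appcmd; placing it in the site's own web.config fails unless the section has been unlocked first.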

Get glimpse working with web api

I have an MVC4 project with the template Intranet Application. Glimpse is working on the MVC4 Routes but not on web api routes (the footer vanishes).
I'm thinking of creating an action in an MVC controller which takes a request as a parameter to instantiate the right WebApi controller and call the right action with the parameters.
Is there a better alternative?
I tried to use this (found here) but it doesn't work:
<glimpse>
<inspectors>
<ignoredTypes>
<add type="Glimpse.AspNet.Inspector.RoutesInspector, Glimpse.AspNet"/>
</ignoredTypes>
</inspectors>
</glimpse>
The issue you mention is related to Glimpse making changes to the Routes configuration, which broke the WebApi Help Pages; fortunately that issue has since been solved.
Based on your question, I assume that you want to see Glimpse diagnostics for WebApi related calls? Unfortunately Glimpse v1.8.4 does not support WebApi requests.
The good news is that support for WebApi is being added as we speak. You can check the pull request to see how it's going and when it's expected to be released.