Global solution for ResolveUrl XSS issue

Question

We recently has a security scan done, and it turns out our application is susceptible to XSS via the ResolveUrl cookieless state problem described here.

Now I am looking for a way to properly fix the issue in a global way for our application. Not using ResolveUrl is not really an option, because we literally use it in over a 1000 places. I find it strange that there is no way in ASP.NET (that I know of) to disable the cookieless state url parsing altogether, since we are not using cookieless state.

I've tried to implement a check in the BeginRequest, to drop requests that have a path segment in the url that starts with (.( (. begin any character). This would work, because not actual url in our application has a path segment that starts with this. However, the problem is, that the url we can read from the request doesn't have this path segment anymore. It seems to be filtered out by the runtime before the execution of our code starts.

What other options do I have?

Answer 1

Eventually I went with a rule using the UrlRewrite module, to simply block all requests using the same regex as in my original question. This module runs before .net removes the cookieless session id from the request url, so I can block the request

Answer 2

Here is the regex pattern we are using in a UrlRewrite rule

.*/\([a-zA-Z]\(.*

With an action type of Abort Request, this matches and blocks URLs described in the article such as

• (A(XXXXXXXXXXX))
• (S(XXXXXXXXXXX))
• (F(XXXXXXXXXXX))

Answer 3

I had the same problem and I resolved by adding this rewrite rule in web.config:

<rewrite>
    <rules>
        <rule name="Avoid javascript execution in url (XSS)" stopProcessing="true">
            <match url="\([a-zA-Z]\(.*" />
            <action type="AbortRequest" />
        </rule>
    </rules>
</rewrite>

This way you abort requests with an url like: https://somewebsite.xss/(A(%22onerror=%22alert%60TEST%20XXS%60%22))/page.aspx