Data URI and the potentially dangerous Request.Path value

I tried using a data URI with this CSS property:

background-image: url("data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAA9JREFUeNpiYGBg8AUIMAAAUgBOUWVeTwAAAABJRU5ErkJggg==");

And locally it works great. However, when I debug the file, Chrome is missing. If I try to go to it, I get: "A potentially dangerous Request.Path value was detected from the client (:)".

Thus, it is obvious that my application considers the URIs for this image to be suspicious.

How can I show it? I tried to mitigate the validation using:

<httpRuntime requestPathInvalidCharacters="" requestValidationMode="2.0" />
<pages validateRequest="false"></pages>

Ideally, I would not want to loosen the rules too much, just enough to load these images with data URIs.

+3
security asp.net-mvc-3 data-uri
Apr 16 '13 at 16:50
1 answer

I would promise that the application considers the request suspicious due to Base-64 encoded URIs. Base-64 malicious URL encoding is a common attacker strategy that allows you to obtain URLs through front-end filters that share and/or remove URLs and also hide the request from people reading the code. XSS attacks are usually performed by retrieving one of these URIs that are stored in a database and served to other users.

Due to the high risks of XSS these days, I am embarrassed to turn off the check. If you can, just use an unencoded URI. If you cannot, you should ask yourself why. If you are trying to increase security by confusing URIs, be aware that this is very trivial for an attacker to decode. This is not any form of encryption, just another way of representing data.

+1
Apr 16 '13 at 17:47
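As an added example from the defender's side (not code from the question or the answer above): a server-side validator for user-supplied data: URIs that accepts only base64 payloads of an allowlisted image type and checks the decoded bytes against that type's magic, so an HTML or script payload dressed up as an image is rejected before it is stored and served to other users. The function names `make_image_data_uri` and `validate_image_data_uri` and the size limit are choices made here, not anything from the page.

```python
import base64
import binascii
import re

# Allowlisted raster image types and the magic bytes a genuine payload starts with.
# image/svg+xml is deliberately absent: SVG is XML and can carry <script>.
ALLOWED_IMAGE_TYPES = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/gif": b"GIF8",
    "image/jpeg": b"\xff\xd8\xff",
}

# data:[<mediatype>][;param]*[;base64],<data>  (RFC 2397 shape, simplified)
DATA_URI_RE = re.compile(r"^data:([\w.+-]+/[\w.+-]+)?((?:;[^;,]*)*),(.*)$", re.DOTALL)


def make_image_data_uri(media_type: str, payload: bytes) -> str:
    """Build a base64 data: URI; used here to construct sample inputs."""
    return f"data:{media_type};base64,{base64.b64encode(payload).decode('ascii')}"


def validate_image_data_uri(uri: str, max_bytes: int = 64 * 1024):
    """Check a user-supplied data: URI before storing or serving it.

    Returns (accepted, reason). Only base64 payloads of an allowlisted image
    type whose decoded bytes match that type's magic are accepted, so a
    text/html or script payload declared as an image never reaches other users.
    """
    m = DATA_URI_RE.match(uri.strip())
    if not m:
        return False, "not a data: URI"
    media_type = (m.group(1) or "text/plain").lower()  # RFC 2397 default type
    params = [p.lower() for p in m.group(2).split(";") if p]
    if media_type not in ALLOWED_IMAGE_TYPES:
        return False, f"media type not allowed: {media_type}"
    if "base64" not in params:
        return False, "only base64 payloads are accepted"
    try:
        # validate=True refuses characters outside the base64 alphabet
        payload = base64.b64decode(m.group(3), validate=True)
    except (binascii.Error, ValueError):
        return False, "payload is not valid base64"
    if len(payload) > max_bytes:
        return False, f"payload exceeds {max_bytes} bytes"
    if not payload.startswith(ALLOWED_IMAGE_TYPES[media_type]):
        return False, "decoded bytes do not match the declared image type"
    return True, "ok"
```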