
I am working with some legacy web apps, created with ASP.NET Webforms, that are being scanned by using Trustwave. We are using .NET Framework 4.6.

The scan report is showing that we have an output encoding issue, here are some details:

Types of encoding detected:
URL encoding

Unencoded injection string: **CENZIC123 !"#$%&'()*+,-./:;<=>?@[]^_`{|}~\CENZIC456**

Characters that were not encoded in the detection string: !()*-._~
Characters that should have been encoded for URL encoding: **!()~**

Injection URI: https://mywebsite/Authentication/Login.aspx?CENZIC123%20!%22%23%24%25%26'()*%2B%2C-.%2F%3A%3B%3C%3D%3E%3F%40%5B%5D%5E_%60%7B%7C%7D~%5CCENZIC456

I have tried to fix this by changing the default HTTP encoder to the AntiXss Encoder in the HTTP runtime node inside my Web.Config, as the Microsoft documentation suggests. But I am still having that issue reported in the scans.

What should I do to fix this?

Thanks.

https://learn.microsoft.com/en-us/dotnet/api/system.web.security.antixss.antixssencoder?view=netframework-4.8

1 Answer

I've met an issue which is somewhat similar to yours. The gateway blocked requests that have ' in the query string. This is not quite related to your site's settings; it's reported by the security scanner.

Our solution is encoding the query string to Base64, and the gateway no longer blocks requests. On the client side, you can use btoa(encodeURIComponent(...)) to encode that string to Base64. On the server side, Convert.FromBase64String(HttpUtility.UrlDecode(base64String)) will convert it back.
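To reproduce the scanner's check locally and to see what the answer's Base64 wrapping does to the query string, here is an added JavaScript example (not code from the question, the answer, or Trustwave). The detection string is the one from the report; the function names, the strict encoder and the check logic are assumptions.

```javascript
// Added example, not code from the question or the answer. The detection string
// is the scanner's; the function names and the check itself are assumptions.
const DETECTION_STRING = 'CENZIC123 !"#$%&\'()*+,-./:;<=>?@[]^_`{|}~\\CENZIC456';

// Strict percent-encoder: encodeURIComponent leaves !'()* literal (besides the
// RFC 3986 unreserved set -._~ and alphanumerics); encode those four as well.
function strictUrlEncode(s) {
  return encodeURIComponent(s).replace(/[!'()*]/g, (c) =>
    '%' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0'));
}

// Scanner-style check: collect every non-alphanumeric character that appears
// literally in `encoded`, skipping well-formed %XX escapes.
function literalPunctuation(encoded) {
  const seen = new Set();
  for (let i = 0; i < encoded.length; i++) {
    const c = encoded[i];
    if (c === '%' && /^[0-9A-Fa-f]{2}$/.test(encoded.slice(i + 1, i + 3))) {
      i += 2; // skip the two hex digits of a valid escape
      continue;
    }
    if (!/[A-Za-z0-9]/.test(c)) seen.add(c);
  }
  return [...seen].sort().join('');
}

// The answer's transport: Base64 of the percent-encoded value on the client,
// and the inverse. The Base64 alphabet itself contains + / = so the wrapped
// value still has to be URL-encoded before it goes into a query string.
function wrapForQuery(s) {
  return strictUrlEncode(btoa(encodeURIComponent(s)));
}
function unwrapFromQuery(q) {
  return decodeURIComponent(atob(decodeURIComponent(q)));
}

// Demo: what the scanner would see for each encoder.
console.log('encodeURIComponent leaves:', literalPunctuation(encodeURIComponent(DETECTION_STRING)));
console.log('strictUrlEncode leaves:   ', literalPunctuation(strictUrlEncode(DETECTION_STRING)));
console.log('wrapped round trip ok:    ', unwrapFromQuery(wrapForQuery(DETECTION_STRING)) === DETECTION_STRING);
```

Running the check against whatever encoder the page actually uses shows directly which of the reported characters (!()~) are still reflected literally, which is the finding the scanner is raising.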
