Episerver with Webapi and Reflected Cross site scripting (XSS)

Asim Saeed

Vote:

When using episerver with WebApi - it enable api controller for Reflected Cross site scripting (XSS) vulnerability.

When access resource via '/api/mycontroller/? <script>alert('hi');</script> '

result in

No HTTP resource was found that matches the request URI 'http://localhost:8888/api/mycontroller/?"> <script>alert("hi");""></script> '.

No action was found on the controller 'GoldStandardTwitterFeed' that matches the request.

Reflected Cross site scripting (XSS) vulnerability. in response.

Note that the script tags are in the xml\JSON source.

If I drop the question mark, /api/mycontroller/. I'm getting correct HttpException.

"A potentially dangerous Request.Path value was detected from the client (<)."></).">

Doesn it due to default Episerver routes configuration, is any way to prevent this? It's only happen when using webapi with Episerver

Default Route

Routes.MapHttpRoute(
    "DefaultApi", 
    "api/{controller}/{id}", 
     new { id = RouteParameter.Optional 
});

Controller

public class DefaultAPIController : ApiController
{
	
	public IEnumerable Get()
	{
		return new string[] { "value1", "value2" };
	}

}

[Pasting files is not allowed]

#178744

Edited, May 19, 2017 17:13

Vote:

"A potentially dangerous Request.Path" I think is from ASP.NET not from Epi.

Who consumes the API? You could add for example bearer token authentication or reqeust forgery protection or just filter input by some AntiXSS function.

#178913

May 26, 2017 9:21

Asim Saeed

Vote:

Thanks Johan, It has been resolve. It's puplic page so can't used Bearer Token . Issue was default respose on 404 which include un decoded query string due to generic api route settings '

api/{controller}/{id}"

We have encoded the respose and clear the respose.

#178919

May 26, 2017 10:19

Try our conversational search powered by Generative AI!

Episerver with Webapi and Reflected Cross site scripting (XSS)