Alik Levin

The world of a Microsoft consultant

XSS? - Do not Make Me Laugh, We Use WinForms

I find myself sometimes (actually too many times...) in the ridiculous situation of explaining to people the impact of Cross Site Scripting attacks (the attack) that result from improper encoding of user input (the vulnerability), and how to counter this attack properly. After all parties understand this, everybody feels great relief, since "our app is not a web app - we use WinForms". Great!! The threat is mitigated by removing the feature of rendering HTML output...

"Hold it, you told me that your system presents to end user different types of documents, right?"

"Right, so?"

"Do you show HTML docs too?"

"Sure!"

"Great, and what do you use for it?"

"WebBrowser control, of course"

"I get it... So if you get HTML doc, it might include some script like this one:

<script>alert("HACKED!!")</script>

 that can render as follows, right?"

"... right..."

How does one prevent scripts from running inside the WebBrowser control?

I did not find an easy way to control it other than using P/Invoke as described here - http://msdn.microsoft.com/workshop/browser/hosting/wbcustomization.asp?frame=true Here is another post on that one - http://slingkid.blogsome.com/2006/05/26/ (it actually points back to the above link but has a good interop example) and another discussion here - http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=66493&SiteID=1

Cheers

Comments

Oren Eini wrote:

I can point you in the right direction, RSS Bandit is an OSS reader that has settings for this, you can check how those are applied.
# January 6, 2007 11:32 AM

alikl wrote:

Oren, thanks for your comment.

I am not sure how RSS Bandit can help me prevent scripts from running when I host the WebBrowser control that ships with .NET Fx 2 on my WinForm.

What did I miss here?

BTW, You got very nice blog :)

# January 6, 2007 2:14 PM

Oren Eini wrote:

I meant that RSS Bandit has solved the problem of allowing/disabling Javascript, etc. Here is the relevant code: http://rssbandit.cvs.sourceforge.net/rssbandit/CurrentWork/Source/ChildProjects/IEControl/HtmlControl.cs?view=markup Check lines 464 onward.
# January 7, 2007 9:01 PM

alikl wrote:

Oren!, Excellent pointer!!

They use DLCTL_NO_SCRIPTS in http://rssbandit.cvs.sourceforge.net/rssbandit/CurrentWork/Source/ChildProjects/IEControl/Interop/DocHostUIHandler.cs?revision=1.6&view=markup - the one that was pointed to in the original post; check it out here http://msdn.microsoft.com/workshop/browser/hosting/wbcustomization.asp?frame=true

Excellent investigation, thanks!!

I am sure this should be implemented in the managed version of WebBrowser control

Cheers

# January 8, 2007 3:08 PM
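The DLCTL_NO_SCRIPTS approach raised in the post and in the comment thread above can also be done from managed code without a full IDocHostUIHandler implementation; the following is an added example (not code from the post, MSDN or RSS Bandit). It assumes the CLR's convention of routing unknown DISPIDs on an IReflect-implementing site to InvokeMember under the name "[DISPID=n]", and the DISPID/DLCTL constants from mshtmdid.h.

```csharp
using System;
using System.Globalization;
using System.Reflection;
using System.Windows.Forms;

// WebBrowser subclass whose site answers MSHTML's DISPID_AMBIENT_DLCONTROL
// ambient-property query with restrictive download-control flags, so script
// (and Java/ActiveX) in a hosted HTML document is never executed.
public class NoScriptWebBrowser : WebBrowser
{
    protected override WebBrowserSiteBase CreateWebBrowserSiteBase()
    {
        return new NoScriptSite(this);
    }

    // The site is the container's IDispatch; the CLR forwards unknown DISPIDs
    // to IReflect.InvokeMember with the name "[DISPID=<n>]" (assumption noted above).
    private class NoScriptSite : WebBrowserSite, IReflect
    {
        private const int DISPID_AMBIENT_DLCONTROL = -5512;   // mshtmdid.h
        private const int DLCTL_NO_SCRIPTS = 0x00000080;       // mshtmdid.h
        private const int DLCTL_NO_JAVA = 0x00000100;
        private const int DLCTL_NO_RUNACTIVEXCTLS = 0x00000200;
        private const int DLCTL_NO_DLACTIVEXCTLS = 0x00000400;

        public NoScriptSite(WebBrowser host) : base(host) { }

        public object InvokeMember(string name, BindingFlags flags, Binder binder,
            object target, object[] args, ParameterModifier[] mods,
            CultureInfo culture, string[] namedParams)
        {
            if (name == "[DISPID=" + DISPID_AMBIENT_DLCONTROL + "]")
                return DLCTL_NO_SCRIPTS | DLCTL_NO_JAVA
                     | DLCTL_NO_RUNACTIVEXCTLS | DLCTL_NO_DLACTIVEXCTLS;
            throw new MissingMethodException(name); // other ambient queries: unsupported
        }

        // Remaining IReflect members expose nothing else to MSHTML.
        public Type UnderlyingSystemType { get { return GetType(); } }
        public FieldInfo GetField(string n, BindingFlags f) { return null; }
        public FieldInfo[] GetFields(BindingFlags f) { return new FieldInfo[0]; }
        public MemberInfo[] GetMember(string n, BindingFlags f) { return new MemberInfo[0]; }
        public MemberInfo[] GetMembers(BindingFlags f) { return new MemberInfo[0]; }
        public MethodInfo GetMethod(string n, BindingFlags f) { return null; }
        public MethodInfo GetMethod(string n, BindingFlags f, Binder b, Type[] t, ParameterModifier[] m) { return null; }
        public MethodInfo[] GetMethods(BindingFlags f) { return new MethodInfo[0]; }
        public PropertyInfo GetProperty(string n, BindingFlags f) { return null; }
        public PropertyInfo GetProperty(string n, BindingFlags f, Binder b, Type r, Type[] t, ParameterModifier[] m) { return null; }
        public PropertyInfo[] GetProperties(BindingFlags f) { return new PropertyInfo[0]; }
    }
}
```

Drop NoScriptWebBrowser onto the form in place of WebBrowser; MSHTML reads the ambient flags when it loads each document, so the site must be in place before the first Navigate or DocumentText assignment.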
