OWASP O2 Platform Blog

Consuming ASP.NET Control Encoding mappings and visualizing them – Part 1

Finding out exactly how the default ASP.NET Controls encode their output is not simple, and surprisingly there are no good sources out there that clearly show what happens.

The best I could find is the table from Sasha Faust's "Which ASP.NET Controls Automatically Encodes?" blog post. Look in the attached asp.net_control_encoding.htm file, which looks like this:

The problem with that file is that it is not in a consumable format (it is an HTML table).

So the first thing we need to do is to extract this data into a serializable .NET C# class which can be further analyzed.

To do that I wrote this script Util – AspNet ControlEncodings (Raw Format).h2 which looks like this when executed:

What is nice about that table is that, thanks to the color coding and a small change to the PropertyName value, we can now see:

all mappings that do no Encoding:

the mappings that have at least one of the encodings enabled (either HtmlEncode or HtmlEncode):

the mappings that have both encodings enabled:

the mappings that don’t have an AttributeName defined:

Data stored in XML

These views are created from a serializable object (defined in AspNetControlEncodings.cs) whose data is stored as an XML file:

Source Code

Here is the source code of this script:

//var topPanel = panel.clear().add_Panel();
var topPanel = O2Gui.open<Panel>("Util - AspNet ControlEncodings (Raw Format)",700,400);

// Load the serialized mappings from the local XML file
var mappedData  = "AspNetControlEncodings_Raw.xml".local().load<AspNetControlEncodings_Raw>();
// Show them in a table and add an extra "vuln" column
var tableList = topPanel.add_TableList()
                        .show(mappedData);
tableList.add_Column("vuln");

// Hide the table while the rows are colored
tableList.visible(false);
foreach(var row in tableList.rows())
{
    var values = row.values();
    if (values[2] == "na")                                  // third column is "na": black
        row.textColor(Color.Black);
    else if (values[3].toBool() && values[4].toBool())      // both encoding flags set: green
        row.textColor(Color.DarkGreen);
    else if (values[3].toBool() || values[4].toBool())      // only one flag set: orange
        row.textColor(Color.DarkOrange);
    else
    {
        // no encoding at all: red, and the PropertyName is prefixed with "* "
        row.textColor(Color.Red);
        row.SubItems[1].Text = "* " + values[1];
    }
}
tableList.visible(true);
return "ok";

//O2File:AspNetControlEncodings.cs
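
The same four-way classification can be run without the O2 GUI, for example to produce a text report of the properties that need caller-side encoding. The following is an added example, not part of the original post or of the O2 Platform code: the `Mapping` class, the `ControlName`, `EncodingA` and `EncodingB` field names, the XML layout and the sample rows are all assumptions made for illustration (only `PropertyName`, `AttributeName` and the "na" value come from the post).

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Xml.Serialization;

// Hypothetical row type; the real AspNetControlEncodings_Raw class is not shown in the post.
public class Mapping
{
    public string ControlName, PropertyName, AttributeName;
    public bool EncodingA, EncodingB;   // the two encoding flags (values[3] and values[4] in the script)
}

public static class EncodingReport
{
    // Constructed sample data with placeholder control names (not real ASP.NET results).
    const string SampleXml = @"<ArrayOfMapping>
  <Mapping><ControlName>ControlA</ControlName><PropertyName>Text</PropertyName><AttributeName>value</AttributeName><EncodingA>true</EncodingA><EncodingB>true</EncodingB></Mapping>
  <Mapping><ControlName>ControlB</ControlName><PropertyName>ToolTip</PropertyName><AttributeName>title</AttributeName><EncodingA>false</EncodingA><EncodingB>true</EncodingB></Mapping>
  <Mapping><ControlName>ControlC</ControlName><PropertyName>Text</PropertyName><AttributeName>na</AttributeName><EncodingA>false</EncodingA><EncodingB>false</EncodingB></Mapping>
  <Mapping><ControlName>ControlD</ControlName><PropertyName>Caption</PropertyName><AttributeName>alt</AttributeName><EncodingA>false</EncodingA><EncodingB>false</EncodingB></Mapping>
</ArrayOfMapping>";

    // Same decision order as the script: "na" first, then both, then either, then none.
    public static string Classify(Mapping m)
    {
        if (m.AttributeName == "na") return "no-attribute";
        if (m.EncodingA && m.EncodingB) return "both-encodings";
        if (m.EncodingA || m.EncodingB) return "one-encoding";
        return "no-encoding";           // shown in red and prefixed with "* " in the GUI
    }

    public static void Main()
    {
        // Deserialize the XML back into typed rows, as the script's load<T>() step does.
        var serializer = new XmlSerializer(typeof(List<Mapping>));
        List<Mapping> mappings;
        using (var reader = new StringReader(SampleXml))
            mappings = (List<Mapping>)serializer.Deserialize(reader);

        // Group rows by category and print one block per category.
        foreach (var group in mappings.GroupBy(m => Classify(m)).OrderBy(g => g.Key))
        {
            Console.WriteLine("{0} ({1})", group.Key, group.Count());
            foreach (var m in group)
                Console.WriteLine("    {0}.{1} -> {2}", m.ControlName, m.PropertyName, m.AttributeName);
        }
    }
}
```

The rows in the `no-encoding` group are the ones to check first in a code review, since any value assigned to those properties has to be encoded by the calling code.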

How the AspNetControlEncodings_Raw.xml file was created

To see how this script was created and how the original HTML table was transformed into the XML file, see this blog post: Creating the “Util – AspNet Control Encodings (Raw Format).h2” script

November 16, 2011 - Posted by | .NET, ASP.NET Controls

1 Comment »

  1. […] is the script’s sequence that created the script described in Consuming ASP.NET Control Encoding mappings and visualizing them – Part 1 which transforms the html based ASP.NET control encodings into an serializable C# […]

    Pingback by Creating the “Util – AspNet Control Encodings (Raw Format).h2″ script « OWASP O2 Platform Blog | November 16, 2011 | Reply

