user3497702


ASP.NET MVC web app request does not have Origin in the request header and is identified as a security vulnerability by the WebInspect tool

The WebInspect tool identified a security vulnerability in the ASP.NET MVC web app on some paths, shown here:

/Content/
/Content/themes/base/images/
/Content/themes/
/Content/Images/
/profiler/results
/Account/Login
/Error/LogJavaScriptError/
/Content/themes/base/
/Content/Profile/

The app is an ASP.NET MVC web app accessed by the Chrome browser, and it will not have Origin in the request header. The paths above seem to be resources which are referred to in the ASP.NET MVC web form, and they will not have Origin, but the WebInspect tool expects it.

Please find the code added to check that Origin exists:

    using System;
    using System.Threading.Tasks;
    using Microsoft.Owin;

    // OWIN middleware that rejects every request whose Origin header is missing
    // or does not match the request's own scheme://host[:port].
    public class OriginValidationMiddleware : OwinMiddleware
    {
        public OriginValidationMiddleware(OwinMiddleware next)
            : base(next)
        {
        }

        public override async Task Invoke(IOwinContext context)
        {
            // Retrieve the Origin header from the request (null when absent)
            var origin = context.Request.Headers.Get("Origin");

            // Extract the request URL and reduce it to scheme://host[:port]
            var requestUrl = context.Request.Uri;
            var requestHost = requestUrl.GetLeftPart(UriPartial.Authority);

            // Validate the Origin header: absent or mismatching -> reject
            if (origin == null || !origin.Equals(requestHost, StringComparison.OrdinalIgnoreCase))
            {
                // If the origin is not allowed, return a forbidden status
                context.Response.StatusCode = 403;
                context.Response.ReasonPhrase = "Forbidden: Invalid Origin";
                return;
            }

            // Call the next middleware in the pipeline
            await Next.Invoke(context);
        }
    }

The MVC web requests for all pages from the Chrome browser do not have Origin in the header, so all the requests get blocked.

If I want to add Origin, it can be done for all requests to ASP.NET MVC.

Finally, at the beginning of the request the middleware will add Origin and then check Origin again, which does not make sense.

Should I find where the above paths are referred to and add the Origin over there, or add it at the beginning of the request based on the path?

Please advise what I could do in this context.

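An added example, not the asker's code or part of the original post, showing how Origin validation is usually scoped so that it does not block the paths listed above. Browsers omit the Origin header on same-origin GET and HEAD requests, which covers normal page navigation and every sub-resource fetch under `/Content/`, so a check that requires Origin on all requests will always fail those. The variant below only enforces the check on state-changing methods (where browsers do send Origin, and where the cross-site risk actually lies), falls back to the Referer header when Origin is absent, and treats the literal `null` origin as absent. The middleware name, the `AllowedOrigins` allow-list and the `app.example.test` value are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.Owin;

// Example middleware (not the asker's): gate only state-changing requests on
// their source origin, so same-origin GETs for static content pass untouched.
public class StateChangingOriginMiddleware : OwinMiddleware
{
    // Hypothetical allow-list; a real deployment would load this from configuration.
    private static readonly HashSet<string> AllowedOrigins =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "https://app.example.test"   // constructed placeholder value
        };

    // Methods on which browsers do not send Origin for same-origin requests.
    private static readonly HashSet<string> SafeMethods =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "GET", "HEAD", "OPTIONS" };

    public StateChangingOriginMiddleware(OwinMiddleware next) : base(next) { }

    public override async Task Invoke(IOwinContext context)
    {
        // Page navigations and sub-resource fetches (/Content/..., images,
        // stylesheets, scripts) are GET/HEAD and carry no Origin: let them through.
        if (SafeMethods.Contains(context.Request.Method))
        {
            await Next.Invoke(context);
            return;
        }

        string source = GetSourceOrigin(context.Request);
        string self = context.Request.Uri.GetLeftPart(UriPartial.Authority);

        // Fail closed: a state-changing request with neither Origin nor a usable
        // Referer cannot be attributed to any site, so it is rejected.
        if (source == null ||
            !(AllowedOrigins.Contains(source) ||
              string.Equals(source, self, StringComparison.OrdinalIgnoreCase)))
        {
            context.Response.StatusCode = 403;
            context.Response.ReasonPhrase = "Forbidden: Invalid Origin";
            return;
        }

        await Next.Invoke(context);
    }

    // Returns "scheme://host[:port]" taken from Origin, or from Referer when Origin
    // is absent, or null when neither header yields a usable value.
    internal static string GetSourceOrigin(IOwinRequest request)
    {
        string origin = request.Headers.Get("Origin");
        // "null" is what browsers send for opaque origins (sandboxed frames,
        // some redirects); it identifies no site, so treat it as missing.
        if (!string.IsNullOrEmpty(origin) && origin != "null")
        {
            return origin.TrimEnd('/');
        }

        string referer = request.Headers.Get("Referer");
        Uri refererUri;
        if (!string.IsNullOrEmpty(referer) &&
            Uri.TryCreate(referer, UriKind.Absolute, out refererUri))
        {
            return refererUri.GetLeftPart(UriPartial.Authority);
        }

        return null;
    }
}
```

Registered with `app.Use<StateChangingOriginMiddleware>()` in the OWIN startup class, this leaves the GET paths from the scan untouched while still rejecting cross-site POST, PUT and DELETE requests. If the scanner's finding is specifically about those GET paths, the finding is about requests a browser will never tag with Origin, and the appropriate response is to scope the check to unsafe methods as above rather than to inject an Origin header before validating it.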