Bypassing Cross-Site Scripting Using A Proxy

by Jon Davis 13. December 2007 09:46

When I implemented Sprinkle, which is a client-side includes (CSI) system I came up with that doesn't use IFRAMEs, I kept running into the scenario where you may want to fetch HTML from an external web site besides your own. This is sort of what Web 2.0 is all about, being able to mashup the world with not just your crap but everyone else's crap as well.

I threw together a trivial solution. This is ASP.NET-only, I might come up with a PHP-based equivalent. The idea is to implement a really trivial proxy server and cache the data for a period of time. In this particular implementation, I cache it directly into the web Application's in-memory collection.

Here's what using it might look like ..

        <%-- Client-side includes with server-side cross-site proxying --%>
        <script type="text/javascript" src=""></script>
        <div src="proxy.aspx?url=" />
        <%-- Server-side includes with cross-site proxying--%>
        <ssi:ProxyControl runat="server" ID="GoogleInsertion"
            BaseUrl="proxy.aspx?url=" />

In the server-side include implementation, the DetectImposeBase and BaseUrl properties are really just hacks where I force-inject the proxy URL to any src and href element attributes.

If you try to use the above-referenced proxy.aspx file from an external web site, it should fail. The referer header can only be on the same host.

If you try to reference a very large binary file or something, it will fail. Maximum file size is enforced, so as to not overload the Application in-memory collection that hosts the proxy cache.

This implementation doesn't work flawlessly and it's sort of a prototype thing, it only took about an hour to hack together (plus some time I spent struggling with Visual Studio puking on me), but anyway, here it is.


kick it on

Add comment

(Will show your Gravatar icon)  

  Country flag

  • Comment
  • Preview


Powered by BlogEngine.NET
Theme by Mads Kristensen

About the author

Jon Davis (aka "stimpy77") has been a programmer, developer, and consultant for web and Windows software solutions professionally since 1997, with experience ranging from OS and hardware support to DHTML programming to IIS/ASP web apps to Java network programming to Visual Basic applications to C# desktop apps.
Software in all forms is also his sole hobby, whether playing PC games or tinkering with programming them. "I was playing Defender on the Commodore 64," he reminisces, "when I decided at the age of 12 or so that I want to be a computer programmer when I grow up."

Jon was previously employed as a senior .NET developer at a very well-known Internet services company whom you're more likely than not to have directly done business with. However, this blog and all of have no affiliation with, and are not representative of, his former employer in any way.

Contact Me 

Tag cloud


<<  May 2021  >>

View posts in large calendar