#StackBounty: #javascript #asp.net #security #code-injection Why injecting javascript code is a bad idea

Bounty: 50

I have a web project which is developed with ASP.NET.

In my web project, I have a page called MainPage. In MainPage, according to the query string, the end user can see a survey edit form (www.a.com?entity=survey@op=edit), a parameter insertion form (www.a.com?entity=parameter&op=add), etc.

The query strings above are just examples, since I encrypt them and the end user actually sees some complex words in the URL.

ex: www.a.com?saşlfas571=sflkmlm11sd&13kjn13=1378183

Moreover, in MainPage I'm loading JavaScript called MainPageJs, and it shows the correct JS code according to the query string.

I'm loading MainPageJs in MainPage.cshtml:

@section scripts{

http://@CustomUrl.CustomAction(

}

The code below shows how MainPageJs works:

    ....
    string res = "";
    if (queryString == "parameter")
    {
        res = "var a = 1;";
    }
    if (queryString == "survey")
    {
        res = "var a = 2;";
    }
    if (queryString == "user")
    {
        res = "var a = 3;";
    }

    return JavaScript(res.ToString());

Now, what I wonder is:

  1. Does my code style have any security problems?
  2. Does my web page have any security vulnerability?
  3. Does this style have a JavaScript code injection vulnerability?
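
Added example, not part of the original post: a JavaScript sketch contrasting the pattern in the question, where the query value only selects one of a fixed set of scripts, with the variation where the value is copied into the generated script. The function names, the canary variable `touched`, and the sample input are assumptions made for illustration.

```javascript
// Pattern from the question: the request value only selects one of a fixed
// set of server-authored scripts and is never copied into the output.
const SCRIPTS = new Map([
  ['parameter', 'var a = 1;'],
  ['survey', 'var a = 2;'],
  ['user', 'var a = 3;'],
]);

function scriptForEntity(entity) {
  return SCRIPTS.get(entity) ?? ''; // unknown value: empty script
}

// Variation to avoid: the request value is pasted into the script source.
function scriptEchoUnsafe(entity) {
  return 'var entity = "' + entity + '";';
}

// Variation for when the value must appear in the script: emit it as a JS
// string literal and escape characters that can end a <script> block or a line.
function scriptEchoEncoded(entity) {
  const literal = JSON.stringify(String(entity)).replace(
    /[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
  return 'var entity = ' + literal + ';';
}

// Evaluate generated script text in a function scope and report what it set.
// `touched` is a canary that flips only if request data ran as code.
function evaluate(source) {
  const body = 'var touched = false;\n' + source +
    '\nreturn { touched,' +
    ' a: typeof a === "undefined" ? undefined : a,' +
    ' entity: typeof entity === "undefined" ? undefined : entity };';
  return new Function(body)();
}

// Constructed input: a quote followed by an extra statement.
const CONSTRUCTED_INPUT = 'x"; touched = true; //';

function demo() {
  return {
    allowlisted: evaluate(scriptForEntity(CONSTRUCTED_INPUT)).touched,  // false
    unsafeEcho: evaluate(scriptEchoUnsafe(CONSTRUCTED_INPUT)).touched,   // true
    encodedEcho: evaluate(scriptEchoEncoded(CONSTRUCTED_INPUT)).touched, // false
  };
}

console.log(demo());
```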

