We recently scanned our web application using the Tenable web app scanning tool, and that tool detected a medium vulnerability called HTTP Parameter Pollution.
That vulnerability was detected in a specific section within our web application, Captcha.aspx.
We don't use that component explicitly. Captcha.aspx is a third-party tool provided by Google. The only section where we mention Captcha.aspx is the Web.config.
Also, we have this code in the Captcha control:
protected override void Render(System.Web.UI.HtmlTextWriter writer)
{
    writer.Write("<Div><Table>");
    // The image request carries the control's UniqueID as the "guid" query parameter
    writer.Write("<tr><td><img src=\"CaptchaImage.aspx?guid=" + _captcha.UniqueID + "\"></td></tr>");
    // Text box the user types the captcha answer into; posted back under this control's UniqueID
    writer.Write("<tr><td><input style='width: 120px;' name=\"" + this.UniqueID + "\" type=text></td></tr>");
    writer.Write("</Table></Div>");
}
Can someone please suggest how to mitigate that vulnerability?
Here is what worked for me:
protected override void Render(System.Web.UI.HtmlTextWriter writer)
{
    // Only emit the markup when the value passed into the image URL passes the check
    if (IsValidCaptcha(_captcha.UniqueID))
    {
        writer.Write("<Div><Table>");
        writer.Write("<tr><td><img src=\"CaptchaImage.aspx?guid=" + _captcha.UniqueID + "\"></td></tr>");
        writer.Write("<tr><td><input style='width: 120px;' name=\"" + this.UniqueID + "\" type=text></td></tr>");
        writer.Write("</Table></Div>");
    }
}

// Called with the control's UniqueID before it is placed in the "guid" query string
private bool IsValidCaptcha(string captchaValue)
{
    // Implement your validation logic (length, format, etc.)
    return !string.IsNullOrEmpty(captchaValue) && captchaValue.Length <= 50;
}
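HTTP Parameter Pollution is about what the receiving page does when the same parameter arrives more than once: in ASP.NET, Request.QueryString["guid"] returns "a,b" for ?guid=a&guid=b, so a handler that reads it that way silently works on a joined value. The following is an added example, not code from the question, the answer, or the captcha control's vendor. It shows the two halves a defender would check: the CaptchaImage.aspx handler refusing a request unless exactly one well-formed GUID is present, and the control building its image URL with encoding rather than string concatenation. It assumes the control stores the PNG bytes in Session under the GUID before rendering; the class names CaptchaImage and QueryParam and the field _imageId are assumptions for the example.

```csharp
// Added example: duplicate-parameter hardening for the CaptchaImage.aspx handler.
// Assumptions (not from the original post): the captcha control generates a Guid,
// stores the rendered PNG bytes in Session[guid.ToString("N")], and the page
// CaptchaImage.aspx serves those bytes back.
using System;
using System.Collections.Specialized;
using System.Web;
using System.Web.UI;

public static class QueryParam
{
    // True only when "name" occurs exactly once and parses as a hyphenated ("D")
    // or 32-hex-digit ("N") GUID. Missing, duplicated or malformed values all fail.
    public static bool TryGetSingleGuid(NameValueCollection query, string name, out Guid value)
    {
        value = Guid.Empty;
        // GetValues exposes every occurrence; the indexer would have joined them with commas.
        string[] values = query.GetValues(name);
        if (values == null || values.Length != 1)
            return false;
        return Guid.TryParseExact(values[0], "D", out value)
            || Guid.TryParseExact(values[0], "N", out value);
    }

    // Builds the image URL for the control's Render method. UrlEncode is a no-op for
    // the "N" GUID format but keeps the pattern correct if the id format ever changes;
    // HtmlAttributeEncode is what protects the src="..." attribute itself.
    public static string BuildImageUrl(Guid imageId)
    {
        string url = "CaptchaImage.aspx?guid=" + HttpUtility.UrlEncode(imageId.ToString("N"));
        return HttpUtility.HtmlAttributeEncode(url);
    }
}

// Code-behind for the assumed CaptchaImage.aspx page.
public partial class CaptchaImage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        Guid id;
        if (!QueryParam.TryGetSingleGuid(Request.QueryString, "guid", out id))
        {
            // Polluted, missing or malformed parameter: refuse rather than guess.
            Response.StatusCode = 400;
            Response.End();
            return;
        }

        // Only ids this session minted are served; anything else is a 404, not an error page.
        byte[] png = Session[id.ToString("N")] as byte[];
        if (png == null)
        {
            Response.StatusCode = 404;
            Response.End();
            return;
        }

        Response.ContentType = "image/png";
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.BinaryWrite(png);
        Response.End();
    }
}

// Inside the captcha control, the Render method would then emit the attribute-encoded URL:
//
//   writer.Write("<tr><td><img src=\"" + QueryParam.BuildImageUrl(_imageId) + "\"></td></tr>");
```

A quick way to confirm the scanner finding is closed is to request CaptchaImage.aspx once with a single valid guid (expect the image) and once with the same parameter repeated (expect 400); the handler above never reaches the Session lookup on the second request.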