CounterMeasures for Cross-Site Scripting(XSS) attacks in ASP.net

Posted by: Sunil Yadav    Posted date: May 21, 2010    Category: ASP.NET    URL: http://www.dotnetspark.com

In this article I am going to explain how we can protect our application from XSS attacks.
 

Introduction
The cross-site scripting (XSS) attack is quite popular these days. It is mainly used to steal user data such as cookies, ViewState, etc.
Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript, ActiveX, Java, Flash, or any other browser-supported technology.
A simple example of an XSS attack is shown below; it displays an alert message.

    http://testsite.com/default.aspx?id=2&"<script>alert('Hello Sunilee');"

An XSS attack can lead to the following:

    1. Data integrity can be compromised.
    2. Cookies can be set and read.
    3. User input can be intercepted.
    4. Malicious scripts can be executed by the client in the context of the trusted source.

Countermeasures

1. Using secure code

Encode HTML Output

Use the HttpUtility.HtmlEncode method to encode output if it contains input from the user or from other sources such as databases. HtmlEncode replaces characters that have special meaning in HTML with the HTML entities that represent those characters. For example, < is replaced with &lt; and " is replaced with &quot;. Encoded data does not cause the browser to execute code; instead, it is rendered as harmless HTML. Consider the following example.

   
    private void Page_Load(object sender, EventArgs e)
    {
        // Encode the string before writing it to the response so the
        // browser shows it as text instead of interpreting it as markup.
        Response.Write(HttpUtility.HtmlEncode("<html>"));
    }

    The above code writes &lt;html&gt; to the response, which the browser displays as the literal text <html> rather than treating it as a tag.

Encode URL Output
If you return URL strings that contain user input to the client, use the HttpUtility.UrlEncode method to encode these URL strings, as shown in the following code example.

    // The string contains characters that are reserved in a URL (: / = & < >),
    // so it is percent-encoded before being written to the response.
    string urlString = "http://sunilyadav.net/id=1&'<script lang='javascript'/>";
    Response.Write(HttpUtility.UrlEncode(urlString));

    //Output
    http%3a%2f%2fsunilyadav.net%2fid%3d1%26'%3cscript+lang%3d'javascript'%2f%3e

Use the innerText Property Instead of innerHTML
If you use the innerHTML property to build a page and the HTML is based on potentially untrusted input, you must use HtmlEncode to make it safe. To avoid having to remember to do this, use innerText instead. The innerText property renders content safe and ensures that scripts are not executed.
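As an added example (not code from the original article), the Web Forms code-behind below applies the encoders described above to one untrusted query-string value, once for each output context it lands in. The page class `Greeting`, the `name` parameter and the two Render methods are assumptions for illustration; the unencoded version is kept only to show the pattern the encoded one replaces.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Assumed page class for illustration; not part of the original article.
public partial class Greeting : Page
{
    // The pattern the article warns against: the raw query-string value is
    // written straight into the page, so any markup in it is interpreted
    // by the visitor's browser instead of being shown as text.
    private void RenderUnencoded(string name)
    {
        Response.Write("<p>Hello " + name + "</p>");
    }

    // Encode the value for each context it is placed in.
    private void RenderEncoded(string name)
    {
        // HTML body: HtmlEncode turns <, >, & and " into entities, so a
        // value such as <b>x</b> is displayed literally, never parsed as a tag.
        Response.Write("<p>Hello " + HttpUtility.HtmlEncode(name) + "</p>");

        // Query string: UrlEncode percent-encodes reserved characters
        // (as in the article's example, a space becomes '+' and '<' becomes %3c).
        string link = "default.aspx?name=" + HttpUtility.UrlEncode(name);

        // The link is itself placed inside an HTML attribute, so encode for
        // that context as well before emitting it.
        Response.Write("<a href=\"" + HttpUtility.HtmlAttributeEncode(link)
                       + "\">Greet again</a>");
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // "name" is an assumed parameter name; QueryString returns null when absent.
        string name = Request.QueryString["name"] ?? "guest";
        RenderEncoded(name);   // RenderUnencoded(name) is the pattern to avoid
    }
}
```

Each encoder is tied to one context (HTML body, URL, HTML attribute); using HtmlEncode alone for a value that ends up inside a URL, or UrlEncode for one that ends up in the page body, leaves the other context unprotected.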

2. Using Microsoft Cross Site Scripting Libraries

Check whether request validation (ValidateRequest="true") is enabled on the ASP.NET page. By default this property is enabled, and when you try to inject HTML the framework returns an error page displaying the message "A potentially dangerous Request.QueryString value was detected from the client".
You can set this property in web.config as shown below.

    <!-- attribute names in web.config are case-sensitive: the pages element uses validateRequest -->
    <system.web>
        <pages buffer="true" validateRequest="true" />
    </system.web>

The request validation property can also be set at page level, as shown below.

    <%@ Page Language="C#" ValidateRequest="true" %>


Use the frame Security Attribute
Internet Explorer 6 and later support a new security attribute for the and