How to prevent XSS attack for application?

How to prevent XSS attack for application? I cannot change the existing application; what I can do is only to add some code to it.

There are some programs that can clean the HTML. But how can I tell which script is a "good" tag in the application and which one is a "bad" tag that comes from attackers?

For example <script>document.write("...")</script> may be "good" script which is needed in the application. It may also be "bad" script that comes from attackers.

XSS attacks will try to post malicious code in either your querystrings or posted forms in hopes that it will eventually end up in the user's final HTML.

If the code is already in your HTML it is either from the database or you have a virus on your server/development environment.

For the former, has some pretty good native protections against XSS. If you want to add to that however, you can implement a sanitizing method in your global.asax in the Application_BeginRequest method.

Here you can simply replace the < and > characters with &lt; and &gt;. It should be enough to protect you from XSS. For SQL injection it may be a bit more tricky. I think this article may help you with that:

Let me know if you need further information.

Best Regards,
Alex Percsi.

treehouse2008Author Commented:
Thanks a lot.
One question: what if '<' and/or '>' is what the application needs or permits? For example, in a search condition, it is permitted to input: "a>15 and a <30".
treehouse2008Author Commented:
Another question: In Application_BeginRequest, how can I detect which scripts are in query strings or in user input from posted forms? Could you please give me some example code. Thanks.

For your first question, I would have a javascript take the contents of the textboxes that might allow such input just before form submission and encode those characters with something that cannot be confused. For example, replace '<' with '#charLessThan' and '>' with '#charGreaterThan'.

Then you can replace any '<' and '>' characters because the ones you need have been encoded.

Finally, on the server side, before sending your query to the database, restore the original characters by replacing '#charLessThan' and '#charGreaterThan'.

For your second question, you can assume that the site users will not be posting these characters in the QueryString. The form is a bit more tricky, especially if you have textboxes in which you want to allow them to post html code. You might want to simply disallow posting of <script and <object tags altogether because there is no foolproof way of determining if their contents are malicious.
The key thing to understand is that XSS results from improper sanitisation of USER SUPPLIED input which is then displayed on a webpage.

For example, many websites have a search box where the user can enter text to search for.  When the results page is shown the search term may be echoed back to them "You searched for blahblah" or "Sorry, No results matched blahblah".

Here, if the search term entered by the user is not properly sanitised then XSS may result when input is displayed on the results page.

So what you need to do is to find all places in your application where user input is accepted and validate that input and then find all places where user input is displayed as part of a web page and make it safe for displaying.

Remember that user input can come from the query string in the url and any form data - even hidden form fields may be manipulated by the user.  Using javascript to validate form fields should NOT be relied upon to sanitise user input.  Javascript runs on the client-side (in the browser) and can be turned off.  Javascript can be used to validate form fields to make the user experience better (i.e. not having to reload the page in order to tell them they entered something incorrectly), but that input should still be treated like any other untrusted data when it gets to the server.

Some links:
How To: Prevent Cross-Site Scripting in ASP.NET -
Microsoft Anti-Cross Site Scripting Library - (this is a good document which walks you through an example of dealing with XSS)

and do read the link that alexpercsi posted on preventing SQL injection too.

Hope this helps some.  You've got work to do!
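The "encode at the point of display" approach from the last answer, applied to the search-box example and to the asker's "a>15 and a <30" case, as an added example that is not from this thread; Python's html.escape stands in for ASP.NET's HttpUtility.HtmlEncode, and the sample inputs are constructed:

```python
import html

# Constructed sample inputs: a legitimate search expression that contains
# angle brackets, and a script payload of the kind the question quotes.
LEGIT_SEARCH = "a>15 and a <30"
HOSTILE_SEARCH = '<script>document.write("...")</script>'


def render_results_page(search_term: str, hits: int) -> str:
    """Build the 'You searched for ...' fragment of the results page.

    The untrusted search term is HTML-encoded exactly where it is placed
    into HTML text content, and nowhere earlier. The browser renders
    '&gt;' back as '>', so the user still sees what they typed, while a
    '<script>' in the term arrives as inert text rather than a tag.
    """
    safe = html.escape(search_term, quote=True)
    if hits:
        return f"<p>You searched for {safe}</p>"
    return f"<p>Sorry, no results matched {safe}</p>"


def query_parameter(search_term: str) -> str:
    """What goes to the data layer: the raw term, untouched.

    HTML encoding belongs to the HTML output context only. The database
    receives the original characters, so 'a>15 and a <30' keeps its
    meaning; bind it as a query parameter rather than concatenating it
    into SQL, which is the separate fix for SQL injection.
    """
    return search_term


def contains_raw_markup(fragment: str) -> bool:
    """Self-check for a rendered fragment: after removing the fixed <p>
    wrapper, any remaining '<' or '>' would be an encoding failure."""
    body = fragment.replace("<p>", "").replace("</p>", "")
    return "<" in body or ">" in body
```

Because the encoding happens on the server at output time, it does not depend on any client-side JavaScript having run, which is the weakness of the '#charLessThan' substitution suggested earlier in the thread.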

treehouse2008Author Commented:
Have I misunderstood your question?  I thought you were trying to prevent XSS in an ASP.NET application - is this not the case?