[Webinar] Learn how to a build a cloud-first strategyRegister Now


How to prevent XSS attack for asp.net application?

Posted on 2008-11-14
Medium Priority
Last Modified: 2012-06-27
How to prevent XSS attack for asp.net application?  I cannot changed the existing applicaiton, what I can do is only to add some codes to it.

There are some programs that can clean the HTML. But how can I tell which script is "good" tags in the application and which one is "bad" tags which comes from attackers.

For example <scrip>Document.wirte("...")</script>  may be "good" script which is needed in the application. It may also be "bad" script that comes from attackers.
Question by:treehouse2008
  • 3
  • 2
  • 2

Accepted Solution

alexpercsi earned 1500 total points
ID: 22963293
XSS attacks will try to post malicious code in either your querystrings or posted forms in hopes that it will eventually end up in the user's final HTML.

If the code is already in your HTML it is either from the database or you have a virus on your server/development environment.

For the former, asp.net has some pretty good native protections against XSS. If you want to add to that however, you can implement a sanitizing method in your global.asax in the Application_BeginRequest method.

Here you can simply replace the < and > characters with < and >. It should be enough to protect you from XSS. For SQL injection it may be a bit more tricky. I think this article may help you with that:


Let me know if you need further information.

Best Regards,
Alex Percsi.

Author Comment

ID: 22963677
Thanks a lot.
One question: what if '<' and.or  '>' is what the application needs or permits. For example, in a search condition, it is permitted to input:   " a>15 and a <30".

Author Comment

ID: 22963772
Another question: In Application_BeginRequest, how can I detect which scripts are querystrings or user input in posted forms?  Could you please give me some example codes. Thanks.
New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.


Expert Comment

ID: 22966294
For your first question, I would have a javascript take the contents of the textboxes that might allow such input just before form submission and encode those characters with something that cannot be confused. For example, replace '<' with '#charLessThan' and '>' with '#charGreaterThan'.

Then you can replace any '<' and '>' characters because the ones you need have been encoded.

Finally, on the server side, before sending your query to the database, restore the original characters by replacing '#charLessThan' and '#charGreaterThan'.

For your second question, you can assume that the site users will not be posting these characters in the QueryString. The form is a bit more tricky, especially if you have textboxes in which you want to allow them to post html code. You might want to simply disallow posting of <script and <object tags altogether because there is no foolproof way of determining if their contents are malicious.
LVL 12

Expert Comment

ID: 22966601
The key thing to understand is that XSS results from improper sanitisation of USER SUPPLIED input which is then displayed on a webpage.

For example, many websites have a search box where the user can enter text to search for.  When the results page is shown the search term may be echoed back to them "You searched for blahblah" or "Sorry, No results matched blahblah".

Here, if the search term entered by the user is not properly sanitised then XSS may result when input is displayed on the results page.

So what you need to do is to find all places in your application where user input is accepted and validate that input and then find all places where user input is displayed as part of a web page and make it safe for displaying.

Remember that user input can come from the query string in the url and any form data - even hidden form fields may be manipulated by the user.  Using javascript to validate form fields should NOT be relied upon to sanitise user input.  Javascript runs on the client-side (in the browser) and can be turned off.  Javascript can be used to validate form fields to make the user experience better (i.e. not having to reload the page in order to tell them they entered something incorrectly), but that input should still be treated like any other untrusted data when it gets to the server.

Some links:
How To: Prevent Cross-Site Scripting in ASP.NET - http://msdn.microsoft.com/en-us/library/ms998274.aspx
Microsoft Anti-Cross Site Scripting Library - http://msdn.microsoft.com/en-us/library/aa973813.aspx (this is a good document which walks you through an example of dealing with XSS)

and do read the link that alexpercsi posted on preventing SQL injection too.

Hope this helps some.  You've got work to do!


Author Closing Comment

ID: 31516932
LVL 12

Expert Comment

ID: 22985482
Have I misunderstood your question?  I thought you were trying to prevent XSS in an ASP.NET application - is this not the case?

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Real-time is more about the business, not the technology. In day-to-day life, to make real-time decisions like buying or investing, business needs the latest information(e.g. Gold Rate/Stock Rate). Unlike traditional days, you need not wait for a fe…
The article shows the basic steps of integrating an HTML theme template into an ASP.NET MVC project
This video teaches viewers how to create their own website using cPanel and Wordpress. Tutorial walks users through how to set up their own domain name from tools like Domain Registrar, Hosting Account, and Wordpress. More specifically, the order in…
Learn how to set-up custom confirmation messages to users who complete your Wufoo form. Include inputs from fields in your form, webpage redirects, and more with Wufoo’s confirmation options.
Suggested Courses

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question