How to prevent XSS attack for application?

Posted on 2008-11-14
Last Modified: 2012-06-27
How to prevent XSS attack for application? I cannot change the existing application; what I can do is only add some code to it.

There are some programs that can clean the HTML. But how can I tell which script tags are "good" tags in the application and which ones are "bad" tags that come from attackers?

For example <script>document.write("...")</script> may be a "good" script which is needed in the application. It may also be a "bad" script that comes from attackers.
Question by:treehouse2008

    Accepted Solution

    XSS attacks will try to post malicious code in either your querystrings or posted forms in hopes that it will eventually end up in the user's final HTML.

    If the code is already in your HTML it is either from the database or you have a virus on your server/development environment.

    For the former, has some pretty good native protections against XSS. If you want to add to that however, you can implement a sanitizing method in your global.asax in the Application_BeginRequest method.

    Here you can simply replace the < and > characters with &lt; and &gt;. It should be enough to protect you from XSS. For SQL injection it may be a bit more tricky. I think this article may help you with that:

    Let me know if you need further information.

    Best Regards,
    Alex Percsi.

    Author Comment

    Thanks a lot.
    One question: what if '<' and/or '>' is what the application needs or permits? For example, in a search condition, it is permitted to input: "a>15 and a <30".

    Author Comment

    Another question: In Application_BeginRequest, how can I detect which scripts are querystrings or user input in posted forms? Could you please give me some example code? Thanks.

    Expert Comment

    For your first question, I would have a javascript take the contents of the textboxes that might allow such input just before form submission and encode those characters with something that cannot be confused. For example, replace '<' with '#charLessThan' and '>' with '#charGreaterThan'.

    Then you can replace any '<' and '>' characters because the ones you need have been encoded.

    Finally, on the server side, before sending your query to the database, restore the original characters by replacing '#charLessThan' and '#charGreaterThan'.

    For your second question, you can assume that the site users will not be posting these characters in the QueryString. The form is a bit more tricky, especially if you have textboxes in which you want to allow them to post html code. You might want to simply disallow posting of <script and <object tags altogether because there is no foolproof way of determining if their contents are malicious.

    Expert Comment

    The key thing to understand is that XSS results from improper sanitisation of USER SUPPLIED input which is then displayed on a webpage.

    For example, many websites have a search box where the user can enter text to search for.  When the results page is shown the search term may be echoed back to them "You searched for blahblah" or "Sorry, No results matched blahblah".

    Here, if the search term entered by the user is not properly sanitised then XSS may result when input is displayed on the results page.

    So what you need to do is to find all places in your application where user input is accepted and validate that input and then find all places where user input is displayed as part of a web page and make it safe for displaying.

    Remember that user input can come from the query string in the url and any form data - even hidden form fields may be manipulated by the user.  Using javascript to validate form fields should NOT be relied upon to sanitise user input.  Javascript runs on the client-side (in the browser) and can be turned off.  Javascript can be used to validate form fields to make the user experience better (i.e. not having to reload the page in order to tell them they entered something incorrectly), but that input should still be treated like any other untrusted data when it gets to the server.

    Some links:
    How To: Prevent Cross-Site Scripting in ASP.NET -
    Microsoft Anti-Cross Site Scripting Library - (this is a good document which walks you through an example of dealing with XSS)

    and do read the link that alexpercsi posted on preventing SQL injection too.

    Hope this helps some.  You've got work to do!
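
    The point this comment makes, keeping the raw value for the application logic and encoding only where it is written into the page, as an added Python example that is not part of the original thread or of ASP.NET (function names and sample inputs are constructed; the search expression comes from the question above):

```python
"""Encode-at-output versus strip-on-input, using the thread's own inputs."""
import html
from html.parser import HTMLParser

# Constructed sample inputs: the legitimate search condition from the
# question, and a hostile term of the kind the question worries about.
LEGIT_SEARCH = 'a>15 and a <30'
HOSTILE_SEARCH = '<script>document.write("...")</script>'


def strip_angle_brackets(user_input: str) -> str:
    """The 'replace < and > on the way in' approach from the accepted answer.
    Safe for HTML, but it alters data the application needs: the search
    condition no longer reads a>15 and a<30 when it reaches the query."""
    return user_input.replace('<', '&lt;').replace('>', '&gt;')


def render_results_page(search_term: str, hits: int) -> str:
    """Keep search_term untouched for the search itself; HTML-encode it only
    at each output point. html.escape(quote=True) also encodes quotes, so
    the value is safe inside a double-quoted attribute and in element text."""
    safe = html.escape(search_term, quote=True)
    if hits:
        body = f'<p>You searched for {safe}</p>'
    else:
        body = f'<p>Sorry, no results matched {safe}</p>'
    # Echoing the term back into the search box is a second output point.
    return f'<input type="text" name="q" value="{safe}">{body}'


class _TagCollector(HTMLParser):
    """Records the start tags a browser-like parser would see in the page."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(page: str) -> list:
    """Tags actually present in the rendered page; encoded user input
    appears as text, so no tag from the user should show up here."""
    collector = _TagCollector()
    collector.feed(page)
    return collector.tags
```

    The hostile term survives as visible text in the results page, while only the tags the page itself emits are parsed as markup.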



    Expert Comment

    Have I misunderstood your question?  I thought you were trying to prevent XSS in an ASP.NET application - is this not the case?
