treehouse2008
How to prevent XSS attack for asp.net application?

How can I prevent XSS attacks in an ASP.NET application? I cannot change the existing application; all I can do is add some code to it.

There are some programs that can clean the HTML. But how can I tell which script tags are "good" ones that belong to the application and which are "bad" ones that come from attackers?

For example, <script>document.write("...")</script> may be a "good" script that the application needs. It may also be a "bad" script that comes from attackers.
ASKER CERTIFIED SOLUTION
alexpercsi
treehouse2008

ASKER

Thanks a lot.
One question: what if '<' and/or '>' is what the application needs or permits? For example, in a search condition it is permitted to enter "a>15 and a <30".

Another question: in Application_BeginRequest, how can I detect which scripts come from query strings or from user input in posted forms? Could you please give me some example code? Thanks.
For your first question, I would have a JavaScript function take the contents of the textboxes that might allow such input just before form submission and encode those characters with something that cannot be confused. For example, replace '<' with '#charLessThan' and '>' with '#charGreaterThan'.

Then you can replace any '<' and '>' characters because the ones you need have been encoded.

Finally, on the server side, before sending your query to the database, restore the original characters by replacing '#charLessThan' and '#charGreaterThan'.

For your second question, you can assume that the site users will not be posting these characters in the QueryString. The form is a bit more tricky, especially if you have textboxes in which you want to allow them to post html code. You might want to simply disallow posting of <script and <object tags altogether because there is no foolproof way of determining if their contents are malicious.
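For the second question (reading query-string and form fields in the request pipeline), here is an added example that is not code from the thread or from either poster. It is an IHttpModule, which can be dropped into App_Code and registered in web.config without editing any existing page, matching the asker's constraint. The module enumerates Request.QueryString and Request.Form in BeginRequest and rejects any value that looks like the start of a tag ('<' followed by a letter, '/', '!' or '?'), so "a>15 and a <30" passes while "<script" does not. The module and regex names, the 400 response and the web.config snippet are my assumptions. ASP.NET 1.1 and later already ship request validation (the ValidateRequest directive, on by default) that rejects similar input; this module does the same job in one place and lets you log what was rejected. It is a defence-in-depth filter, not a substitute for encoding output.

```csharp
// Added example, not from the original thread. Assumed to live in App_Code.
// web.config (classic pipeline / IIS 6):
//   <system.web><httpModules>
//     <add name="InputInspection" type="InputInspectionModule" />
//   </httpModules></system.web>
// IIS 7 integrated pipeline: the same <add> under <system.webServer><modules>.
using System;
using System.Collections.Specialized;
using System.Text.RegularExpressions;
using System.Web;

public class InputInspectionModule : IHttpModule
{
    // Matches the start of an HTML/XML tag or comment: '<' followed by a letter,
    // '/', '!' or '?'. "a>15 and a <30" does NOT match (the '<' is followed by a
    // digit), so comparison operators in a search box survive while "<script",
    // "</textarea>" and "<!--" do not.
    static readonly Regex LooksLikeMarkup =
        new Regex(@"<\s*[A-Za-z/!?]", RegexOptions.Compiled);

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    public void Dispose() { }

    void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest request = app.Context.Request;

        // Request.Form is empty for GET, so both collections can always be checked.
        string offender = FindSuspiciousField("query", request.QueryString)
                       ?? FindSuspiciousField("form", request.Form);
        if (offender == null) return;

        // Reject early: the page handler never runs. Report only the field NAME;
        // echoing the rejected value back would make the error page itself an
        // XSS sink. Write the value to your log instead.
        app.Context.Response.StatusCode = 400;
        app.Context.Response.ContentType = "text/plain";
        app.Context.Response.Write("Request rejected: markup is not allowed in " + offender);
        app.CompleteRequest();
    }

    // Returns "source:fieldname" for the first field whose value looks like
    // markup, or null when every field is clean.
    internal static string FindSuspiciousField(string source, NameValueCollection fields)
    {
        foreach (string key in fields.AllKeys)
        {
            if (key == null) continue;          // unnamed parameters (?foo) have a null key
            string value = fields[key];
            if (value != null && LooksLikeMarkup.IsMatch(value))
                return source + ":" + key;
        }
        return null;
    }
}
```

Cookies, request headers and ViewState are not inspected by this module, and a regex blacklist can always be bypassed by an encoding the filter does not see; treat it as a tripwire and logging point, and rely on output encoding for the actual fix.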
The key thing to understand is that XSS results from improper sanitisation of USER SUPPLIED input which is then displayed on a webpage.

For example, many websites have a search box where the user can enter text to search for.  When the results page is shown the search term may be echoed back to them "You searched for blahblah" or "Sorry, No results matched blahblah".

Here, if the search term entered by the user is not properly sanitised then XSS may result when input is displayed on the results page.

So what you need to do is to find all places in your application where user input is accepted and validate that input and then find all places where user input is displayed as part of a web page and make it safe for displaying.

Remember that user input can come from the query string in the URL and any form data; even hidden form fields may be manipulated by the user.  Using JavaScript to validate form fields should NOT be relied upon to sanitise user input.  JavaScript runs on the client side (in the browser) and can be turned off.  JavaScript can be used to validate form fields to make the user experience better (i.e. not having to reload the page in order to tell them they entered something incorrectly), but that input should still be treated like any other untrusted data when it gets to the server.

Some links:
How To: Prevent Cross-Site Scripting in ASP.NET - http://msdn.microsoft.com/en-us/library/ms998274.aspx
Microsoft Anti-Cross Site Scripting Library - http://msdn.microsoft.com/en-us/library/aa973813.aspx (this is a good document which walks you through an example of dealing with XSS)

and do read the link that alexpercsi posted on preventing SQL injection too.

Hope this helps some.  You've got work to do!
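As an added example of the "make it safe for displaying" step in the answer above (not code from the thread or from the linked Microsoft documents), here is the search-results page from that answer written three ways: the vulnerable raw echo, and the same term encoded for the HTML body, for an attribute value, and for a JavaScript string. The page name, the two Literal controls and the q parameter are my assumptions. HttpUtility.HtmlEncode and HttpUtility.HtmlAttributeEncode are the standard .NET Framework calls; the hand-written JavaScript encoder is included because HttpUtility.JavaScriptStringEncode only exists from .NET 4.0 onwards.

```csharp
// Added example, not from the original thread. Assumes a SearchResults.aspx with
// <asp:Literal id="ResultsMessage" runat="server" /> and
// <asp:Literal id="SearchBox" runat="server" /> and a query-string parameter "q".
using System;
using System.Text;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class SearchResults : Page
{
    protected Literal ResultsMessage;   // assumed control on the .aspx
    protected Literal SearchBox;        // assumed control on the .aspx

    protected void Page_Load(object sender, EventArgs e)
    {
        string term = Request.QueryString["q"] ?? "";

        // VULNERABLE: raw echo of untrusted input into the HTML body.
        //   ?q=<script>document.write('...')</script>
        // would run in every visitor's browser who follows that link.
        // ResultsMessage.Text = "You searched for " + term;

        // HTML body context: < > & " become entities, so the browser displays
        // the text "<script>" instead of executing it.
        ResultsMessage.Text = "You searched for " + HttpUtility.HtmlEncode(term);

        // Attribute context (the term is put back into the search box). Always
        // wrap the attribute in double quotes: on .NET 2.0/3.5
        // HtmlAttributeEncode escapes " & < but not the single quote.
        SearchBox.Text = "<input type=\"text\" name=\"q\" value=\""
                       + HttpUtility.HtmlAttributeEncode(term) + "\" />";

        // JavaScript string context: HtmlEncode is NOT enough inside <script>,
        // because a term of  </script><script>...  closes the script element.
        // Every non-alphanumeric character is emitted as \uXXXX instead.
        string script = "var lastSearch = '" + JavaScriptStringEncode(term) + "';";
        ClientScript.RegisterStartupScript(GetType(), "lastSearch", script, true);
    }

    // Escapes a value for use inside a single- or double-quoted JavaScript
    // string literal. Letters, digits and a few punctuation characters pass
    // through; everything else (quotes, backslash, < > &, newlines, U+2028/2029)
    // is written as a \uXXXX escape, which can never terminate the literal or
    // the enclosing <script> element.
    public static string JavaScriptStringEncode(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length + 16);
        foreach (char c in value)
        {
            if (char.IsLetterOrDigit(c) || c == ' ' || c == '.' || c == ',' || c == '_' || c == '-')
                sb.Append(c);
            else
                sb.AppendFormat("\\u{0:x4}", (int)c);
        }
        return sb.ToString();
    }
}
```

The rule the three calls illustrate is that the encoder is chosen by where the value lands in the page, not by where it came from: the same search term needs a different transformation in a text node, in an attribute and inside a script block. A search string such as "a>15 and a <30" survives all three unchanged in meaning, because encoding happens at output and nothing is stripped from the input.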


Thanks.
Have I misunderstood your question?  I thought you were trying to prevent XSS in an ASP.NET application - is this not the case?