ASP .NET Security - Stopping scripting attaXSS in their traXSS
As of May 2007, the top security vulnerability on the web is Cross Site Scripting (XSS). And why shouldn't it be? XSS is extremely easy to exploit and potentially lethal to the credibility of your site. Fortunately, the kind people at Microsoft have made it simple to defend against.
The culprit
Here's the situation: you have a web form where users can post data for others to see. For example, you're writing a custom blog application and you want readers to leave comments, so your page has a textbox for the comment text; let's call this textbox "txtUserComments".
When your user clicks your submit button on the form, your code will look something like this:
If Page.IsPostBack Then
    'Some Code Up Here
    Dim UserComment As String = txtUserComments.Text   ' taken exactly as typed
    'Some More Code Here
End If
Yep, that's all it takes to have an XSS vulnerability: the comment is stored exactly as typed and later written back into the page, so every other visitor's browser parses whatever the user typed as HTML. If ASP.NET request validation is turned off for the page or site, a user can post markup and all future visitors are affected.
For example, if <script>alert('ha')</script> is posted, every later visitor will see the alert box as soon as the page loads. I'll let your imagination run wild with the other possibilities...
The fix
So, what's the fix? Well, for one, you probably noticed that I said "if input validation is turned off"; ASP.NET calls this request validation (ValidateRequest), and it is turned on by default. So don't turn off request validation! But there's much more to this post than that. Request validation is a coarse filter that rejects requests which look like markup; it is a safety net rather than the fix, and it says nothing about how a value is encoded once you write it into HTML, into a script block, or into a URL. What about query string values, HTTP header information, or other form POST data?
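Request validation is set for the whole site in web.config and can be overridden per page. The fragment below is an added example, not from the original post: the site-wide setting kept at its default beside the per-page directive that would silently switch it off.

```xml
<!-- web.config: keep request validation on for every page (this is the default). -->
<configuration>
  <system.web>
    <pages validateRequest="true" />
  </system.web>
</configuration>

<!-- The weak setting. A single page directive like this one overrides the
     site-wide value and lets <script> tags straight through on that page:

       <%@ Page Language="VB" ValidateRequest="false" %>

     Grep the project for ValidateRequest="false" before shipping. -->
```

Remember that even with validation on, the encoding step described below is still required; validation only blocks the obvious payloads.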
The nice people at Microsoft developed an Anti-XSS library, and it's cake to use. The library is a free download from Microsoft.
To use it, download and install the library. In your web project, add a new reference and pick the DLL from Program Files\Microsoft Corporation\Anti-Cross Site Scripting Library V1.5\Library\.Net 1.1 or \.Net 2.0, depending on your framework version. That's right, folks, the library is available for both 1.1 and 2.0!
Now that you have added the reference, import the namespace into your page:
Imports Microsoft.Security.Application
Finally, make use of the library! Remember the textbox example above? Now we encode the comment with AntiXss.HtmlEncode before it ever reaches the page:
Dim UserComment As String = AntiXss.HtmlEncode(txtUserComments.Text)
One refinement: encode at the point where the value is written into the page rather than when it is read from the form. Keep the stored comment raw, because the same text may later be emitted into HTML, into a JavaScript string and into a query string, and each of those needs a different encoding. Storing the HTML-encoded form leads to double encoding on display and to values that are safe in HTML but still exploitable inside a script block.
The magic behind it all
Some of the best things in life are simple, and this is no exception. The HtmlEncode function takes the input characters and encodes them for HTML output, so the browser renders them as text instead of parsing them as markup. For example, the '<' of a script tag is converted to '&lt;'. Unlike HttpUtility.HtmlEncode, which only replaces a short list of known-dangerous characters, the Anti-XSS library works from a whitelist: everything outside a small set of known-safe characters is encoded.
The library has multiple functions available, so you can pick the encoding that matches the context you are writing into: "JavaScriptEncode" for values placed inside JavaScript, or "UrlEncode" for values passed via the query string. Using the wrong encoder for a context is as dangerous as using none; an HTML-encoded value dropped into a JavaScript string literal can still break out of it.
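To tie the culprit and the fix together, here is an added example (my code, not from the original post or the library's documentation) of a Web Forms code-behind for the comment page. It shows the vulnerable rendering next to the fixed one, and applies a different AntiXss encoder for each of the three contexts the comment ends up in: the HTML list, a script block, and a query string link. The control names (txtUserComments, btnSubmit, litComments, litScript, litLinks) and the use of Application state as a stand-in for the blog's database are assumptions for the demo; the block also relies on the library's JavaScriptEncode returning its result wrapped in single quotes.

```vb
' Added example, not code from the original post. A Web Forms code-behind
' for the comment page: vulnerable rendering first, then the fixed rendering
' that encodes each value for the context it is written into.
Imports System
Imports System.Collections.Generic
Imports System.Text
Imports System.Web.UI
Imports System.Web.UI.WebControls
Imports Microsoft.Security.Application

Public Class CommentsPage
    Inherits Page

    ' Assumed controls, declared here so the example stands alone; in a
    ' designer-generated project they would come from the .aspx/.designer file.
    Protected WithEvents txtUserComments As TextBox
    Protected WithEvents btnSubmit As Button
    Protected litComments As Literal   ' HTML list of comments
    Protected litScript As Literal     ' script block exposing comments to JS
    Protected litLinks As Literal      ' links carrying each comment in a query string

    ' Application state stands in for the blog's database (assumption) so the
    ' example needs no external storage. Comments are kept raw: encoding belongs
    ' at output, where the context is known.
    Private ReadOnly Property Store() As List(Of String)
        Get
            If Application("Comments") Is Nothing Then
                Application("Comments") = New List(Of String)()
            End If
            Return DirectCast(Application("Comments"), List(Of String))
        End Get
    End Property

    Protected Sub btnSubmit_Click(ByVal sender As Object, ByVal e As EventArgs) Handles btnSubmit.Click
        Store.Add(txtUserComments.Text)
    End Sub

    Protected Sub Page_PreRender(ByVal sender As Object, ByVal e As EventArgs) Handles Me.PreRender
        RenderComments()
    End Sub

    ' VULNERABLE (kept for comparison, not wired up): the raw comment is
    ' concatenated into markup, so <script>alert('ha')</script> runs in
    ' every visitor's browser.
    Private Sub RenderCommentsUnsafe()
        Dim html As New StringBuilder()
        For Each comment As String In Store
            html.Append("<li>").Append(comment).Append("</li>")
        Next
        litComments.Text = html.ToString()
    End Sub

    ' FIXED: one AntiXss encoder per output context.
    Private Sub RenderComments()
        Dim html As New StringBuilder()
        Dim script As New StringBuilder("<script type=""text/javascript"">var comments = [")
        Dim links As New StringBuilder()

        For i As Integer = 0 To Store.Count - 1
            Dim comment As String = Store(i)

            ' HTML body: '<' becomes &lt;, so the tag is displayed, not parsed.
            html.Append("<li>").Append(AntiXss.HtmlEncode(comment)).Append("</li>")

            ' JavaScript string: HtmlEncode is not enough here. A quote would still
            ' end the string literal, and "</script>" would still end the block.
            ' JavaScriptEncode escapes quotes, backslashes and '<', and returns the
            ' value already wrapped in single quotes.
            If i > 0 Then script.Append(",")
            script.Append(AntiXss.JavaScriptEncode(comment))

            ' Query string: the value is percent-encoded, which also leaves nothing
            ' that could close the href attribute early.
            links.Append("<a href=""Search.aspx?q=") _
                 .Append(AntiXss.UrlEncode(comment)) _
                 .Append(""">Find similar</a> ")
        Next

        script.Append("];</script>")
        litComments.Text = html.ToString()
        litScript.Text = script.ToString()
        litLinks.Text = links.ToString()
    End Sub
End Class
```

Post the <script>alert('ha')</script> comment from earlier in the article against this page and it shows up as literal text in the list, as a harmless quoted string in the script block, and as a percent-encoded query parameter in the link, while RenderCommentsUnsafe would have executed it for every visitor.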
Hopefully this blog post gave you some insight into how easy it can be to compromise your site with an XSS attack, but more importantly you also saw how easy it can be to prevent such attacks.
1 Comment:
Thank you for posting your knowledge of this issue on my blog (http://dotnetdiscussion.wordpress.com)! I've edited my post to link to this post.