Cross-Site scripting which is commonly called XSS attack
is a vulnerability that can be found on any web applications. Using this
vulnerability, an attacker can take advantage on your application and insert
some malicious script that will get executed automatically to accomplish
whatever the attacker wants. For example, an attacker can insert some
JavaScript code with the actual input in an input field which in turn will get
executed when it is displayed on the browser.
The XSS attack is broadly categorized into 2 types,
Stored and Reflected.
A Stored XSS attack is one where the input with the
malicious code is saved permanently into a persistent medium like database and
will get executed whenever it is displayed or processed. For example, in a
comment field an attacker can insert some malicious script which will get
executed whenever it is displayed on the browser.
A Reflected XSS attack is one where the malicious script
with the input is just processed by the server and is reflected back. For
example, the input will be displayed back to the user in a webpage, commonly
seen in search pages like “You have searched for xxxx…” or in some places, when
you display an error message by including the input from user like “Your input
xxx is invalid.” In these cases, if there is a malicious script injected with
the input then it will get executed by the browser.
In next section, let’s see some simple XSS attack in
ASP.Net application to understand it better.
Simulate XSS attack in ASP.Net
By default, ASP.Net will not allow any HTML tag in any
input controls. In this case, you will receive the below error if you input html
tags and submit the page.
A
potentially dangerous Request.Form value was detected from the client
Note that, you need to set ValidateRequest="false" in
those pages where you need to allow HTML input. Open a new ASP.Net project in
your visual studio and for time being, set ValidateRequest="false" in the Page
directive of Default.aspx page to understand the XSS attack in this article.
Now, drag a textbox and a button control in the aspx page. On click of the
button, do a Response.Write() of the contents of textbox. Like below, ASPX
<asp:TextBox ID="txtMessage" runat="server"
TextMode="MultiLine"></asp:TextBox>
<asp:Button ID="btnSubmit" runat="server"
onclick="btnSubmit_Click"
Text="Submit" />
CodeBehind
protected void btnSubmit_Click(object sender, EventArgs
e)
{
Response.Write(txtMessage.Text);
}
Execute the above page and type the below string as
input in the textbox and click submit.
<script>alert('You are
hacked!')</script>
Since, we have set ValidateRequest="false" the above
malicious script will be rendered in the output html and will get executed.
Hence, you will get a alert box saying ‘You are hacked!’. This is called XSS
attack. This is a very basic example where an alert script is being inserted
which has no impacts. Assume, there is a comment field in your page where you
allow HTML input. Now, an attacker or possibly a spammer can insert some script
that can redirect the user to his/her page through which he can divert all the
traffic to his site that are supposed to visit your page. For example, in the
above textbox try giving the below input.
<meta http-equiv="refresh"
content="2;url=http://www.codedigest.com/">
The above script will redirect you to www.codedigest.com when the page is
rendered back.
Handling XSS attack in ASP.Net
To handle XSS attack in these pages, you can do a HTML
encode of the input before processing it. The input once HTML encoded will
become void and it will get simply displayed and without getting executed.
Hence, you can prevent the XSS attack in the above example by using the below
code,
protected void btnSubmit_Click(object sender, EventArgs
e)
{
Response.Write(Server.HtmlEncode(txtMessage.Text));
}
The above code will do html encode on the input which
will in turn will make the injected script void. So, the above inputs will
become like below after encoding,
<script>alert('You are
hacked!')</script>
<meta http-equiv="refresh"
content="2;url=http://www.codedigest.com/">
Now, when this is rendered in the browser the HTML tags
will be rendered as text(means, as a non executable). Please see below,
<script>alert('You are hacked!')</script>
<meta http-equiv="refresh"
content="2;url=http://www.codedigest.com/">
At times, you may need to allow the users to input HTML
tags which is then used to display the input with the HTML formatting done by
the users. For example, in article/blog posting pages you may need to allow
users to format the text with RTF(Rich Text Editors) editors and save it without
encoding. In this case, to prevent XSS attack you can restrict users to do some
limited formatting by allowing only some specific formatting tags like
<B>,<I>,<font>, etc. Also, you can validate the user input in
the server to strip the tags that are not allowed or considered to be vulnerable
to XSS attack.
|