Thanks to built-in features of the .NET Framework, it’s easier than ever to protect your applications against XSS attacks. Here are the simple steps to avoid this vulnerability.
What is XSS (Cross Site Scripting)?
From Wikipedia:
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users.
A simple example of an XSS attack is entering markup containing a script tag into an input field that is later rendered back to other users. Depending on the script that gets executed, it may harm your application and data in several ways.
Solution
You should follow at least these 3 steps to protect your ASP.NET application against XSS attacks:
- Use ASP.NET Request Validation
It’s in place starting from .NET Framework 4.5. Do not disable it unless you want your users to enter HTML markup on purpose.
- Use the HtmlEncode method
If you are not using the ASP.NET TextBox control, which automatically encodes data, you should explicitly use HtmlEncode. There are different ways to leverage this functionality:
HttpUtility.HtmlEncode(Request.Form["name"])
Server.HtmlEncode(Request.Form["name"])
AntiXss.HtmlAttributeEncode(TextBox1.Text)
- Implement client-side and server-side input validation
Push your users to enter valid data by using client-side and server-side validation techniques.
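The following C# program is an added example, not code from the original post: it shows the encoding and validation steps above side by side, using the in-box System.Web.HttpUtility methods (HtmlEncode for element content, HtmlAttributeEncode for attribute values) instead of the separate AntiXSS library, plus a server-side allow-list check standing in for "server-side validation". The submitted value is a constructed sample in place of Request.Form["name"]; the method names RenderGreeting, RenderInput and IsValidName are this example's own.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;   // HttpUtility: System.Web.dll on .NET Framework, System.Web.HttpUtility package on .NET Core/5+

// Added example (not the original post's code): output encoding for the two HTML
// contexts the post mentions, and a server-side allow-list validation step.
public static class XssDemo
{
    // VULNERABLE: raw user input concatenated into the HTML body. Kept only to show
    // what the encoded version below prevents; never ship this.
    public static string RenderGreetingUnsafe(string name)
    {
        return "<p>Hello, " + name + "!</p>";
    }

    // SAFE for an HTML element (text) context: HtmlEncode turns '<', '>', '&', '"'
    // into entities, so the browser displays the text instead of parsing it as markup.
    public static string RenderGreeting(string name)
    {
        return "<p>Hello, " + HttpUtility.HtmlEncode(name) + "!</p>";
    }

    // SAFE for an attribute-value context, the job the post gives to
    // AntiXss.HtmlAttributeEncode. The attribute must also be quoted; encoding
    // alone does not protect an unquoted attribute.
    public static string RenderInput(string value)
    {
        return "<input type=\"text\" name=\"name\" value=\""
             + HttpUtility.HtmlAttributeEncode(value) + "\" />";
    }

    // Server-side validation: an allow-list of the characters a person's name
    // plausibly contains (letters, combining marks, apostrophe, space, dot, hyphen).
    // Client-side validation is a usability aid; this check is the one the server
    // relies on, because anything running in the browser can be bypassed.
    private static readonly Regex NamePattern =
        new Regex(@"^[\p{L}\p{M}' .-]{1,64}$", RegexOptions.CultureInvariant);

    public static bool IsValidName(string name)
    {
        return !string.IsNullOrEmpty(name) && NamePattern.IsMatch(name);
    }

    public static void Main()
    {
        // Constructed sample input standing in for Request.Form["name"].
        string submitted = "<script>alert(1)</script>";

        Console.WriteLine(RenderGreetingUnsafe(submitted)); // script tag reaches the browser as markup
        Console.WriteLine(RenderGreeting(submitted));       // same text, rendered harmlessly as entities
        Console.WriteLine(RenderInput(submitted));          // encoded inside a quoted attribute

        Console.WriteLine(IsValidName(submitted));          // rejected by the allow-list
        Console.WriteLine(IsValidName("Mary O'Brien"));     // accepted
    }
}
```

Both encoders are context-specific: HtmlEncode and HtmlAttributeEncode are correct only for HTML element content and quoted attribute values. Data placed inside a script block, an event-handler attribute, a URL or CSS needs the encoder for that context, which is why the OWASP cheat sheet the post links to organises its rules by output context.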