Thanks to built-in features of .NET Framework, it’s easier than ever to protect your applications against XSS attacks. I’m explaining simple steps to avoid this vulnerability.
What is XSS (Cross Site Scripting)?
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users.
A simple example of an XSS attack is that entering “// ” into an input field. Depending on the script that will be executed, It may harm your application and data in several ways.
You should follow at least these 3 steps to protect your ASP.NET application against XSS attacks:
- Use ASP.NET Request Validation
It’s in place starting from .NET Framework 4.5. Do not disable it unless you want your users to enter HTML codes (such as , ) on purpose.
- Use HtmlEncode method
If you are not using ASP.NET TextBox control which automatically encodes data, you should explicitly use HtmlEncode. There are different ways to leverage this functionality:
HttpUtility.HtmlEncode(Request.Form["name"]) Server.HtmlEncode(Request.Form["name"]) AntiXss.HtmlAttributeEncode(TextBox1.Text)
- Implement client-side and server-side input validation
Push your users to enter valid data by using client-side and server-side validation techniques.
- XSS (Cross Site Scripting) Prevention Cheat Sheet
- How To: Prevent Cross-Site Scripting in ASP.NET
- Request Validation in ASP.NET
- How To: Protect From Injection Attacks in ASP.NET
- An Absolute Beginner’s Tutorial on Cross Site Scripting(XSS) Prevention in ASP.NET
- Anti-Cross Site Scripting Library
- Anti-Cross Site Scripting Library (AntiXSS)
- Differences Between AntiXss.HtmlEncode and HttpUtility.HtmlEncode Methods
- Stackoverflow post