How to prevent XSS (Cross Site Scripting) attacks in ASP.NET applications

Thanks to built-in features of .NET Framework, it’s easier than ever to protect your applications against XSS attacks. I’m explaining simple steps to avoid this vulnerability.

What is XSS (Cross Site Scripting)?

From Wikipedia:

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users.

A simple example of an XSS attack is that entering “// ” into an input field. Depending on the script that will be executed, It may harm your application and data in several ways.

Solution

You should follow at least these 3 steps to protect your ASP.NET application against XSS attacks:

  1. Use ASP.NET Request Validation
    It’s in place starting from .NET Framework 4.5. Do not disable it unless you want your users to enter HTML codes (such as , ) on purpose.
  2. Use HtmlEncode method
    If you are not using ASP.NET TextBox control which automatically encodes data, you should explicitly use HtmlEncode. There are different ways to leverage this functionality:

    HttpUtility.HtmlEncode(Request.Form["name"])
    Server.HtmlEncode(Request.Form["name"])
    AntiXss.HtmlAttributeEncode(TextBox1.Text)
  3. Implement client-side and server-side input validation
    Push your users to enter valid data by using client-side and server-side validation techniques.

References:

Leave a Reply