
Friday, April 24, 2009

How to secure my ASP.Net web Application (XSS)

mmm, I'm not good at writing introductions to my posts, so I'm going to get straight to the point: how to write a secure ASP.Net web application.

In this post I will show you the most common attacks on ASP.Net applications and how to prevent them from happening to our application.

1) Cross site scripting (XSS)

XSS is the most common attack; it represents about 85% of attacks on web sites. XSS happens when an attacker injects JavaScript into an input control, a textbox for example, and then submits that input to the server.

Example: try to enter this code in a test page that has one textbox to take your user name and a button to preview that username:

<script>alert("Hacked using XSS");</script>

I can hear someone saying, hehehe, I can just validate the input text to see whether it contains the tag <script> or not!!
OK, please add your check, compile, then enter this text in your textbox and tell me the result:
<body onload="alert("Hacked too ??!!?");">

Of course a real attacker will not write this kind of script: s/he may steal your cookie values, or may place a script on your server that automatically redirects any user to some other page, and so on.

I think it is now clear what XSS is, but how can we secure our ASP.Net application against this famous attack? There are several good practices:

  1. Make sure that the ValidateRequest attribute in the Page directive is always true (set it to true and try this attack again).
  2. Use the HtmlEncode method of the HttpUtility class, which applies HTML encoding to a string and returns the encoded string, so the browser displays it as text rather than executing it as a client-side script (try setting ValidateRequest="False" and using the HtmlEncode method).
  3. Don't trust the user's input, and always keep validating it against any special characters.
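As an added example (not code from the original post), here is a single-file ASP.NET Web Forms page for the textbox-and-preview scenario above, with the vulnerable handler and the HtmlEncode-protected handler side by side; the control names and handler names are assumed:

```aspx
<%@ Page Language="C#" ValidateRequest="true" %>
<script runat="server">
    // ValidateRequest rejects requests that look like markup before the page
    // runs, but it is a filter, not a guarantee; encoding at the point of
    // output is what actually stops the browser from executing the input.

    // Vulnerable handler, kept only for comparison: the raw textbox value is
    // written straight into the page, so a <script> tag or an on* attribute
    // typed into the box is sent back to the browser as live markup.
    protected void Preview_Raw(object sender, EventArgs e)
    {
        litPreview.Text = "Hello, " + txtUserName.Text;
    }

    // Hardened handler: HtmlEncode turns <, >, &, and " into HTML entities
    // (&lt; &gt; &amp; &quot;), so the browser shows the characters as text.
    protected void Preview_Click(object sender, EventArgs e)
    {
        litPreview.Text = "Hello, " + HttpUtility.HtmlEncode(txtUserName.Text);
    }
</script>
<html>
<body>
    <form id="form1" runat="server">
        <asp:TextBox ID="txtUserName" runat="server" />
        <asp:Button ID="btnPreview" runat="server" Text="Preview"
                    OnClick="Preview_Click" />
        <!-- Literal (like Label) renders its Text without encoding, which is
             why the handler above must encode before assigning it. -->
        <asp:Literal ID="litPreview" runat="server" />
    </form>
</body>
</html>
```

To see the difference, temporarily point the button's OnClick at Preview_Raw with ValidateRequest="false" and the alert fires; with Preview_Click the same input is printed harmlessly on the page.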

See you in the next post.


