AppSec Blog

WhatWorks in AppSec: ASP.NET Defend Against Cross-Site Scripting Using The HTML Encode Shortcuts

Eric Johnson is an instructor with the SANS Institute for DEV544: Secure Coding in .NET: Developing Defensible Applications, and an information security engineer at a financial institution, where he is responsible for secure code review assessments of Internet facing web applications. Eric has spent nine years working in software development with over five years focusing on ASP .NET web application security. His experience includes software development, secure code review, risk assessment, static source code analysis, and security research. Eric completed a bachelor of science in computer engineering and a master of science in information assurance at Iowa State University. He currently holds the CISSP and GSSP-.NET certifications and is located in Las Vegas, NV.


The .NET 4.0 framework introduced a syntax shortcut that HTML encodes dynamic content as it is rendered to the browser, and .NET 4.5 added the matching shortcut for data-binding expressions. Together they provide an easy way to protect against Cross-Site Scripting (XSS) in the newer versions of the framework without calling an encoding method explicitly at every output point.

All Frameworks - Vulnerable Code Example


First, let's review the two vulnerable instances of XSS, present in every version of the .NET framework, shown in the code snippet below. The first exploitable instance, on line 1, writes the dynamic server-side variable ProductType to the browser without HTML encoding. The second, on line 7, writes the dynamic server-side variable Name to the browser while data binding the products grid view. If an attacker can control either value (for example through a product edit form), a malicious value such as <script>alert(document.cookie);</script> is written verbatim into the page and executes in the browser of every user who views it.

<h1><%= ProductType %></h1>

<asp:GridView ID="gvProducts" runat="server" AutoGenerateColumns="false" ItemType="Data.Product">
    <Columns>
        <asp:TemplateField HeaderText="Name">
            <ItemTemplate>
                <%# Item.Name %>
            </ItemTemplate>
        </asp:TemplateField>
    </Columns>
</asp:GridView>

.NET 3.5 - Secure Code Example


Next, let's review how these instances would be mitigated in .NET 3.5 (and any version prior to .NET 3.5). In earlier versions of the framework, both exploitable instances are modified to HTML encode the dynamic server-side variables explicitly, using the Microsoft Web Protection Library (formerly known as the AntiXSS library). If an attacker supplied the same malicious content described in the vulnerable code example, the HTML encoded value, at minimum &lt;script&gt;alert(document.cookie);&lt;/script&gt; (the AntiXSS encoder works from a safe list and encodes the parentheses and other punctuation as well), would not break out of the HTML context and would not execute in the browser. Note that the strongly typed ItemType/Item binding in these snippets is itself an ASP.NET 4.5 feature; a real 3.5 page would bind with Eval("Name") instead, but the encoding call wraps the expression the same way.

<h1><%= Microsoft.Security.Application.Encoder.HtmlEncode(ProductType) %></h1>

<asp:GridView ID="gvProducts" runat="server" AutoGenerateColumns="false" ItemType="Data.Product">
    <Columns>
        <asp:TemplateField HeaderText="Name">
            <ItemTemplate>
                <%# Microsoft.Security.Application.Encoder.HtmlEncode(Item.Name) %>
            </ItemTemplate>
        </asp:TemplateField>
    </Columns>
</asp:GridView>

.NET 4.5 - Secure Code Example


Finally, let's review how these instances would be mitigated in .NET 4.5 using the HTML encoding shortcuts provided by the framework. The instance on line 1 uses the HTML encode render shortcut (<%: %>), available since .NET 4.0, to HTML encode the dynamic ProductType value. The instance on line 7 uses the HTML encode data-binding shortcut (<%#: %>), new in .NET 4.5, to HTML encode the dynamic Name value being bound by the grid view. No library reference or explicit method call is needed, and a missing colon is much easier to spot in code review than a missing Encoder.HtmlEncode call.

<h1><%: ProductType %></h1>

<asp:GridView ID="gvProducts" runat="server" AutoGenerateColumns="false" ItemType="Data.Product">
    <Columns>
        <asp:TemplateField HeaderText="Name">
            <ItemTemplate>
                <%#: Item.Name %>
            </ItemTemplate>
        </asp:TemplateField>
    </Columns>
</asp:GridView>

Default Encoding Library


Both shortcuts compile to a call to HttpUtility.HtmlEncode, which in .NET 4.0 and later delegates to the encoder registered as HttpEncoder.Current. Out of the box that is the framework's default HttpEncoder, which escapes only the HTML metacharacters (<, >, &, " and '). Developers can strengthen every shortcut on the site at once by switching the runtime encoder to the AntiXSS encoder that ships inside System.Web.dll in .NET 4.5; it works from a safe list and encodes all other punctuation as well. The switch is a single httpRuntime attribute in web.config, under <system.web>:
<httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
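To make the difference observable outside a page, here is an added console example (it is not code from the original post) that calls the same encoders the shortcuts end up using, with the post's payload as constructed input. It assumes .NET 4.5 and a project reference to System.Web.dll; because it is a console program, web.config is not consulted, so the AntiXssEncoder is called directly rather than through the httpRuntime switch. The last case shows a caveat worth knowing: the HttpUtility.HtmlEncode(object) overload behind <%: %> returns values that implement IHtmlString unencoded.

```csharp
// Added example, not code from the original post. Requires .NET 4.5 and a
// reference to System.Web.dll (console project). web.config is not read here,
// so the AntiXssEncoder is invoked explicitly instead of via encoderType.
using System;
using System.Web;                   // HttpUtility, HtmlString
using System.Web.Security.AntiXss;  // AntiXssEncoder (in System.Web.dll since .NET 4.5)

static class EncoderComparison
{
    // Constructed attacker input: the same payload the post uses.
    public const string Payload = "<script>alert(document.cookie);</script>";

    // Equivalent to <%= Payload %>: the markup is written verbatim.
    public static string RawOutput(string value)
    {
        return value;
    }

    // Equivalent to <%: Payload %> with no encoderType configured:
    // the default HttpEncoder escapes < > & " and ' and no other ASCII character.
    public static string DefaultEncoded(string value)
    {
        return HttpUtility.HtmlEncode(value);
    }

    // What <%: Payload %> produces once encoderType points at AntiXssEncoder
    // (or what an explicit call gives you). AntiXss encodes everything outside
    // its safe list, so punctuation such as ( ) and / is escaped as well.
    // The second argument asks for named entities (&lt;) where one exists.
    public static string AntiXssEncoded(string value)
    {
        return AntiXssEncoder.HtmlEncode(value, true);
    }

    // Caveat: HtmlEncode(object), which <%: %> compiles to, passes IHtmlString
    // values through untouched. Wrapping untrusted data in HtmlString
    // silently reintroduces the injection.
    public static string HtmlStringBypass(string value)
    {
        return HttpUtility.HtmlEncode(new HtmlString(value));
    }

    // A quick review check: after encoding for element content, no raw
    // angle bracket may survive. Returns false for the bypass case.
    public static bool NoRawTagRemains(string encoded)
    {
        return encoded.IndexOf('<') < 0 && encoded.IndexOf('>') < 0;
    }

    static void Main()
    {
        Console.WriteLine("<%= %>           : " + RawOutput(Payload));
        Console.WriteLine("<%: %> default   : " + DefaultEncoded(Payload));
        Console.WriteLine("<%: %> AntiXss   : " + AntiXssEncoded(Payload));
        Console.WriteLine("<%: %> HtmlString: " + HtmlStringBypass(Payload));

        Console.WriteLine("default safe : " + NoRawTagRemains(DefaultEncoded(Payload)));
        Console.WriteLine("antixss safe : " + NoRawTagRemains(AntiXssEncoded(Payload)));
        Console.WriteLine("bypass safe  : " + NoRawTagRemains(HtmlStringBypass(Payload)));
    }
}
```

Run it once with and once without the encoderType switch in a real Web Forms project and you will see the third line change while the second stays the same; the last line is false either way, which is why HtmlString (and any other IHtmlString) should never wrap data that originated from a request or the database.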

Summary


The HTML render shortcut (<%: %>) and data-binding shortcut (<%#: %>) give developers a quick and simple way to protect their Web Forms applications from XSS when writing dynamic data into HTML contexts, and they remove the most common mistake, which is simply forgetting the encode call.

Two caveats apply. First, the shortcuts only HTML encode. That is correct for HTML element content and, because both encoders escape quotes, for quoted attribute values, but dynamic data written into unquoted attributes, JavaScript (including inline event handlers, where the browser entity-decodes the attribute before the script engine runs), CSS, URL and other contexts each require the context-specific encoder from the AntiXSS library (JavaScriptEncode, CssEncode, UrlEncode and so on). Second, <%: %> (through the HttpUtility.HtmlEncode(object) overload behind it) passes values that implement IHtmlString through unencoded, so wrapping untrusted data in HtmlString disables the protection.
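The following console example is added here and is not part of the original post. It takes one hypothetical user-controlled field, display, and shows which in-box encoder belongs to each output context, plus the mismatch the summary warns about: an HTML encoded value placed inside an onclick attribute is entity-decoded by the browser before JavaScript runs, so the break-out survives. It assumes .NET 4.5 with a reference to System.Web.dll and uses HttpUtility.JavaScriptStringEncode for the JavaScript context (the standalone AntiXSS library's Encoder.JavaScriptEncode is the equivalent); both payloads are constructed for the demonstration.

```csharp
// Added example, not code from the original post. Requires .NET 4.5 and a
// reference to System.Web.dll. "display" stands for any attacker-controlled
// value; the payloads below are constructed for the demonstration.
using System;
using System.Web;                   // HttpUtility
using System.Web.Security.AntiXss;  // AntiXssEncoder

static class ContextEncoding
{
    // Element content:  <span><%: display %></span>
    public static string ForElementContent(string display)
    {
        return AntiXssEncoder.HtmlEncode(display, true);
    }

    // Quoted attribute value:  <input value="...">
    public static string ForAttribute(string display)
    {
        return AntiXssEncoder.HtmlAttributeEncode(display);
    }

    // JavaScript string literal inside a <script> block:  var n = '...';
    // JavaScriptStringEncode escapes quotes, backslashes and angle brackets
    // using JavaScript escapes, which the HTML encoders do not produce.
    public static string ForJavaScriptString(string display)
    {
        return HttpUtility.JavaScriptStringEncode(display);
    }

    // Inline event handler:  onclick="greet('...')"
    // The value passes through two parsers: the HTML parser decodes entities
    // in the attribute, then the JavaScript engine reads the result. So encode
    // for the innermost context first (JavaScript), then for the outer one (attribute).
    public static string ForEventHandlerAttribute(string display)
    {
        return AntiXssEncoder.HtmlAttributeEncode(HttpUtility.JavaScriptStringEncode(display));
    }

    // Query string parameter:  <a href="/search?q=...">
    public static string ForQueryString(string display)
    {
        return AntiXssEncoder.UrlEncode(display);
    }

    // The failure mode: HTML encoding alone for the onclick context. After the
    // browser turns &#39; (and any numeric entity) back into the raw character,
    // the closing quote and parenthesis of the payload are intact again.
    public static string WrongForEventHandler(string display)
    {
        return HttpUtility.HtmlEncode(display);
    }

    // Mimics the browser's entity decoding of an attribute value closely enough
    // to show the problem; not a full entity parser.
    public static string SimulateAttributeDecode(string attributeValue)
    {
        return HttpUtility.HtmlDecode(attributeValue);
    }

    static void Main()
    {
        string htmlPayload = "<script>alert(document.cookie);</script>";
        string jsPayload = "'); alert(document.cookie); //";

        Console.WriteLine("element   : " + ForElementContent(htmlPayload));
        Console.WriteLine("attribute : " + ForAttribute(htmlPayload));
        Console.WriteLine("js string : " + ForJavaScriptString(jsPayload));
        Console.WriteLine("onclick   : " + ForEventHandlerAttribute(jsPayload));
        Console.WriteLine("query     : " + ForQueryString(htmlPayload));

        // What the JavaScript engine sees in each onclick variant.
        string wrongSeenByJs = SimulateAttributeDecode(WrongForEventHandler(jsPayload));
        string rightSeenByJs = SimulateAttributeDecode(ForEventHandlerAttribute(jsPayload));
        Console.WriteLine("wrong, after decode : " + wrongSeenByJs);   // break-out restored
        Console.WriteLine("right, after decode : " + rightSeenByJs);   // still a JS-escaped literal
        Console.WriteLine("wrong still breaks out: " + wrongSeenByJs.Contains("');"));
    }
}
```

The rule of thumb the example encodes: pick the encoder by the context the value lands in, and when a value crosses two contexts, encode for the inner one first and the outer one second.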

4 Comments

Posted July 08, 2013 at 6:50 AM | Permalink | Reply

Eone James

I would say that your information is reliable. Your shortcuts really help to make code easy.

Posted August 21, 2013 at 7:12 AM | Permalink | Reply

Cygnis Media

Cross-site script injection (XSS) and HTML encoding attacks are two of the most common security issues that plague websites and applications. They occur when hackers find a way to inject client-side script or HTML markup into web pages that are then viewed by other visitors to a site.

Posted September 19, 2013 at 9:37 AM | Permalink | Reply

graham

Nice, thanks.

Posted September 19, 2013 at 9:48 AM | Permalink | Reply

devtools korzh

Thanks. With your shortcuts it is much easier now.
