Cross-Site Scripting (XSS)

How to Fix Cross-Site Scripting (XSS) Using Microsoft .Net Web Protection Library


HTML Encoding

The purpose of HTML encoding dynamic data is to prevent malicious HTML/Script from being injected into the web page and later executed by the browser.

Secure Usage
    HTML Encode Binding Shortcut
    <td><%#: Item.Address %></td>

    HTML Encode Render Shortcut
    <td><%: Item.Address %></td>

The above code is not vulnerable to XSS because the dynamic Address property is HTML encoded before being written to an HTML context. In ASP .NET 4.5, the HTML encode binding shortcut (<%#:) was introduced to let developers HTML encode dynamic values being bound in the HTML markup. Similarly, ASP .NET 4.0 added the HTML encode render shortcut (<%:), which automatically HTML encodes content rendered directly to the page.

Vulnerable Usage
    HTML Binding
    <td><%# Item.Address %></td>

    HTML Render
    <td><%= Item.Address %></td>

The above code is vulnerable because the dynamic Address property is written to the browser without HTML encoding. If an attacker had the ability to edit the address field, then a malicious value, such as alert(document.cookie);, could be entered to inject content into the page.

Secure Usage
    ASPX:
    <td><asp:Label id="lblAddress" runat="server"></asp:Label></td>

    ASPX.CS:
    lblAddress.Text = Microsoft.Security.Application.Encoder.HtmlEncode(Request["Address"]);

The above code is not vulnerable to XSS because the Address request parameter is HTML encoded with the Microsoft Web Protection Library (WPL) before being written to an HTML context. It should be noted that in ASP .NET 4.5, the Web Protection Library is the default encoding library.

Vulnerable Usage
    ASPX:
    <td><asp:Label id="lblAddress" runat="server"></asp:Label></td>

    ASPX.CS:
    lblAddress.Text = Request["Address"];

The above code is vulnerable because the Label.Text property does not automatically HTML encode its contents, and the dynamic Address request parameter is written to the browser without HTML encoding. This could allow an attacker to set the address request parameter to a malicious value, such as alert(document.cookie);, and inject content into the page.

For a complete listing of the ASP .NET controls and their default encoding, please see the following: http://blogs.msdn.com/b/sfaust/archive/2008/09/02/which-asp-net-controls-automatically-encodes.aspx

JavaScript Encoding

The purpose of JavaScript encoding dynamic data is to prevent malicious script from being injected into the JavaScript being executed in the browser.

Secure Usage
    <a onclick="<%# string.Format("ConfirmDelete({0})", Microsoft.Security.Application.Encoder.JavaScriptEncode(Item.Name)) %>">Delete</a>

The above code is not vulnerable to XSS because the dynamic Name property is JavaScript encoded with the Microsoft Web Protection Library (WPL) before being written into the JavaScript context. In this case, the JavaScriptEncode method must be used instead of the HTML binding shortcut (<%#:) because the shortcut only works for HTML contexts. Also, note that the JavaScriptEncode method returns the dynamic value properly encoded and already wrapped in single quotes (tick marks), which is why the secure markup above does not add its own quotes around {0}. For example, if the name were Bob O'Neill, the return value would be 'Bob O\x27Neill'.

Vulnerable Usage
    <a onclick="<%# string.Format("ConfirmDelete('{0}')", Item.Name) %>">Delete</a>

The above code is vulnerable because the dynamic Name property is not JavaScript encoded before being written into the JavaScript context. If an attacker had the ability to edit the name field, then a malicious value, such as ');alert(document.cookie);//, could be used to break out of the intended JavaScript function and execute additional commands in the browser.

URL Encoding

The purpose of URL encoding dynamic data is to prevent malicious script from being injected into a URL.

Secure Usage
    <a href="<%# Microsoft.Security.Application.Encoder.UrlEncode(Item.Url) %>">View Details</a>

The above code is not vulnerable to XSS because the dynamic Url property is URL encoded with the Microsoft Web Protection Library (WPL) before being written to the href attribute. In this case, the UrlEncode method must be used instead of the HTML binding shortcut (<%#:) because the shortcut only works for HTML contexts.

Vulnerable Usage
    <a href="<%# Item.Url %>">View Details</a>

The above code is vulnerable because the dynamic Url property is not URL encoded before being written into the URL context. If an attacker had the ability to edit the URL field, then a malicious value, such as javascript:alert(document.cookie), could be used to execute script in the browser.
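As an added example (not code from the original article or from the Web Protection Library itself), the same three WPL encoders used from C# code-behind to build each of the contexts covered in the HTML, JavaScript and URL sections above. It assumes the AntiXSS assembly providing the Microsoft.Security.Application namespace is referenced; the Render method names, the /Items/Details path and the sample inputs are constructed for illustration. It goes beyond the markup above in two ways: the finished onclick handler is also HTML attribute encoded, and only the untrusted query-string value of the link is URL encoded rather than a complete URL.

```csharp
// Added example, not from the original article: the three WPL encoders used from
// C# code-behind to build each context discussed above. Assumes the AntiXSS
// assembly (namespace Microsoft.Security.Application) is referenced.
using System;
using Microsoft.Security.Application;

public static class SafeRendering
{
    // HTML body context (the <td> cell): HtmlEncode turns < > & " ' into entities,
    // so a value such as <script>alert(document.cookie);</script> renders as text.
    public static string RenderAddressCell(string address)
    {
        return "<td>" + Encoder.HtmlEncode(address) + "</td>";
    }

    // JavaScript inside an HTML event-handler attribute. JavaScriptEncode returns
    // the value already wrapped in single quotes, with ' " < > & escaped as \xHH,
    // so ');alert(document.cookie);// cannot close the string literal or the call.
    // The attribute is still HTML, and browsers decode entities there before the
    // script runs, so the finished handler is also attribute encoded.
    public static string RenderDeleteLink(string name)
    {
        string handler = string.Format("ConfirmDelete({0})", Encoder.JavaScriptEncode(name));
        return "<a onclick=\"" + Encoder.HtmlAttributeEncode(handler) + "\">Delete</a>";
    }

    // URL context: only the untrusted component (here a query-string value) is
    // URL encoded; the path is fixed by the application, so a value such as
    // javascript:alert(document.cookie) can never become the scheme of the link.
    // The /Items/Details path is a constructed placeholder.
    public static string RenderDetailsLink(string itemId)
    {
        return "<a href=\"/Items/Details?id=" + Encoder.UrlEncode(itemId) + "\">View Details</a>";
    }

    // Constructed sample inputs, taken from the attack values discussed above.
    public static void Main()
    {
        Console.WriteLine(RenderAddressCell("<script>alert(document.cookie);</script>"));
        Console.WriteLine(RenderDeleteLink("Bob O'Neill"));
        Console.WriteLine(RenderDeleteLink("');alert(document.cookie);//"));
        Console.WriteLine(RenderDetailsLink("javascript:alert(document.cookie)"));
    }
}
```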

Contributors

James Jardine


Authors

Eric Johnson