Sdílet prostřednictvím


Quickly Find And Fix Cross Site Scripting (XSS) Vulnerabilities In Your ASP.NET Application.

Want to quickly check your ASP.NET Web application for Cross Site Scripting (XSS) vulnerability?

It is pretty easy with the knowledge and tools you already have. This post describes how to quickly find and fix most of XSS vulnerabilities in your code.

Why XSS vulnerabilities are possible

XSS vulnerabilities are possible when un-sanitized data printed out on the page. From what I witness when I do security code inspections most cases can be summarized to two most common:

  • Using DataBinder.Eval function:

<%#DataBinder.Eval(Container.DataItem, "TEXT") %>

  • Assigning to Text property of the control:
 Label1.Text = TextBox1.Text;
   [Update 20.7.08]   Assigning to Text property of the control: 

 <%=myStringGoesHere...

How to quickly find XSS vulnerabilities

Above patterns are easily identifiable using any strings search utility. I use Visual Studio 2005 As General Code Search Tool to find such vulnerabilities. When Visual Studio is not an option, just use FindStr, here is an example - Code Inspection - First Look For What To Look For.

Run your search for ".Eval(" and then for ".Text =". You might want to modify slightly it as some folks omit space before "=" or other minor changes.

Use searches similar to these:

  • findstr /S /I ".Text =" *.cs
  • findstr /S /I ".Eval(" *.aspx
  • findstr /S /I ".Eval(" *.ascx
  • [Update 20.7.08]  findstr /S /I "<%=" *.aspx

Ran your search yet? What do you see? Scared?

How to quickly fix XSS vulnerabilities

The fix is pretty simple - just apply Html Encoding to both cases. The best is using freely available Microsoft Anti-Cross Site Scripting Library V1.5. Note that ASP.NET’s Server.HtmlEncode is not the safest one as it only encodes <,>,",& characters which is not sufficient to protect against all possible attacks.

Comments

  • Anonymous
    July 10, 2008
    Well defined set of search patterns helps significantly reduce time (cost) when performing security code
  • Anonymous
    March 08, 2009
    You are voted (great) - Trackback from Web Development Community