1

I'm working on a .NET 4.5 web application(non-MVC) which contains numerous modules. While testing, I found out that my application is vulnerable to Reflected Cross Site Scripting attacks.

For instance this is what my sample URL would look like like: 

   example.com/abc.aspx?id=1234

Now if someone tries to enter any script in place of id value, for e.g.

    id=<somescript>

this script would get executed.

How can I block scripts which are entered in URL from being executed? Currently I'm not focusing on the UI based input elements like textboxes etc.

I need a way to block malicious scripts from being executed through the URL.

I tried to enabling the validateRequest property. Although it blocked the scripts from getting executed throughout the application but there was one problem with it. It also blocked the safe markups which are entered in the UI based input fields(like textboxes) from being executed.

For my application the users expect to enter some sample markups in textareas and textboxes.

Currently I just want to block the browser-URL based XSS scripts. How can I achieve it?

Update:

I've tried adding following custom headers in my web.config file :

X-Xss-Protection - But it's not supported by Firefox

Content-Security-Policy - It's not supported by IE.

The application which I'm working is very big and hence it would take a lot of time for me to make changes in code for validation purposes. Is there any way with which I can make changes at the Web.config level itself?

Mr.Human
  • 547
  • 2
  • 12
  • 30
  • it'd be interesting to know the trick for this.. especially for old projects. – Bagus Tesa Apr 27 '17 at 04:17
  • @Bagus Tesa if your application has no need to allow markups/scripts as input from the UI input elements like textboxes etc. you can safely go ahead and enable the validateRequest attribute in your web.config – Mr.Human Apr 27 '17 at 11:33
  • already set in `web.config` the validateRequest one. unfortunately, one of website auditor found out that url like `faq.aspx/'%20onclick=%22alert('Someauditor')%22%20ignoreme=` is reported to bring xss vulnerability to the web form.. although there is no code that prints anything in url to the document body - only the asp web form's `action` that defined by asp and i don't know whether we can override it. – Bagus Tesa Apr 28 '17 at 00:09

2 Answers2

1

You can try to set System.Web.Security.AntiXss.AntiXssEncoder (available since .NET 4.5) as a default encoder for your ASP.NET application.

It encodes a string meant to be used in a URL, HTML, CSS or XML string.

Usage in web.config:

<httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder" />

There is an alternative for earlier versions of .NET: Microsoft.Security.Application.AntiXssEncoder available on NuGet. Usage in web.config:

<httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary" />

You can find more information on how to prevent XSS attacks on this OWASP article.

Simon Bar
  • 116
  • 1
  • 6
0

Best way is to use validateRequest property and change your logic how and why you passing HTML in your get request. Maybe you need to pass only ids or values of this textboxes.

Victor Leontyev
  • 8,488
  • 2
  • 16
  • 36
  • is there any way I can make the changes in the web.config file so that it would be applicable to the entire application itself. My application is too large and hence it would not be feasible to change logic for each and every inputs. – Mr.Human Apr 27 '17 at 04:04