0

We have an asp.net core 2.1 web api wherein we have an endpoint to post vendors with sample payload below which gets stored in PostgreSQL DB. Currently, we have identified an XSS vulnerability if we pass a script that we want to restrict and sanitize the payloads.

I searched over the internet but can't find a working solution for .NET Core which helps prevent XSS attack. Can anyone please provide a solution for the same with a sample code block.

Thank you in advance.

[{
    "Vendor1": {
        "Name": "Happy Customer 1 “><script>alert(“XSS”)</script>",
        "UIN": ""
    },
    "Vendor2": {
        "Name": "Happy Customer 2 “><script>alert(“XSS”)</script>",
        "UIN": ""
    }
}]
Vipul
  • 19
  • 1
  • 4
  • Why does a web api need XSS prevention?How do you get above json? – Ryan Jan 17 '20 at 06:00
  • @IanKemp Apologies but that isn't my intention apart from an expert advice. This is something new to me and an urgent requirement. Also the solution's which I found were all related to the input's being accepted from an UI application and more of an MVC or razor applications which doesn't help in my scenario. – Vipul Jan 17 '20 at 14:14
  • @XingZou We have few public APIs wherein our security team found a vulnerability wherein they were able to pass an XSS script through payload and the same script got stored in our DB which needs to be fixed and I am stuck. I am looking for a way in .net core in which we can have a actionfilter to sanitize such requests before hitting the database. Thank you for your help and time. – Vipul Jan 17 '20 at 14:15
  • Does this answer your question? [How to protect against XSS in ASP.NET Core?](https://stackoverflow.com/questions/52239262/how-to-protect-against-xss-in-asp-net-core) – Michael Freidgeim May 03 '21 at 22:25

1 Answers1

0

Ways of preventing XSS -

  1. HTML encode the input that is coming in. Reference: https://learn.microsoft.com/en-us/dotnet/api/system.web.httputility.htmlencode?view=netcore-2.0

  2. Input validation by whitelisting.

You can follow this reference, which shows all the ways of preventing XSS in .Net Core: https://learn.microsoft.com/en-us/aspnet/core/security/cross-site-scripting?view=aspnetcore-2.0

I hope this helps

awdorrin
  • 85
  • 1
  • 6
Abhishek Amola
  • 61
  • 3
  • 1
    I really appreciate your help Abhishek. Just one doubt is there a way to filter out such scripts through an action filter or middleware in .NET Core because the docs are more applicable for an MVC/ Razor application and our's is pure Web API based. Also being novice to XSS I would like to have suggestions whether my question is valid. Thanks in advance. – Vipul Jan 17 '20 at 14:33
  • Hi Vipul, you can use AntiXss module and SRE in .net. References- https://blogs.msdn.microsoft.com/syedab/2009/07/08/preventing-cross-site-scripting-attacks-using-microsoft-anti-xss-security-runtime-engine/ , https://www.codeproject.com/Articles/359058/SRE-with-Antixss-Module , https://www.troyhunt.com/owasp-top-10-for-net-developers-part-2/ – Abhishek Amola Jan 21 '20 at 04:11