Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.

Normally when we develop any rich web application then we use concept of java script for certain types of validation and improving dynamic motion type effects. But by using java script as it is very powerful client side script we increase the potential for security issues. Some common issues which is generated while we use java script are:

1)      A malicious website might employ JavaScript to make changes to the local system, such as copying or deleting files.

2)      A malicious website might employ JavaScript to monitor activity on the local system, such as with keystroke logging.

3)      A malicious website might employ JavaScript to interact with other Websites the user has open in other browser windows or tabs.

Types of cross-site scripting

There is currently three types of cross scripting occurs which is Reflected, stored and local.

Reflected:

This is a most common type of XSS. It targets vulnerabilities that occur in some websites when data submitted by the client is immediately processed by the server to generate results that are then sent back to the browser on the client system. An exploit is successful if it can send code to the server that is included in the Web page results sent back to the browser, and when those results are sent the code is not encoded using HTML special character encoding — thus being interpreted by the browser rather than being displayed as inert visible text.

Stored:

It is also known as Html injection attacks. Stored cross-site scripting exploits are those where some data sent to the server is stored (typically in a database) to be used in the creation of pages that will be served to other users later. This form of cross-site scripting exploit can affect any visitor to your website, if your site is subject to a stored cross-site scripting vulnerability.

Local:

A local cross-site scripting exploit targets vulnerabilities within the code of a webpage itself. These vulnerabilities are the result of incautious use of the Document Object Model in JavaScript so that opening another Web page with malicious JavaScript code in it at the same time might actually alter the code in the first page on the local system.

Basic steps to prevent cross-site scripting in ASP.NET

1)      Check whether ASP.NET request validation is enabled or not. If not enabled then enabled it.

2)      Check carefully that portion of logic in asp.net which will generate html code.

3)      Check whether html output includes input parameter or not. If it contains input parameter then implement proper validation to validate input supplied by user. Input parameters are form fields, query string, coolies collection and session or application variable. Before operating any operation on these variables properly check supplied input or provide strong validation rule to validate these values.

4)      Encode output based on input parameters.

5)      Filter input parameter for special character.

6)      Filter output based on input parameter for special character.