Introduction

I would like to share the basic of XSS attacks on web applications.

Injection of client side scripts into a website is known as Cross site scripting. These

scripts can be HTML scripts or JavaScript scripts.

There might be various ways to inject script in to browser like attacker can inject

JavaScript from textbox or from query string etc.

Description of attack.

By default XSS attacks are prevented by ASP.net.

I created a sample application to test XSS attack. I followed following steps.

a)      Created a ASPX page having code below

Code at page load.

protected void Page_Load(object sender, EventArgs e)

{

String reqid = Request.QueryString["reqid "as string;

if (id == null)

lblmsg.Text = " Default text without any attack";

}

 

else

   {

lblmsg.Text = reqid;

  }

 

 b)      Following would be output after running the application.

Basics of Cross Site Scripting (XSS) attack on web applications

c)       Modify the URL to http://localhost:56573/XssTest.aspx?id=<h3>Hello from XSS"

</h3> and paste it to browser. 


d)  We will get following screen that Request Validation has detected a potentially

dangerous client input value, and processing of the request has been aborted.


Basics of Cross Site Scripting (XSS) attack on web applications

 e)      So by default request validation is implemented by ASP.net. (but we can

disable it with some configuration changes in application )


f)       Steps to disable the Request validation in ASP.net


Insert following lines in web.config file to enable request validation 


o    <httpRuntime requestValidationMode="2.0" />

o    <pages validateRequest="false"/>   // for all pages in applications

o    At page level we can use validateRequest = false.

 

Basics of Cross Site Scripting (XSS) attack on web applications 


·         Modify the URL to http://localhost:56573/XssTest.aspx?id=<h3>Hello from XSS"

</h3> and paste it to browser. 


·         We will get following screen  (now we are able to produce  XSS attack)

Basics of Cross Site Scripting (XSS) attack on web applications

·         If  ValidateRequest = false is set at page level then we have to handle these

type of input (script) manually at code level.

 

Conclusion

By default XSS attacks are prevented by ASP.net so make sure it should be enable

every time.

By default it is enabled by Asp.net.

  Modified On Nov-29-2017 05:31:09 PM

Leave Comment