
Basics of Cross Site Scripting (XSS) attack on web applications


Introduction

I would like to share the basics of XSS attacks on web applications.

Cross-site scripting is the injection of client-side scripts into a website. These scripts can be HTML or JavaScript.

There are various ways to inject script into the browser; for example, an attacker can inject JavaScript through a textbox or through the query string.

Description of the attack

By default, ASP.NET prevents XSS attacks of this kind through request validation.

I created a sample application to test an XSS attack and followed the steps below.

a)      Created an ASPX page with the following code-behind.

Code in the Page_Load handler:

protected void Page_Load(object sender, EventArgs e)
{
    // Read the "id" query-string parameter (null when it is absent).
    // The parameter name matches the URL used in the steps below.
    string id = Request.QueryString["id"] as string;

    if (id == null)
    {
        lblmsg.Text = "Default text without any attack";
    }
    else
    {
        // The raw query-string value is written into the page without
        // any encoding: this is what makes the page vulnerable.
        lblmsg.Text = id;
    }
}


b)      Running the application shows the page with the default label text.


c)       Modify the URL to http://localhost:56573/XssTest.aspx?id=<h3>Hello from XSS"</h3> and open it in the browser.

 

d)  We get the following screen: "Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted."


e)      So request validation is implemented by ASP.NET by default (but it can be disabled with a few configuration changes in the application).

 

f)       Steps to disable request validation in ASP.NET

Add the following lines to the web.config file to disable request validation:

o    <httpRuntime requestValidationMode="2.0" />

o    <pages validateRequest="false"/>   <!-- for all pages in the application -->

o    At page level, ValidateRequest="false" can be set in the @ Page directive instead.


·         Modify the URL to http://localhost:56573/XssTest.aspx?id=<h3>Hello from XSS"</h3> and open it in the browser.

 

·         We get the following screen: the injected markup is now rendered, so the XSS attack succeeds.


·         If ValidateRequest="false" is set at page level, this kind of input (script) has to be handled manually in code.
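What "handling it manually" means in practice is HTML-encoding the value before it goes into the label. The following is an added example, not code from the original post: it runs the post's own payload through the vulnerable assignment and through HttpUtility.HtmlEncode from System.Web; the RenderUnsafe/RenderSafe helper names are assumptions of this example.

```csharp
using System;
using System.Web; // HttpUtility lives in System.Web.dll on .NET Framework and
                  // in the shared framework on .NET Core / .NET 5+

static class XssLabelDemo
{
    const string DefaultText = "Default text without any attack";

    // Mirrors the sample page's Page_Load: the raw query-string value becomes
    // HTML markup inside the label, so <h3> (or <script>) is interpreted by
    // the browser. This is the vulnerable behaviour shown in the post.
    static string RenderUnsafe(string id) =>
        id ?? DefaultText;

    // Hardened form: HTML-encode before assigning to the label. '<', '>', '&',
    // '"' and '\'' become entities, so the browser displays the value as text.
    // In the code-behind this is:  lblmsg.Text = HttpUtility.HtmlEncode(id);
    // (Server.HtmlEncode(id) on the Page does the same.)
    // Note: HtmlEncode is correct for element content only; a value placed
    // inside a script block needs HttpUtility.JavaScriptStringEncode instead.
    static string RenderSafe(string id) =>
        id == null ? DefaultText : HttpUtility.HtmlEncode(id);

    static void Main()
    {
        // Constructed input: the payload from the post's URL
        // (XssTest.aspx?id=<h3>Hello from XSS"</h3>).
        string payload = "<h3>Hello from XSS\"</h3>";

        Console.WriteLine("Unsafe: " + RenderUnsafe(payload));
        Console.WriteLine("Safe:   " + RenderSafe(payload));

        // With no id parameter both paths fall back to the default text.
        Console.WriteLine("No id:  " + RenderSafe(null));
    }
}
```

For the payload above, HtmlEncode yields &lt;h3&gt;Hello from XSS&quot;&lt;/h3&gt;, so the heading tags are shown literally instead of being rendered. Encoding on output is needed even with request validation enabled, since validation only rejects inputs that match its patterns.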

 

Conclusion

ASP.NET request validation blocks these attacks and is enabled by default, so make sure it stays enabled in every application.

