Cross-site Scripting (XSS) is a vulnerability typically found in web applications. It enables attackers to inject malicious code, such as a script, into web pages.
Attackers generally use it to get around access controls for unauthorized activity or to redirect URLs.
Nowadays it is a big issue for web applications. When an application is affected by XSS, it is really hard to find the source of the activity, because a large amount of data has to be checked carefully.
But prevention is better than cure, so please follow these steps to protect your web application from XSS:
- First of all, make sure you use only trusted code, DLLs, CDNs and CSS files. If you are not 100% sure about the functionality of any of them, remove it.
- Make sure you do not leave the href attribute of an anchor tag blank or set it to ‘#’. If you have used either of them, replace it with “return void(0)”.
- The best way I have found in an ASP.NET application using C# is to use the AntiXSS DLLs, a product of Microsoft. They are specially designed for XSS prevention.
Please follow the instructions below to use them in your MVC C# web application:
1. Go to Solution Explorer in Visual Studio.
2. Click on your main project and go to Manage NuGet Packages.
3. Go to Online -> Search for AntiXSS -> Click the Install button.
4. Now open the References folder in your main project and you will see two DLLs named “AntiXSSLibrary” and “HtmlSanitizationLibrary”.
5. Now go to your controller, find a POST method and pass all entity field values through these DLLs' methods to filter malicious code out of your input fields.
You can write your code like this:
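As an added example of step 5 (not the code from the original post), here is a hypothetical MVC controller whose POST action passes the submitted fields through the AntiXSS library's Encoder.HtmlEncode and Sanitizer.GetSafeHtmlFragment before they are stored; the CommentViewModel class, its property names and the controller name are assumptions made for this example.

```csharp
using System.Web.Mvc;
using Microsoft.Security.Application; // namespace shared by AntiXSSLibrary and HtmlSanitizationLibrary

// Hypothetical view model; the class and property names are assumptions for this example.
public class CommentViewModel
{
    public string Author { get; set; }
    public string Body { get; set; }
}

public class CommentsController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create(CommentViewModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // Plain-text field: HTML-encode it so any markup an attacker submits
        // is stored and later rendered as literal text, not as tags or script.
        string safeAuthor = Encoder.HtmlEncode(model.Author);

        // Rich-text field: the sanitizer removes <script>, event handler
        // attributes and other dangerous constructs while keeping safe markup.
        string safeBody = Sanitizer.GetSafeHtmlFragment(model.Body);

        // ... persist safeAuthor and safeBody instead of the raw input ...

        return RedirectToAction("Index");
    }
}
```

Razor's @ syntax HTML-encodes output by default, so filtering at the input boundary complements output encoding rather than replacing it.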
It’s the best way to prevent malicious code from entering your web application through its input fields. Attackers mainly use your web application's input fields to run scripts in your application and database.
There are several vulnerability types that are commonly exploited to run malicious code and carry out suspicious activity:
A. Denial of service
B. XML external entity
C. Open redirect
D. General bypass
E. Authentication bypass
F. Remote file inclusion
G. Full path disclosure
H. Remote code execution
I. Local file inclusion
J. Cross-site request forgery
K. File upload
L. SQL injection
M. Cross-site scripting
In the above list of vulnerability types, Cross-site Scripting is the most harmful.
For more details, you can also visit the following links:
Thanks! I hope it's informative...