Cross site scripting is also known as “XSS”. There are so
many users who don’t know that what is XSS and how it will affect them. Here I
give you an introductory knowledge that what is XSS and how we can prevent our
Cross-Site Scripting attacks are a type of injection problem,
in which malicious scripts are injected into the otherwise benign and trusted
web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web
application to send malicious code, generally in the form of a browser side
script, to a different end user. Flaws that allow these attacks to succeed are
quite widespread and occur anywhere a web application uses input from a user in
the output it generates without validating or encoding it.
Normally when we develop any rich web application then we
use concept of java script for certain types of validation and improving
dynamic motion type effects. But by using java script as it is very powerful
client side script we increase the potential for security issues. Some common
issues which is generated while we use java script are:
make changes to the local system, such as copying or deleting files.
monitor activity on the local system, such as with keystroke logging.
interact with other Websites the user has open in other browser windows or
Types of cross-site scripting
There is currently three types of cross scripting occurs
which is Reflected, stored and local.
This is a most common type of XSS. It targets
vulnerabilities that occur in some websites when data submitted by the client
is immediately processed by the server to generate results that are then sent
back to the browser on the client system. An exploit is successful if it can
send code to the server that is included in the Web page results sent back to
the browser, and when those results are sent the code is not encoded using HTML
special character encoding — thus being interpreted by the browser rather than
being displayed as inert visible text.
It is also known as Html injection attacks. Stored
cross-site scripting exploits are those where some data sent to the server is
stored (typically in a database) to be used in the creation of pages that will
be served to other users later. This form of cross-site scripting exploit can
affect any visitor to your website, if your site is subject to a stored
cross-site scripting vulnerability.
A local cross-site scripting exploit targets vulnerabilities
within the code of a webpage itself. These vulnerabilities are the result of
actually alter the code in the first page on the local system.
Basic steps to prevent cross-site scripting in ASP.NET
Check whether ASP.NET request validation is
enabled or not. If not enabled then enabled it.
Check carefully that portion of logic in asp.net
which will generate html code.
Check whether html output includes input
parameter or not. If it contains input parameter then implement proper
validation to validate input supplied by user. Input parameters are form
fields, query string, coolies collection and session or application variable.
Before operating any operation on these variables properly check supplied input
or provide strong validation rule to validate these values.
Encode output based on input parameters.
Filter input parameter for special character.
Filter output based on input parameter for