Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.
Normally, when we develop a rich web application, we use JavaScript for certain types of validation and for dynamic effects. But because JavaScript is a very powerful client-side scripting language, using it increases the potential for security issues. Some common issues that arise when we use JavaScript are:
Types of cross-site scripting
There are currently three types of cross-site scripting: reflected, stored and local.
Reflected XSS is the most common type of XSS. It targets vulnerabilities that occur in some websites when data submitted by the client is immediately processed by the server to generate results that are then sent back to the browser on the client system. An exploit is successful if it can send code to the server that is included in the web page results sent back to the browser, and when those results are sent the code is not encoded using HTML special character encoding, so it is interpreted by the browser rather than displayed as inert visible text.
Stored XSS is also known as an HTML injection attack. Stored cross-site scripting exploits are those where some data sent to the server is stored (typically in a database) to be used in the creation of pages that will be served to other users later. This form of cross-site scripting exploit can affect any visitor to your website if your site is subject to a stored cross-site scripting vulnerability.
Basic steps to prevent cross-site scripting in ASP.NET
1) Check whether ASP.NET request validation is enabled. If it is not, enable it.
2) Carefully review the portions of ASP.NET logic that generate HTML code.
3) Check whether the HTML output includes input parameters. If it does, implement proper validation of the input supplied by the user. Input parameters are form fields, query strings, the cookies collection, and session or application variables. Before performing any operation on these variables, check the supplied input or apply strong validation rules to these values.
4) Encode output based on input parameters.
5) Filter input parameters for special characters.
6) Filter output based on input parameters for special characters.
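Steps 3 to 6 above as an added example (not part of the original article): a small C# console program that validates an input parameter against an allow-list and HTML-encodes it on output with `System.Net.WebUtility.HtmlEncode`, next to the unencoded form. The names `XssDemo`, `IsValidName`, `RenderGreetingUnsafe` and `RenderGreetingSafe`, the allow-list pattern and the sample values are assumptions made for illustration.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Added example; all type and method names here are hypothetical.
// Step 1 (request validation) is configuration, e.g. the validateRequest
// attribute on <pages> in web.config, and is not shown in code.
static class XssDemo
{
    // Steps 3 and 5: allow-list validation of an input parameter.
    // \A and \z anchor the whole string ($ would accept a trailing newline).
    static readonly Regex NamePattern = new Regex(@"\A[A-Za-z0-9 \-]{1,40}\z");

    public static bool IsValidName(string input) =>
        input != null && NamePattern.IsMatch(input);

    // Vulnerable form: the input parameter is concatenated into HTML as-is,
    // so markup in the input is interpreted by the browser.
    public static string RenderGreetingUnsafe(string name) =>
        "<p>Hello, " + name + "</p>";

    // Steps 4 and 6: HTML-encode the input parameter at the point of output,
    // so special characters are displayed as inert text.
    public static string RenderGreetingSafe(string name) =>
        "<p>Hello, " + WebUtility.HtmlEncode(name) + "</p>";

    static void Main()
    {
        // Constructed sample values standing in for a query-string parameter.
        string[] samples = { "Alice", "<script>alert(1)</script>", "O'Brien & Sons" };

        foreach (string s in samples)
        {
            Console.WriteLine("input   : " + s);
            Console.WriteLine("valid   : " + IsValidName(s));
            Console.WriteLine("unsafe  : " + RenderGreetingUnsafe(s));
            Console.WriteLine("encoded : " + RenderGreetingSafe(s));
            Console.WriteLine();
        }
    }
}
```

The third sample is legitimate text that the strict allow-list rejects; encoding on output is what lets such values be displayed safely when validation rules have to be looser.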