tags:

views:

232

answers:

2

Hi folks:

We have a long-running website where XSS lurks. The problem comes from the fact that some developers retrieve Request["sth"] directly - without using HtmlEncode/Decode() - to do their processing and put the result on the web.

I wonder if there is any mechanism like an HttpModule to help us HtmlEncode() all the items in an HTTP request to avoid XSS to some extent.

I would appreciate any suggestions.

Rgds, Ricky

+1  A: 

The problem is not retrieving Request data without HTML-encoding. In fact that's perfectly correct. You should not encode any text until the final output stage when you spit it into an HTML page.

Trying to blanket-encode incoming parameters, whether that's HTML-encoding or SQL-encoding, is totally the wrong thing. It may hide XSS holes in your app but it does not fix them. You will still have a hole if you output content that hasn't come from parameters, or has been processed since then. Meanwhile the automatic encoding will fill your database with multiply-escaped & crud.

You need to fix the output stage, that's where the problem lies.

bobince
Is there an off-the-shelf solution to prevent XSS in a universal way for a web site?
Ricky
No(*). There is no magic bullet, XSS can only be corrected by fixing the actual bugs. There are tools that will test your site by submitting HTML to every parameter they can find and seeing if they end up back on the page without encoding; these aren't completely foolproof either but they can give you some clues as to what areas of your code need looking at.
bobince
*: well technically yes. There are options to block or filter all incoming data for HTML, for example ASP.NET's default-on “Request Validation” feature. But they're utterly bogus and don't really protect you from the root problem of missing output-escaping, whilst also breaking your application whenever the user submits something that looks like an HTML or XML tag. This is only really of use as a temporary band-aid on a live site whilst you fix the errors in it.
bobince
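An added example (not from the original answers) that plays out bobince's argument in C#: a constructed stand-in for Request[] and for a stored row, the "encode on input" anti-pattern from the question beside output encoding, and the forgotten output sink that input encoding only hides. It assumes System.Net.WebUtility.HtmlEncode and a modern .NET console project.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

static class XssEncodingDemo
{
    // Constructed stand-ins for Request[] and for a database row; the values
    // are invented for the demo and contain only harmless markup.
    static readonly Dictionary<string, string> Request = new()
    {
        ["comment"] = "Tom & Jerry <b>rule</b>"
    };
    static readonly string ImportedTitle = "Q&A <i>digest</i>"; // never passed through Request[]

    // Anti-pattern from the question: blanket HtmlEncode on the way in.
    static string StoreEncodedOnInput(string raw) => WebUtility.HtmlEncode(raw);

    // Correct output sink: encodes exactly once, where text meets HTML.
    static string RenderParagraph(string stored) =>
        $"<p>{WebUtility.HtmlEncode(stored)}</p>";

    // The actual bug: an output sink that forgot to encode.
    static string RenderUnencoded(string stored) => $"<p>{stored}</p>";

    static void Main()
    {
        string raw = Request["comment"];

        // 1. Encode on input, then (correctly) encode on output: double escaping.
        //    Stored value is "Tom &amp; Jerry &lt;b&gt;rule&lt;/b&gt;"; rendering
        //    encodes each entity's '&' again, so the browser displays the
        //    literal text "Tom &amp; Jerry &lt;b&gt;rule&lt;/b&gt;" to the user.
        Console.WriteLine(RenderParagraph(StoreEncodedOnInput(raw)));

        // 2. Encode on input, render through the forgotten sink. Data that came
        //    via Request[] happens to be safe, which is what hides the bug...
        Console.WriteLine(RenderUnencoded(StoreEncodedOnInput(raw)));

        // 3. ...until the same sink renders data from another source. Nothing
        //    encoded it on the way in, so its markup lands in the page verbatim.
        Console.WriteLine(RenderUnencoded(ImportedTitle));

        // 4. Store raw, encode at every output sink: correct for both sources,
        //    no double escaping, and the database keeps the user's real text.
        Console.WriteLine(RenderParagraph(raw));
        Console.WriteLine(RenderParagraph(ImportedTitle));
    }
}
```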
A: 

Like bobince said, this is an output problem, not an input problem. If you can isolate where this data is being output on the page, you could create a Filter and add it to the Response object. This filter would isolate the areas that are common output and then HtmlEncode them.

Mike J
Is there an off-the-shelf solution for preventing XSS in a universal way for a web site?
Ricky