views:

578

answers:

5

What's the best way to prevent javascript injections in a VB.NET Web Application? Is there some way of disabling javascript on the pageload event?

Recently, part of the security plan for our vb.net product was to simply disable buttons on the page that weren't available to the specific user. However, I informed the guy who thought of the idea that typing

javascript:alert(document.getElementById("Button1").disabled="")

in the address bar would re-enable the button. I'm sure that someone else has ran into issues like this before, so any help is appreciated. Thanks!

Update: Aside from validating user input, how can I protect the website from being toyed with from the address bar?

Thanks for the input! I appreciate it!

+6  A: 

The most important item to consider is html encoding the user input. If the user enters <script> it'll get converted to &lt;script&gt; etc.

Update: If expecting input from the url / querystring, validate the data with extreme measures. If possible white list the data received. When white listed, you're ensuring only what you deem correct and safe is a viable submission.

Never trust the users' input.

Ian Suttle
+2  A: 

Always validate user input.

Julien Chastang
+10  A: 

Any changes you make to the client-side behavior of your application are superficial and not secure at all. You should not rely upon these. They are nice to stop 99% of users, but it is trivially easy to bypass them. You should be checking whether a user has the right privileges for the action on the server side when the action is called, so that if someone did decide to re-enable the button themselves they would not be able to do whatever the button is meant to do. You have no control over what someone can do to the page with javascript, so you should never trust anything coming from the client.

Response to update: You can't in any practical way, which is exactly what the problem is. Once the website is in their browser, it's a free-for-all and they can have a go at it. Which is why your program should validate everything server side, every time.

Paolo Bergantino
We were hoping that we wouldnt have to check user permissions anytime a function is called from a button, but from what I've read on other forums and sites, it looks like you're right.
Paxenos
Anything running on the client side is untrusted - even assuming that the browser could somehow be told not to run javascript (it can't, and there are javascript: urls, firebug, web inspector, etc) you can't even be sure it's a real browser at the other end; remote requests cannot trusted, ever.
olliej
+2  A: 

Never trust data from the clients. Always validate data and permissions on the server side, where you are in control. Remember that the user (or any other application) can send to you whatever data they want to.

MattJ
+1  A: 

It doesn't matter what you do to lock down the interface via javascript, your data can always be manipulated somehow. There are various tools, such as fiddler which can be used to modify, or recreate postbacks/requests.

Even if you find a way to lock things down, you're in an arms race if your data is important enough to the attacker. The most viable option is to validate your input server side.

Gavin Miller