Avoiding Cross Site Scripting Exploits (XSS) in ASP.NET 2.0

You’ve probably heard about cross site scripting (XSS) exploits, which attackers have been using for some time to run their own script in other people’s browsers. Here is how they work:

An attacker notices that your site includes user input in the page it displays. This is common in pages that collect and show user details. If that input isn’t checked or encoded when it is written out, the attacker can enter JavaScript (inside a <script> tag, say) as input, and when your site displays it back the browser executes it as code in the context of your site, with access to the visitor’s cookies and session. This is a particular problem when the input is saved to the database and later displayed to -other- users (stored XSS): every visitor who views that page runs the attacker’s script.

ASP.NET 2.0 helps you solve that problem in a very simple way.

The Literal control, one of the controls commonly used for displaying output to the user, now has a “Mode” attribute (the Label control does not). Setting it to “Encode” ensures that any HTML-significant characters found inside the Text attribute (such as ‘<‘, ‘>’, ‘&’ and ‘"’), which would otherwise make the browser treat the text as markup and possibly run a script, are written out as HTML entities instead (&lt; for ‘<’, &gt; for ‘>’, and so on). The browser then shows them as literal text, so any script that was entered is displayed rather than run. This is HTML entity encoding, not the %20-style percent encoding used in URLs and filenames; percent encoding does not make text safe to place in a page.

Not all controls provide this functionality though, so there is another option. ASP.NET provides the HttpUtility class (in System.Web), and its HtmlEncode method will, as above, render provided text safe for display in the body of a page: call it on the untrusted value before assigning it to the control’s Text property. The companion HtmlAttributeEncode method is the right choice when the value goes inside an HTML attribute, and UrlEncode when it goes into a URL; each context needs its own encoding, and encoding for the wrong context leaves the hole open.
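Here is a code-behind page that puts both options together. It is an added example, not code from the original post; the control IDs (displayName, displayLabel), the page class name and the “name” query-string key are assumptions made for illustration.

```csharp
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Code-behind for a page that echoes a value from the request back to the user.
// The control IDs (displayName, displayLabel) and the "name" query-string key
// are assumptions made for this example.
public partial class ProfilePage : Page
{
    // These fields correspond to controls declared in the .aspx markup, e.g.
    //   <asp:Literal ID="displayName"  runat="server" Mode="Encode" />
    //   <asp:Label   ID="displayLabel" runat="server" />
    protected Literal displayName;
    protected Label displayLabel;

    protected void Page_Load(object sender, EventArgs e)
    {
        // Anything that came from a request (query string, form fields, cookies)
        // or was stored earlier by a user is untrusted and must be encoded
        // before it is placed in the page.
        string untrusted = Request.QueryString["name"] ?? string.Empty;

        // Option 1: Literal with Mode="Encode". The control HTML-encodes Text
        // when it renders, so an input of <script>alert(1)</script> reaches the
        // browser as &lt;script&gt;alert(1)&lt;/script&gt; and is shown as text.
        displayName.Mode = LiteralMode.Encode; // same as Mode="Encode" in the markup
        displayName.Text = untrusted;

        // Option 2: Label has no Mode property, so encode explicitly before
        // assigning. HttpUtility.HtmlEncode turns <, >, & and " into entities.
        displayLabel.Text = HttpUtility.HtmlEncode(untrusted);

        // Vulnerable form, for comparison (do not do this):
        //   displayLabel.Text = untrusted;
        // The raw string becomes part of the page markup and any script in it runs.

        // When you build markup yourself, encode for the context the value lands in:
        // HtmlEncode for element content, HtmlAttributeEncode for attribute values.
        // In the 2.0 framework neither method encodes the single quote, so always
        // delimit attributes with double quotes as done here.
        string html = "<a href=\"/profile\" title=\""
                    + HttpUtility.HtmlAttributeEncode(untrusted) + "\">"
                    + HttpUtility.HtmlEncode(untrusted) + "</a>";
        Response.Write(html);
    }
}
```

Try it with a query string such as ?name=<script>alert(1)</script>: the page should show the tag as text and no dialog should appear. The encoding is applied at the point of output, so it works the same whether the value arrived in this request or was read back from the database.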

A lot of big sites have been caught by XSS errors, and they can creep in very easily. Encoding every untrusted value at the point where it is written into the page is a simple way to minimize the risk with very little extra work.
