Windows Security
  Home arrow Windows Security arrow Page 3 - Cross Site Scripting (XSS): An Overview
ASP Free Forums 
.NET  
ASP  
ASP Code  
ASP.NET  
ASP.NET Code  
BrainDump  
C#  
Code Examples  
Database  
Database Code  
IIS  
Microsoft Access  
MS SQL Server  
Visual Basic.NET  
Windows Scripting  
Windows Security  
XML  
ASP Web Hosting  
ASP.NET Web Hosting 
Dedicated Servers 
Actuate Whitepapers 
VeriSign Whitepapers 
Windows Web Hosting
 
IBM® developerWorks 
Sun Developer Network 
Weekly Newsletter
 
Developer Updates  
Free Website Content 
 RSS  Articles
 RSS  Forums
 RSS  All Feeds
Write For Us Get Paid 
Request Media Kit
Contact Us 
Site Map 
Privacy Policy 
Support 
 USERNAME
 
 PASSWORD
 
 
  >>> SIGN UP!  
  Lost Password? 
WINDOWS SECURITY

Cross Site Scripting (XSS): An Overview
By: Lisa Welch
  • Search For More Articles!
  • Disclaimer
  • Author Terms
    		•
    Rating: 3 stars3 stars3 stars3 stars3 stars / 8
    2004-07-19

    Table of Contents:
  • Cross Site Scripting (XSS): An Overview
  • The Threats of Cross-site Scripting
  • Possible Solutions
  • Two Cases: True and False
  • Conclusion and Checklist for Data ValidateRequest
    		•

    Rate this Article: Poor Best 
      ADD THIS ARTICLE TO:
      Del.ici.ous Digg
      Blink Simpy
      Google Spurl
      Y! MyWeb Furl
    Email Me Similar Content When Posted
    Add Developer Shed Article Feed To Your Site
    Email Article To Friend
    Print Version Of Article
    PDF Version Of Article
    		 
     
    ADVERTISEMENT

    Stay one step ahead of the competition. Evaluate and give feedback on some of the hottest web development tools on the market today. Make your opinion heard! Click Here

    Cross Site Scripting (XSS): An Overview - Possible Solutions
    (Page 3 of 5 )

    As a Web User:

    The first and most effective solution is to disable all scripting language support in your browser and email reader. But the method is not practical as almost all the websites need this to be enabled.

    Reasonable caution should be taken when clicking links in anonymous e-mails and dubious web pages.

    As a web user, you can’t do much to safeguard you against XSS but must pay extra attention while visiting new sites or following links posted on message boards and like. And as a rule never download files or follow links sent to you from some unknown source.

    As a Web Developer:

    As a first step, never compromise on validating input. If you are using post method for data submission then client side checks might be sufficient but it is all the more necessary to do server side validation if you are using Get method to retrieve data.

    For efficiency reasons use both server side and client side scripting.

    Even after all kinds of validation, do use some kind of HTML escaping must be done to avoid XSS.

    As a .Net Web Developer

    To protect against XSS attacks, the ASP.NET team has added a new feature to ASP.NET 1.1 called Request Validation. Request Validation checks the query string, form input, and other input data for indications of HTML elements, script blocks, or other potentially dangerous data. If such data is found, an exception of type HttpRequestValidationException is thrown.

    Request Validation is enabled by default, and can be disabled either at the application level using the validateRequest attribute of the <pages> configuration element:

    <page validateRequest="false"/>

    Or at the page level using the validateRequest attribute of the @ Page directive:

    <% @ Page ValidateRequest="false" %>

    Note:

    It is highly recommended that you do not disable Request Validation unless you have first ensured that all input to the page or application is being appropriately validated and/or filtered for potentially dangerous data. Failure to heed this recommendation can result in data loss or other serious security problems.

    If ValidateRequest is true, entering dangerous data would give a server error whenever user tries to enter malicious data. But you may not want your users to get an impression that it is your server which is at fault rather than his/her input.

    Next: Two Cases: True and False >>
     

    More Windows Security Articles
    More By Lisa Welch


     
    >>> Be the FIRST to comment on this article!

    WINDOWS SECURITY ARTICLES

    - Advanced Data Protection in Windows
    - Basic Data Protection in Windows
    - Windows XP Security
    - Lucky You, Microsoft has Sent You an Email! ...
    - Implementing a PKI, Part III: Managing Micro...
    - Windows 2000 Security
    - A Security Roadmap
    - Implementing a Public Key Infrastructure (PK...
    - Hardening Communications
    - Windows Host Security: Network Security Hacks
    - Hardening Wireless LAN Connections, Part 2
    - Hardening Wireless LAN Connections Part 1
    - Windows Reverse Engineering
    - Microsoft's Latest Security Updates -- The G...
    - Cross Site Scripting (XSS): An Overview
    Find More Windows Security Articles




    © 2003-2008 by Developer Shed. All rights reserved. DS Cluster 2 hosted by Hostway