Cross Site Scripting (XSS): An Overview - Two Cases: True and False
(Page 4 of 5)
CASE I: validateRequest="false"
If you don't want the input to be validated, use the following strategies to cope with XSS:
HTML encode
Not a guaranteed method, but it still helps to minimize the harm an attack can do.
Replace
Use some kind of Replace function to remove the special characters that you think can harm your website. I use the following Replace function in my C# code; VB.Net also provides a Replace function you can use.
    using System;

    public static class TextFilter
    {
        // Replaces every occurrence of strFind in strText with strReplace.
        public static String mReplace(String strText, String strFind, String strReplace)
        {
            // Guard: with an empty search string IndexOf would return 0 forever.
            if (strText == null || String.IsNullOrEmpty(strFind))
                return strText;
            // Ordinal comparison so culture rules cannot make a match be skipped.
            int iPos = strText.IndexOf(strFind, StringComparison.Ordinal);
            String strReturn = "";
            while (iPos != -1)
            {
                // Copy the text before the match, then the replacement.
                strReturn += strText.Substring(0, iPos) + strReplace;
                // Continue searching after the match.
                strText = strText.Substring(iPos + strFind.Length);
                iPos = strText.IndexOf(strFind, StringComparison.Ordinal);
            }
            // Append whatever remains after the last match.
            if (strText.Length > 0)
                strReturn += strText;
            return strReturn;
        }
    }
Call the function above for each of the following special characters
< > " ' % ; ) ( & +
with the corresponding replacement string (strReplace) that suits your code.
I like to use replacements that look like the special characters above but have a different meaning for the browser. You can use anything you like:
    strFind    strReplace
    '          ` (the backtick, on the key shared with ~)
    "          ` (the backtick, on the key shared with ~)
    <          « (ALT+174)
    >          » (ALT+175)
Caution:
When using HTMLEncode() or Replace(), keep in mind that these functions can increase the length of the string whenever strReplace is longer than strFind, and the longer value can then cause a SQL Server error when it is stored. So if you need to validate the length of the string, do it after the HTMLEncode() or Replace() calls, not before.
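As an added example (not the article's own code), the following C# console program applies both strategies described above, the lookalike Replace table and HTML encoding, to a constructed input and checks the length only after encoding, as the Caution advises. WebUtility.HtmlEncode stands in for the HTMLEncode() the article refers to, and the 40-character column width is a hypothetical value.

```csharp
using System;
using System.Net;

// Added example, not from the original article: the Replace strategy and the
// HTML-encode strategy side by side, plus the post-encoding length check.
public static class XssInputDemo
{
    // Lookalike replacements from the article's table: both quote styles become
    // a backtick, '<' and '>' become the guillemets « and ».
    private static readonly string[,] Lookalikes =
    {
        { "'", "`" }, { "\"", "`" }, { "<", "\u00AB" }, { ">", "\u00BB" },
    };

    // The article's Replace strategy: swap each listed character for its lookalike.
    // This is lossy; the stored text no longer matches what was typed.
    public static string ReplaceSpecials(string text)
    {
        for (int i = 0; i < Lookalikes.GetLength(0); i++)
            text = text.Replace(Lookalikes[i, 0], Lookalikes[i, 1]);
        return text;
    }

    // The HTML-encode strategy followed by the length check. A value that fits the
    // column as typed can overflow it once '<' becomes "&lt;" (4 chars),
    // '"' becomes "&quot;" (6 chars) and '&' becomes "&amp;" (5 chars).
    public static bool EncodeAndCheckLength(string raw, int columnWidth, out string encoded)
    {
        encoded = WebUtility.HtmlEncode(raw);
        return encoded.Length <= columnWidth;
    }

    public static void Main()
    {
        const int columnWidth = 40;               // hypothetical NVARCHAR(40) column
        string raw = "<b>\"Hi\" & bye</b>";        // constructed input, 17 characters

        Console.WriteLine($"raw ({raw.Length}): {raw}");
        string replaced = ReplaceSpecials(raw);   // still 17 characters, 1:1 swaps
        Console.WriteLine($"replaced ({replaced.Length}): {replaced}");

        bool fits = EncodeAndCheckLength(raw, columnWidth, out string encoded);
        Console.WriteLine($"encoded ({encoded.Length}): {encoded}");
        // The 17 raw characters fit, but the 43-character encoded value does not;
        // a length check done before encoding would have let it through.
        Console.WriteLine(fits ? "fits column" : "too long for column after encoding");
    }
}
```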
CASE II: validateRequest="true"
If you leave the default in place and let the input be validated, use the following strategies to cope with XSS:
Still use a Replace function like the one above to deal with SQL injection, especially for the single quote character ('), since it is used as a delimiter in SQL. The single quote character is not caught by .Net's input validation.
To trap the default error message you can use either of the following two approaches:
1. Page_Error Method: For an individual page only. Use this method if you want different error messages for different web pages.
    // Page-level handler, called when this page raises an unhandled error
    // (including the error raised when request validation rejects the input).
    void Page_Error(object sender, EventArgs e)
    {
        // Show a fixed message instead of the default error page, then clear the error.
        Response.Write("<B>Access Denied</B>");
        Server.ClearError();
    }
2. Application_Error Method: For the application level. To be added to the Global.asax file. Note: if you are building a web project, the code-behind of Global.asax already has this method defined; just add your function body to handle the problem. Otherwise create a Global.asax file with a text editor and embed the following code in it.
Use this method if you want a common message for all the web pages.
    <script language="C#" runat="server">
    // Application-level handler, called for unhandled errors on any page.
    void Application_Error(object sender, EventArgs e)
    {
        // Show a fixed message instead of the default error page, then clear the error.
        Response.Write("<B>Access Denied</B>");
        Server.ClearError();
    }
    </script>
Always Remember: Never display what the user has entered without validating it, not even to tell them that an XSS attempt was detected. If possible, apply the Replace function to the output as well.
More By Lisa Welch