Tuesday, August 21, 2007

Script Exploits

A script exploit is the scenario in which a web application allows any user to insert malicious code (JavaScript) into the textbox controls on a web page and stores it in the DB. When another user later requests the same information, the malicious code is executed and can create havoc, because from the perspective of a browser a Web page is simply a long string of characters. The browser processes the string sequentially, displaying some characters while interpreting other characters, such as < and >, according to special rules. If a malicious user can insert some of those special characters into a page, the browser will not know that the characters are not supposed to be there, and it will process them as part of the page.

Protection

ASP.NET provides you with several ways to help protect against scripting exploits. It performs request validation against query-string and form variables as well as cookie values. By default, if the current Request contains HTML-encoded elements or certain HTML characters (such as &mdash; for an em dash), the ASP.NET page framework raises an error. But if you want your application to accept some HTML (for example, some formatting instructions from users), you should encode the HTML at the client before it is submitted to the server, using the Server.HtmlEncode method. To display the same code that you have encoded, you can use the Server.HtmlDecode method to decode it.

Example:
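// Encode the tag so it is stored and handled as text, not markup
string Str = Server.HtmlEncode("<br>");
// Decode it back to the original characters for the TextBox
TextBox1.Text = Server.HtmlDecode(Str);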

In the code above, the HtmlEncode method encodes the HTML tag <br> to "&lt;br&gt;", and the HtmlDecode method decodes it back to <br>.

Note:
This example will only work if you disable request validation in the page by adding the @ Page attribute ValidateRequest="false". It is not recommended that you disable request validation in a production application, so make sure that you enable request validation again after viewing this example.
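
One way to accept a small set of formatting tags, as described under Protection: encode the whole string on the server, then restore only an exact allow-list of tags. This is an added example, not code from the original post; it uses System.Net.WebUtility so that it runs as a console program, and the CommentRenderer class, the Render method and the allow-list of b and i are assumptions.

```csharp
using System;
using System.Net;
using System.Text;

static class CommentRenderer
{
    // Formatting tags the application chooses to accept (assumption of this example).
    static readonly string[] AllowedTags = { "b", "i" };

    // Encode everything first, then restore only the exact allow-listed tags.
    // Anything else, including allowed tags that carry attributes, stays encoded.
    public static string Render(string untrusted)
    {
        var sb = new StringBuilder(WebUtility.HtmlEncode(untrusted));
        foreach (string tag in AllowedTags)
        {
            sb.Replace("&lt;" + tag + "&gt;", "<" + tag + ">");
            sb.Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }
        return sb.ToString();
    }

    static void Main()
    {
        // Constructed sample input: an allowed tag, a script element,
        // and an allowed tag name carrying an event-handler attribute.
        string[] samples =
        {
            "Nice <b>post</b>!",
            "<script>alert(1)</script>",
            "<b onmouseover=\"alert(1)\">hover</b>"
        };
        foreach (string s in samples)
            Console.WriteLine(Render(s));
    }
}
```

Because only the exact strings for the bare tags are restored, the script element and the opening tag with the attribute are written to the page as inert text.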

ValidateRequest

It indicates whether request validation should occur. If true, request validation checks all input data against a hard-coded list of potentially dangerous values. If a match occurs, an HttpRequestValidationException is thrown. The default is true.

Reference:
http://msdn2.microsoft.com/en-us/library/w1sw53ds.aspx
