Cross Site Scripting (XSS) is one of the major OWASP security risks (see the article on the Top 10 OWASP security risks), and it is generally found in web applications. Through Cross Site Scripting, attackers inject client-side content (HTML, CSS or JavaScript) into web pages, and can, for example, redirect users to malicious web sites where their information can be stolen.
Let’s discuss Cross Site Scripting (XSS) with a simple example: users provide feedback on the service you provide, and all the feedback has to be displayed in a grid that is common to all users. Open Microsoft Visual Studio 2015 -> Create a new ASP.NET Web Application. Design the feedback form as shown below.
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="WebForm1.aspx.cs" ValidateRequest="false" Inherits="XSSExample.WebForm1" %>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>Feedback</title>
</head>
<body>
    <form id="form1" runat="server">
        <div>
            <asp:Label ID="lblName" runat="server" Text="Name:"></asp:Label>
            <asp:TextBox ID="txtName" runat="server"></asp:TextBox>
            <br />
            <br />
            <asp:Label ID="lblFeedback" runat="server" Text="Feedback: "></asp:Label>
            <asp:TextBox ID="txtFeedback" TextMode="MultiLine" runat="server"></asp:TextBox>(You can use html tags)
            <br />
            <br />
            <asp:Button Text="Save Feedback" runat="server" ID="btnSave" OnClick="btnSave_Click" />
            <br />
            <br />
            <br />
            <br />
            <asp:ListView ID="lvFeddbacks" runat="server">
                <LayoutTemplate>
                    <table border="1">
                        <tr>
                            <th>Name</th>
                            <th>Message</th>
                        </tr>
                        <asp:PlaceHolder ID="itemPlaceholder" runat="server"></asp:PlaceHolder>
                    </table>
                </LayoutTemplate>
                <ItemTemplate>
                    <tr>
                        <td>
                            <%-- Eval() output is written to the page without HTML encoding --%>
                            <%# Eval("Name") %>
                        </td>
                        <td>
                            <%# Eval("Message") %>
                        </td>
                    </tr>
                </ItemTemplate>
            </asp:ListView>
        </div>
    </form>
</body>
</html>
As shown above, we have set ValidateRequest to false so that HTML input is accepted in the feedback (otherwise ASP.NET request validation rejects it). Let’s save the user feedback in an XML file as shown below; you can use any data source you like.
using System;
using System.Data;
using System.IO;
using System.Xml;

namespace XSSExample
{
    public partial class WebForm1 : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            if (!IsPostBack)
            {
                Display();
            }
        }

        protected void btnSave_Click(object sender, EventArgs e)
        {
            string sFile = Server.MapPath("Feedbacks.xml");
            XmlDocument xdoc = new XmlDocument();
            if (File.Exists(sFile))
            {
                xdoc.Load(sFile);
            }
            else
            {
                // First run: start with an empty root so Load() does not fail on a missing file
                xdoc.LoadXml("<Feedbacks />");
            }
            XmlNode root = xdoc.DocumentElement;

            // The user's text is stored as-is; InnerText escapes it for the XML file,
            // but it is read back unchanged and rendered raw by the ListView
            XmlElement xelement = xdoc.CreateElement("Feedback");
            XmlElement xName = xdoc.CreateElement("Name");
            xName.InnerText = txtName.Text;
            xelement.AppendChild(xName);
            XmlElement xFeedback = xdoc.CreateElement("Message");
            xFeedback.InnerText = txtFeedback.Text;
            xelement.AppendChild(xFeedback);
            root.AppendChild(xelement);
            xdoc.Save(sFile);
            Display();
        }

        private void Display()
        {
            try
            {
                DataSet ds = new DataSet();
                ds.ReadXml(Server.MapPath("Feedbacks.xml"));
                lvFeddbacks.DataSource = ds.Tables[0];
                lvFeddbacks.DataBind();
            }
            catch (Exception)
            {
                // No feedback file yet (or no rows): leave the list empty
            }
        }
    }
}
Here we save the feedback in an XML file and display it in an ASP.NET ListView, which produces the output shown below.
As you can see, the second feedback uses the HTML tag <b> to make its content bold. This works well as long as the user enters plain text or simple HTML as feedback; the problem arises when a user enters JavaScript in the feedback.
For example, if a user enters "Good…<script>window.location.href='https://www.google.com'</script>" as feedback, it is saved to the XML file without complaint, because we allowed HTML tags by setting ValidateRequest to false. But every user who opens your application is then redirected to https://www.google.com, because the stored script runs in each visitor's browser. This is Cross Site Scripting (XSS); more precisely, stored XSS, since the payload is served to everyone from your data store. Here we only used google.com in the script, but an attacker would use a malicious URL, and all your users would be redirected to that site whenever they open your application. The source code is provided below; remove the Hacker entry from the Feedbacks.xml file to stop the redirection to google.com.
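The root cause is that `<%# Eval("Message") %>` writes the stored text into the page as raw HTML. The usual fix is output encoding: convert `<`, `>`, `&` and quotes into HTML entities at render time, so the browser displays the script as text instead of executing it. The following is an added example, not code from the original article: a small console program (assumed names `FeedbackEncoder`, `Encode`, `RenderRow`) that renders the same two feedback rows once raw, the way the ListView above does, and once encoded with `System.Net.WebUtility.HtmlEncode`. In the markup itself the equivalent is the encoding data-binding syntax `<%#: Eval("Message") %>` available since ASP.NET 4.5, which the Visual Studio 2015 project here can use.

```csharp
using System;
using System.Net;

namespace XSSExample
{
    // Added example: HTML-encode user-supplied feedback before writing it into the page.
    public static class FeedbackEncoder
    {
        // Turns <, >, &, " and ' into entities so the browser treats the value as text.
        public static string Encode(string userInput)
        {
            if (userInput == null)
            {
                return string.Empty;
            }
            return WebUtility.HtmlEncode(userInput);
        }

        // Builds one table row the way the ItemTemplate does, but with encoded cells.
        // This is what <%#: Eval("Name") %> / <%#: Eval("Message") %> would emit.
        public static string RenderRow(string name, string message)
        {
            return "<tr><td>" + Encode(name) + "</td><td>" + Encode(message) + "</td></tr>";
        }

        // Builds the same row without encoding: what <%# Eval(...) %> emits today.
        public static string RenderRowRaw(string name, string message)
        {
            return "<tr><td>" + name + "</td><td>" + message + "</td></tr>";
        }

        public static void Main()
        {
            // Constructed sample records; the second one is the payload quoted in the article.
            string[][] feedbacks =
            {
                new[] { "Alice", "Nice service, <b>thanks</b>" },
                new[] { "Hacker", "Good…<script>window.location.href='https://www.google.com'</script>" }
            };

            foreach (string[] fb in feedbacks)
            {
                Console.WriteLine("Raw:     " + RenderRowRaw(fb[0], fb[1]));
                Console.WriteLine("Encoded: " + RenderRow(fb[0], fb[1]));
                Console.WriteLine();
            }
        }
    }
}
```

In the encoded output the `<script>` element survives only as literal text, so nothing runs when the page loads. Note the trade-off: encoding also turns the `<b>` in the first row into visible text, so the "you can use html tags" feature of the form no longer works. Keeping a safe subset of tags while still blocking script requires an allow-list sanitizer rather than plain encoding, which is the job of a library such as the Anti-XSS framework mentioned at the end of this article.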
In my next article I will show how to solve the Cross Site Scripting (XSS) problem using the Microsoft Anti Cross Site Scripting framework.