Basics of Cross Site Scripting (XSS) Attack on Web Applications

Introduction

I would like to share the basics of XSS attacks on web applications.

Injection of client-side scripts into a website is known as cross-site scripting (XSS). The injected content can be HTML markup or JavaScript.

There are various ways to inject a script into a browser; for example, an attacker can inject JavaScript from a TextBox, from a query string and so on.

Description of attack

By default XSS attacks are prevented by ASP.Net.

I created a sample application to test an XSS attack. I used the following procedure.

1. Created an ASPX page having the following code for the page load.

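protected void Page_Load(object sender, EventArgs e)
{
    // Read the "id" query-string parameter used in the test URLs below.
    string reqid = Request.QueryString["id"];

    if (reqid == null)
    {
        lblmsg.Text = "Default text without any attack";
    }
    else
    {
        // Deliberately writes the raw value into the page (no encoding) to test XSS.
        lblmsg.Text = reqid;
    }
}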

2. The following will be the output after running the application.

Running application
3. Modify the URL to http://localhost:56573/XssTest.aspx?id=<h3>Hello from XSS"</h3> and paste it into the browser.
 
4. We will get the following error screen: Request Validation has detected a potentially dangerous client input value, and the processing of the request has been aborted.

Request Validation
 
5. So by default request validation has been implemented by ASP.Net. (We can however disable it with some configuration changes in the application.)
 
6. The following describes how to disable the Request validation in ASP.Net.

Insert the following lines in the web.config file to disable request validation:

  • <httpRuntime requestValidationMode="2.0" />
  • <pages validateRequest="false"/>   // for all pages in applications
  • At page level we can use ValidateRequest="false" in the @ Page directive.

Aspx Code

Modify the URL to http://localhost:56573/XssTest.aspx?id=<h3>Hello from XSS"</h3> and paste it into the browser.

We will get the following screen  (we are now able to produce an XSS attack):

XSS attack
If ValidateRequest="false" is set at the page level, then we need to handle these types of input (script) manually at the code level.
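
One way to handle such input at the code level, as an added example that is not part of the original article: HTML-encode the value before it is written to the label, and optionally validate it against an allow-list. The class name XssTestDemo and the rule that id is 1 to 10 digits are assumptions; it is written as a console program so the raw and encoded outputs can be compared side by side.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

static class XssTestDemo   // hypothetical name, not from the article
{
    const string DefaultText = "Default text without any attack";

    // Same behaviour as the article's Page_Load: the raw value goes into the label.
    static string RawLabelText(string id)
    {
        return id == null ? DefaultText : id;
    }

    // Output encoding: <, >, " and & become entities, so the browser shows
    // the markup as text. In the page: lblmsg.Text = Server.HtmlEncode(reqid);
    static string EncodedLabelText(string id)
    {
        return id == null ? DefaultText : WebUtility.HtmlEncode(id);
    }

    // Input validation by allow-list. Assumption: "id" should be 1-10 digits.
    static bool IsValidId(string id)
    {
        return id != null && Regex.IsMatch(id, @"\A[0-9]{1,10}\z");
    }

    static void Main()
    {
        // Constructed inputs: no parameter, a normal id, the article's test value.
        string[] samples = { null, "42", "<h3>Hello from XSS\"</h3>" };

        foreach (string id in samples)
        {
            Console.WriteLine("input   : " + (id ?? "(none)"));
            Console.WriteLine("raw     : " + RawLabelText(id));
            Console.WriteLine("encoded : " + EncodedLabelText(id));
            Console.WriteLine("valid id: " + IsValidId(id));
            Console.WriteLine();
        }
    }
}
```

Encoding at the point of output keeps the page safe even when request validation is turned off; the allow-list check rejects the value before it is used at all.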
 
Conclusion

By default, XSS attacks are prevented by ASP.Net request validation, which is enabled by default, so ensure that it stays enabled.