Paranoia: Cross Site Scripting

They’re watching you, you know that? They’ve been scoping you out for quite some time, looking at ways to screw with you and your site.

All right, you think your code is secure, eh? Got the latest handy-dandy encryption on your stuff, and you’re all up to snuff on your patches and service packs. But you know what? You’re making a critical blunder on your site, and you might not even know it.

The Problem

If you’re taking information passed in on a querystring and then you Response.Write it straight out onto the page, uh-oh brother, you’ve got problems… You’re ripe for the picking with Cross Site Scripting. The same goes for anything else a visitor controls (form fields, cookies, request headers, data you stored earlier) that ends up in your HTML without being encoded, but the querystring is the easiest place to see it. Unless you already know where I’m going with this, read on.

Say you’re passing a user’s first name from one page to another and then displaying that querystring value on the page with a Response.Write. You’re setting yourself up for disaster! Look at this innocent querystring:

http://whatzit.com/whatthe/WebForm1.aspx?fName=Lumpy 

You’re trying to make poor Lumpy’s user experience a little brighter, so you’re being nice and executing the following code:

Response.Write("Hello " + Request.QueryString["fName"]);

When you run this code against the querystring above, you get the following output:

Hello Lumpy

But if I were the evil Eddie, I’d sneak a little bit of JavaScript in on you when you weren’t looking!

http://whatzit.com/whatthe/WebForm1.aspx?fName=<script language='javascript'>alert("beotch");</script>

Guess what? If you paste this into your URL, the browser will popup a nice little box telling you “beotch” …er, whatever that means!

How in the world did this happen? Oh my! The browser can’t tell your HTML from the attacker’s; it just sees one page coming from your site. So any JavaScript an attacker can get into that querystring runs in the visitor’s browser with the full rights of your page (your cookies, your session, your DOM). That’s the Cross Site Scripting vulnerability.

Check out this URL…

http://whatzit.com/whatthe/WebForm1.aspx?fName=<script language='javascript'>window.navigate('http://mrPron');</script> 

Ok, yeah. Now it’s getting scary… (window.navigate is an Internet Explorer-only call; setting window.location does the same thing in every browser.) ‘But,’ you’re thinking, ‘So what? I mean, who cares if I can paste JavaScript onto my own copy of someone’s site..?’ Well, wait a minute. Check out this next line… It’ll make you think.

<a href="http://whatzit.com/whatthe/WebForm1.aspx?fName=<script language='javascript'>window.navigate('http://mrPron');</script>">Mole Hair Removal</a>

I send someone a seemingly valid link to your URL. In fact, they really do land on your site, but they also get something else: the nasty little JavaScript I’ve embedded in the link, served to them by you.

Pretty bad, eh? Imagine someone sends around your URL and the next thing the end user knows, they’re face to face with a bizarre picture depicting various unmentionables and bids for online casinos… You get the idea. Something you don’t want your Grandma to see when she’s expecting pictures of little Johnny…
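To see the whole trip the payload makes, here is an added example that is not part of the original article: a Node.js stand-in for the vulnerable WebForm1.aspx page (the article’s own code is C#). It takes the link an attacker would actually send, with the payload percent-encoded the way a browser encodes it, and shows that the server decodes it before concatenating, so the raw script tag lands in the response. The base URL and payload are the article’s; the function names and the string test for a script element are my own.

```javascript
// Added example, not from the original article. Node.js stand-in for the
// article's WebForm1.aspx page; names here are mine.

// The server side of the article, translated literally:
// Response.Write("Hello " + Request.QueryString["fName"]) with no checks.
function vulnerableGreeting(requestUrl) {
  const url = new URL(requestUrl);
  // Like Request.QueryString, searchParams.get() returns the DECODED value,
  // so %3C has already become '<' by the time it is written into the page.
  const fName = url.searchParams.get('fName');
  if (fName === null) return '';
  return 'Hello ' + fName;
}

// Crude check for whether the rendered response now carries a script element.
// A string test for illustration, not an HTML parser.
function containsScriptTag(html) {
  return /<script\b[^>]*>[\s\S]*?<\/script\s*>/i.test(html);
}

// Build the link an attacker mails out. A browser percent-encodes the payload
// before sending it; encodeURIComponent produces that wire form.
function buildLink(base, payload) {
  return base + '?fName=' + encodeURIComponent(payload);
}

const BASE = 'http://whatzit.com/whatthe/WebForm1.aspx'; // from the article
const PAYLOAD = "<script language='javascript'>alert(\"beotch\");</script>"; // the article's payload

// Lumpy's benign request.
const benign = vulnerableGreeting(BASE + '?fName=Lumpy');

// Evil Eddie's link, in the encoded form the browser really sends ...
const attackUrl = buildLink(BASE, PAYLOAD);
// ... and what the page writes back after the server decodes the querystring.
const attacked = vulnerableGreeting(attackUrl);

console.log(attackUrl);
console.log(benign);
console.log(attacked);
```

The point to take away is the last line: a filter that looks at the raw URL for a literal < would never see one, because the wire form is %3C. Any check has to run on the decoded value, which is exactly what Request.QueryString hands you.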

So, how do you prevent Cross Site Scripting? Heh heh, I thought you’d never ask!

The Solution

First off, let’s get a couple of things straight — be smart, not stupid. Follow these simple rules:

  1. If you’re expecting a particular type of data, check that it really is what you’re expecting (a number should parse as a number, a name should look like a name).

  2. Check the length. If you expect an fName of no more than 25 characters, chop the extra characters off and drop ‘em. Don’t give evil Eddie any room to do a lot of damage.

  3. Decide which characters are valid and reject everything else. A whitelist of allowed characters beats hunting for bad ones like < or > or the ubiquitous ;, because you will never think of every bad one. Don’t just take whatever you get from the querystring; question all your input. Trust no one. Really.

Ok, here’s a smidget of code — obviously, you’ll want to flesh this out to fit your particular site:

using System.Text.RegularExpressions;

// Returns true when QS contains any character that is NOT a digit or an
// ASCII letter, i.e. true means "reject this value".
private bool checkValueQS(string QS)
{
    // Match a single character outside the allowed set 0-9, a-z, A-Z.
    Regex r = new Regex("[^0-9a-zA-Z]");

    // Find a single match in the string.
    Match m = r.Match(QS);

    // A successful match means a forbidden character is present.
    if (m.Success)
    {
        return true;
    }
    return false;
}

This isn’t Rocket Science; it’s pretty easy in concept. All I’m doing is matching against anything that is NOT a number 0-9 or a letter a-z or A-Z. One hit and the value is forbidden. (Request.QueryString has already URL-decoded the value, so a %3C is tested as a real <.) You can then redirect your malicious end user who was trying to pass in the ‘ol script tags. One more thing the whitelist doesn’t do for you: a strict character set also throws out honest names like O’Brien or Jean-Luc. The fix for that is to HTML-encode anything you write into the page (HttpUtility.HtmlEncode in ASP.NET), which turns < into &lt; so the browser shows it as text instead of running it. Validate on the way in, encode on the way out; the second half is what actually stops the script from executing.

Try this the next time you want to check up on Lumpy:

private void Page_Load(object sender, System.EventArgs e)
{
    // Only greet when an fName was actually supplied.
    if (Request.QueryString["fName"] != null)
    {
        // checkValueQS returns true for bad input, so false means it passed.
        if (checkValueQS(Request.QueryString["fName"].ToString()) == false)
        {
            Response.Write("Hello " + Request.QueryString["fName"]);
        }
        else
        {
            Response.Write("Hello... JERK!");
        }
    }
}

Notice that if the end user does try to pass anything other than a number or a letter, they get told off with a Response.Write("Hello... JERK!");
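Here is the whole Solution in one place, as an added example that is not code from the original article: the three rules above (type, length, whitelist) as a validator that mirrors the checkValueQS regex, plus the output-encoding step the page’s C# leaves out. It is Node.js standing in for the ASP.NET page; the 25-character limit and the “Hello... JERK!” reply come from the article, everything else (function names, the htmlEncode helper, the constructed test inputs such as O'Brien) is mine.

```javascript
// Added example, not from the original article. Node.js stand-in for the
// article's hardened Page_Load; names and the encoder are mine.

// Rules 1 and 3: the whitelist. Same test as the article's Regex "[^0-9a-zA-Z]":
// true means the value contains something outside digits and ASCII letters.
function hasForbiddenChars(value) {
  return /[^0-9a-zA-Z]/.test(value);
}

// Rule 2: the length the article suggests for fName.
const MAX_FNAME_LENGTH = 25;

// The validator: type, then length, then character set, reporting which rule failed.
function validateFirstName(value) {
  if (typeof value !== 'string' || value.length === 0) return { ok: false, reason: 'missing' };
  if (value.length > MAX_FNAME_LENGTH) return { ok: false, reason: 'too long' };
  if (hasForbiddenChars(value)) return { ok: false, reason: 'forbidden characters' };
  return { ok: true, value };
}

// Output encoding, the equivalent of HttpUtility.HtmlEncode. Replacing the five
// HTML-significant characters makes the browser display them as text rather
// than parse them as markup, whatever the validator let through.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// The article's Page_Load, hardened: validate first, and encode on output anyway.
function safeGreeting(requestUrl) {
  const fName = new URL(requestUrl).searchParams.get('fName');
  if (fName === null) return '';              // the original writes nothing without fName
  const result = validateFirstName(fName);
  if (!result.ok) return 'Hello... JERK!';    // the article's reply to bad input
  return 'Hello ' + htmlEncode(result.value);
}

// A friendlier variant for when the whitelist is too strict for real names:
// keep the length rule, drop the character whitelist, and rely on encoding.
function encodedGreeting(requestUrl) {
  const fName = new URL(requestUrl).searchParams.get('fName') || '';
  return 'Hello ' + htmlEncode(fName.slice(0, MAX_FNAME_LENGTH));
}

const BASE = 'http://whatzit.com/whatthe/WebForm1.aspx'; // from the article
// Constructed inputs for the demo: a short script payload and a name the whitelist rejects.
const SHORT_PAYLOAD = '<script>alert(1)</script>';
const IRISH_NAME = "O'Brien";

console.log(safeGreeting(BASE + '?fName=Lumpy'));
console.log(safeGreeting(BASE + '?fName=' + encodeURIComponent(SHORT_PAYLOAD)));
console.log(safeGreeting(BASE + '?fName=' + encodeURIComponent(IRISH_NAME)));
console.log(encodedGreeting(BASE + '?fName=' + encodeURIComponent(IRISH_NAME)));
console.log(encodedGreeting(BASE + '?fName=' + encodeURIComponent(SHORT_PAYLOAD)));
```

The last two lines are the ones to compare: with encoding alone, O'Brien renders as a readable name and the script payload renders as harmless text, with no script element anywhere in the response. The whitelist is still worth keeping where the data really is alphanumeric; encoding is what you keep everywhere.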

Be careful of Cross Site Scripting. It’s a serious problem that can be dealt with easily: validate what comes in, encode what goes out. And remember, when it comes to user input, you can never be too paranoid… even if they are watching you.
