SitePoint Forums > Program Your Site > .NET
Old Aug 29, 2003, 17:23   #1
ArticleBot
SitePoint Articles
Join Date: Apr 2001
Posts: 0
Discussion thread for Paranoia: Cross Site Scripting

This is a dedicated thread for discussing the SitePoint article 'Paranoia: Cross Site Scripting'
Old Aug 29, 2003, 23:33   #2
mmj
Test cases complete. 0 fails.
Join Date: Feb 2001
Location: Melbourne Australia
Posts: 6,721
An informative article. I see it as a rather long-winded way of saying "always validate your input".

Cross site scripting is a relatively harmless side-effect of not validating your input. Other side effects can be much worse. I'm referring to situations where you are using an input variable as part of a database query, or you are evaluating a string.

In my scripts (I use PHP), I use a function I created called load_var() to fetch variables from input variables, and validate them at the same time. For example, load_var('name', 'REQUEST', 'title') loads the variable 'name' from the request fields, and validates it against a pattern I have called 'title'. The 'title' pattern includes all letters, digits, spaces, and a few punctuation marks. If the variable contains any other digits, my function returns false. I have patterns for int, yesno, float, and so on. One pattern is called string, and it can include any data at all.

I think it's good practice to create a function like this. If you change your pattern matching requirements, for example, if you want to start allowing underscores in names, you only have to modify the validation code in one place.
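As an added example of the load_var() approach mmj describes above (this is not mmj's own code), a PHP helper that fetches a request variable and validates it against a named whitelist pattern in one step; the pattern names come from the post, but their exact rules and the optional `$override` parameter used for the stand-alone run are assumptions:

```php
<?php
// Named whitelist patterns. Rules are assumptions based on the post's description;
// \A and \z anchor the whole value so a trailing newline cannot slip past a $ anchor.
const INPUT_PATTERNS = [
    'title'  => '/\A[A-Za-z0-9 .,\'\-!?]{1,100}\z/',  // letters, digits, spaces, a few punctuation marks
    'int'    => '/\A-?[0-9]{1,10}\z/',
    'float'  => '/\A-?[0-9]+(\.[0-9]+)?\z/',
    'yesno'  => '/\A(yes|no)\z/i',
    'string' => '/\A[\s\S]*\z/',                       // any data at all; still needs escaping on output
];

/**
 * Fetch $name from the given source ('GET', 'POST', 'COOKIE' or 'REQUEST') and
 * validate it against the named pattern. Returns false when the variable is
 * missing, is not a scalar, or does not match. $override (assumed, for testing)
 * supplies an array to read from instead of the PHP superglobals.
 */
function load_var(string $name, string $source, string $pattern, ?array $override = null)
{
    $sources = [
        'GET' => $_GET, 'POST' => $_POST, 'COOKIE' => $_COOKIE, 'REQUEST' => $_REQUEST,
    ];
    $vars = $override ?? ($sources[$source] ?? null);
    if ($vars === null || !isset(INPUT_PATTERNS[$pattern])) {
        return false;  // unknown source or pattern name: fail closed
    }
    if (!array_key_exists($name, $vars) || !is_scalar($vars[$name])) {
        return false;  // missing, or an array where a scalar was expected (e.g. ?name[]=x)
    }
    $value = (string) $vars[$name];
    if (preg_match(INPUT_PATTERNS[$pattern], $value) !== 1) {
        return false;  // validation failure, so the caller never sees the bad value
    }
    return $value;
}

// Constructed request data for a stand-alone run (not real input):
$request = ['name' => 'Alice Smith', 'age' => '42', 'bio' => '<b>hi</b>', 'opt' => 'Yes'];
var_dump(load_var('name', 'REQUEST', 'title', $request)); // string "Alice Smith"
var_dump(load_var('age',  'REQUEST', 'int',   $request)); // string "42"
var_dump(load_var('bio',  'REQUEST', 'title', $request)); // false: '<' and '>' are not whitelisted
var_dump(load_var('opt',  'REQUEST', 'yesno', $request)); // string "Yes"
var_dump(load_var('nope', 'REQUEST', 'int',   $request)); // false: variable missing
```

Because every caller goes through the same pattern table, loosening a rule (for example, allowing underscores in 'title') is a one-line change, as the post points out.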
Old Aug 30, 2003, 09:34   #3
archigamer
.NET inside
Join Date: Jan 2002
Location: Strongsville OH
Posts: 1,588
If you are using ASP.NET properly (like not using Response.Write), you do not have to worry about this as much.

ASP.NET helps safeguard against this. One example can be seen in this thread:

http://www.sitepointforums.com/showt...hreadid=125914
Old Dec 17, 2003, 16:01   #4
cejua
SitePoint Enthusiast
 
Join Date: Nov 2003
Location: US
Posts: 33
Quote:
Originally Posted by archigamer
If you are using ASP.NET properly (like not using Response.Write), you do not have to worry about this as much.

ASP.NET helps safeguard against this. One example can be seen in this thread:

http://www.sitepointforums.com/showt...hreadid=125914
Yes, I think by default ASP.NET will not allow suspect stuff like opening and closing script tags (< ... >) in the address bar or submitted input fields, which is a very good thing to have.

Also, if you stick to using stored procedures and passing data via parameters, and execute permissions are only given to the sprocs, then the potential for cross scripting is reduced.

This article on MSDN is pretty good. Framework 1.0 doesn't have ValidateRequest=true (it was introduced in 1.1) but you can implement it yourself if need be:
http://msdn.microsoft.com/asp.net/de...protection.asp

Last edited by cejua; Dec 22, 2003 at 04:45.