Paranoia: Cross Site Scripting
They’re watching you, you know that? They’ve been scoping you out for quite some time, looking at ways to screw with you and your site.
All right, you think your code is secure, eh? Got the latest handy-dandy encryption on your stuff, and you’re all up to snuff on your patches and service packs. But you know what? You’re making a critical blunder on your site, and you might not even know it.
If you’re taking information passed in on a querystring and then you Response.Write it out on the page, uh-oh brother, you’ve got problems… You’re ripe for the picking with Cross Site Scripting. Unless you already know where I’m going with this, read on.
Say you’re passing a user’s first name around from one page to another and then displaying that querystring value on the page with a Response.Write, you’re setting yourself up for disaster! Look at this innocent querystring:
You’re trying to make poor Lumpy’s user experience a little brighter, so you’re being nice and executing the following code:
Response.Write("Hello " + Request.QueryString["fName"]);
When you run this code you get the following output:
Here’s a look at the querystring that would produce the “Hello Lumpy” output:
Guess what? If you paste this into your URL, the browser will popup a nice little box telling you “beotch” …er, whatever that means!
Check out this URL…
Pretty bad, eh? Imagine someone sends around your URL and the next thing the end user knows, they’re face to face with a bizarre picture depicting various unmentionables and bids for online casinos… You get the idea. Something you don’t want your Grandma to see when she’s expecting pictures of little Johnny…
So, how do you prevent Cross Site Scripting? Heh heh, I thought you’d never ask!
First off, let’s get a couple of things straight — be smart, not stupid. Follow these simple rules:
- If you’re expecting a particular type of data, check to ensure that it is what you’re expecting.
- Check the length — if you expect a fName of only 25 characters, chop extra characters off and drop ’em. Don’t give evil Eddie any sort of chance to do a lot of damage.
- Look for invalid characters, like > or the ubiquitous ;. Don’t just take whatever you get from the querystring; question all your input. Trust no one. Really.
Ok, here’s a smidgen of code — obviously, you’ll want to flesh this out to fit your particular site:
using System.Text.RegularExpressions;

private bool checkValueQS(string QS)
{
    // Match any character that is NOT a digit or an ASCII letter.
    Regex r = new Regex("[^0-9a-zA-Z]");
    // Find a single match in the string; no match means the value is clean.
    Match m = r.Match(QS);
    return !m.Success;
}
This isn’t Rocket Science — it’s pretty easy in concept. All I’m doing is looking for anything that is NOT one of the numbers 0-9 or the letters a-z and A-Z; if such a character turns up, the value is forbidden. You can then redirect your malicious end user who was trying to pass in the ’ol script tags.
Try this the next time you want to check up on Lumpy:
private void Page_Load(object sender, System.EventArgs e)
{
    string fName = Request.QueryString["fName"];
    if (fName == null) return;
    if (checkValueQS(fName) == false)
        return; // invalid input: reject it here rather than echoing it back
    Response.Write("Hello " + fName);
}
Notice that if the end user does try to pass anything other than a number or an alpha, they get told off with a
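To see all three rules (expected type, length cap of 25, alphanumeric whitelist) working together without a web server, here is a stand-alone console version. This is an added example, not code from the original post; the class and method names (QueryStringCheck, Greeting, IsAlphanumeric), the MaxNameLength constant and the sample inputs are assumptions made for illustration.

```csharp
// Added example (not from the original post): the post's querystring checks as a
// console program. Names below are assumptions; the 25-character limit is the post's.
using System;
using System.Text.RegularExpressions;

class QueryStringCheck
{
    // Rule 2 from the post: a first name is never longer than 25 characters.
    const int MaxNameLength = 25;

    // Rule 3: anything that is not a digit or an ASCII letter is forbidden.
    static readonly Regex Forbidden = new Regex("[^0-9a-zA-Z]", RegexOptions.Compiled);

    // True only when the value contains nothing outside [0-9a-zA-Z].
    static bool IsAlphanumeric(string value)
    {
        return !Forbidden.IsMatch(value);
    }

    // Builds the greeting the post's Page_Load writes, or null when the input is rejected.
    // Rule 1: a missing or empty value is not the string we expect, so it is rejected.
    // Rule 2: extra characters are chopped off, as the post suggests, before checking.
    static string Greeting(string fName)
    {
        if (string.IsNullOrEmpty(fName)) return null;
        if (fName.Length > MaxNameLength)
            fName = fName.Substring(0, MaxNameLength);
        if (!IsAlphanumeric(fName)) return null;
        return "Hello " + fName;
    }

    static void Main()
    {
        // Constructed sample values: a clean name, two with forbidden characters
        // of the kind the post warns about, and one that is over the length limit.
        string[] samples = { "Lumpy", "Lumpy<script>", "Lumpy;", new string('L', 30) };
        foreach (string s in samples)
        {
            string g = Greeting(s);
            Console.WriteLine("{0,-32} -> {1}", s, g ?? "REJECTED");
        }
    }
}
```

Rejected values never reach Response.Write, which is the whole point: the page only ever echoes a string that has already passed the whitelist. If a field genuinely has to accept characters outside [0-9a-zA-Z], encode it on the way out (System.Net.WebUtility.HtmlEncode) rather than widening the whitelist.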
Be careful of Cross Site Scripting. It’s a serious problem that can be dealt with easily. And remember, when it comes to user input, you can never be too paranoid… even if they are watching you.