Tiberius OsBurnTiberius OsBurn

Paranoia: Cross Site Scripting

ASP.NETProgramming

Share this article

They’re watching you, you know that? They’ve been scoping you out for quite some time, looking at ways to screw with you and your site.

All right, you think your code is secure, eh? Got the latest handy-dandy encryption on your stuff, and you’re all up to snuff on your patches and service packs. But you know what? You’re making a critical blunder on your site, and you might not even know it.

The Problem

If you’re taking information passed in on a querystring and then you Response.Write it out on the page, uh-oh brother, you’ve got problems… You’re ripe for the picking with Cross Site Scripting. Unless you already know where I’m going with this, read on.

Say you’re passing a user’s first name around from one page to another and then are displaying that querystring value on the page with a Response.Write, you’re setting yourself up for disaster! Look at this innocent querystring: 

http://whatzit.com/whatthe/WebForm1.aspx?fName=Lumpy

You’re trying to make poor Lumpy’s user experience a little brighter, so you’re being nice and executing the following code: 

Response.Write(\"Hello \" + Request.QueryString(\"fName\"));

When you run this code you get the following output: 

Hello Lumpy

Here’s a look at the querystring that would produce the “Hello Lumpy” output: 

http://whatzit.com/whatthe/WebForm1.aspx?fName=Lumpy

But if I were the evil Eddie, I’d sneak a little bit of JavaScript in on you when you weren’t looking! 

http://whatzit.com/whatthe/WebForm1.aspx?fName= <script language='javascript'>alert("beotch");</script>

Guess what? If you paste this into your URL, the browser will popup a nice little box telling you “beotch” …er, whatever that means!

How in the world did this happen? Oh my! Any code you execute in JavaScript can be piped into your site using the Cross Site Scripting vulnerability.

Check out this URL… 

http://whatzit.com/whatthe/WebForm1.aspx?fName=<script language='javascript'>window.navigate('http://mrPron');</script>

Ok, yeah. Now it’s getting scary… ‘But,’ you’re thinking, ‘So what? I mean, who cares if I can paste in JavaScript onto someone’s site..?’ Well, wait a minute. Check out this next line… It’ll make you think. 

<a href="http:// whatzit.com/whatthe/WebForm1.aspx?fName=<script language='javascript'>window.navigate('http://mrPron');</script>">Mole Hair Removal</a>

I send someone a seemingly valid link to a URL, and in fact, maybe they do make it to the site, but they also get something else… the nasty little JavaScript I’ve embedded in the link.

Pretty bad, eh? Imagine someone sends around your URL and the next thing the end user knows, they’re face to face with a bizarre picture depicting various unmentionables and bids for online casinos… You get the idea. Something you don’t want your Grandma to see when she’s expecting pictures of little Johnny…

So, how do you prevent Cross Site Scripting? Heh heh, I thought you’d never ask!

The Solution

First off, let’s get a couple of things straight — be smart, not stupid. Follow these simple rules:

  1. If you’re expecting a particular type of data, check to ensure that it is what you’re expecting.
  • Check the length — if you expect a fName of only 25 characters, chop extra characters off and drop ’em. Don’t give evil Eddie any sort of chance to do a lot of damage.
  • Look for non-valid characters -– like < or > or the ubiquitous ;. Don’t just take whatever you get from the querystring; question all your input. Trust no one. Really.

    • Ok, here’s a smidget of code — obviously, you’ll want to flesh this out to fit your particular site:

    private bool checkValueQS(string QS) 
    
{ 
    
 
    
Regex r = new Regex("[^0-9a-zA-Z]"); 
    
 
    
// Find a single match in the string. 
    
 
    
Match m = r.Match(QS);  
    
 
    
if (m.Success)  
    
 
    
{ 
    
 
    
   return true; 
    
 
    
} 
    
 
    
return false; 
    
 
    
}

    This isn’t Rocket Science — it’s pretty easy in concept. All I’m doing is trying a NOT match against the numbers 0-9 and valid letters a-z and A-Z. Anything else is forbidden. You can then redirect your malicious end user who was trying to pass in the ‘ol script tags.

    Try this the next time you want to check up on Lumpy:

    private void Page_Load(object sender, System.EventArgs e) 
    
 
    
{ 
    
 
    
if (Request.QueryString["fName"] != null) 
    
 
    
{                 
    
 
    
if (checkValueQS(Request.QueryString["fName"].ToString()) == false) 
    
 
    
  { 
    
 
    
   Response.Write("Hello " + Request.QueryString["fName"]); 
    
 
    
   } 
    
 
    
   else 
    
 
    
   { 
    
 
    
   Response.Write("Hello... JERK!"); 
    
 
    
    } 
    
 
    
} 
    
 
    
}

    Notice that if the end user does try to pass anything other than a number or an alpha, they get told off with a Response.Write("Hello... JERK");

    Be careful of Cross Site Scripting. It’s a serious problem that can be dealt with easily. And remember, when it comes to user input, you can never be too paranoid… even if they are watching you.

    Tiberius OsBurnTiberius OsBurn
    View Author

    Tiberius is a .NET evangelist and author of many articles dealing with .NET in the 'real world'. Mr. OsBurn's Website can be found at https://tiberi.us

    Share this article
    SitePoint Premium
    Read Next
    Get the freshest news and resources for developers, designers and digital creators in your inbox each week
    Loading form
    SitePointStart Free Trial
    Stuff we do
    PremiumNewslettersLearning pathsLibraryForums
    Contact
    Contact usFAQPublish your book with usWrite an article with usAdvertise
    About
    Our storyCorporate membershipsTerms of usePrivacy policy
    Connect
    RSSFacebookInstagramTwitter (X)
    This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
    © 2000 – 2024 SitePoint Pty. Ltd.