Cross-Site Scripting Protection
This is an article about cross-site scripting protection from MSDN
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaspp/html/scriptingprotection.asp
Adding Cross-Site Scripting Protection to ASP.NET 1.0
Scott Hanselman, Chief Architect, Corillian Corporation
November 2003
Summary: ASP.NET 1.1 added the ValidateRequest attribute to protect your site from cross-site scripting. What do you do, however, if your Web site is still running ASP.NET 1.0? Scott Hanselman shows how you can add similar functionality to your ASP.NET 1.0 Web sites. (12 printed pages)
Contents
The Problem
C#-Eye for the IL Guy
HttpModule
Programmer Intent
Installation and Configuration
The Results
Conclusion
The Problem
I've got a customer that has deployed a site on Microsoft® ASP.NET and the Microsoft® .NET Framework 1.0. It's a large site, and they are a large customer, and as a large customer they tend to move, well, slow. We were in the middle of a large deployment when ASP.NET/Framework 1.1 came out. The team felt that it was too risky to move everything over to ASP.NET/Framework 1.1 so close to the finish line. So we decided to move to ASP.NET/Framework 1.1 later in the year. However, since we build complex e-banking Web sites that cross many lines of business and deal with folks' money, security is job #1 (or job #0 if you're zero based). The client has a requirement that we deal with cross-site scripting (often called "XSS") attacks aggressively.
XSS is a particularly sinister kind of hacking, where an l33t hx0r (elite hacker) or a "script kiddie" tries to retrieve personal information or fool a site into doing something it shouldn't do by entering JavaScript into a Web Form, or by encoding the script into a parameter in the URL. A simple example is a Web Form that has a single text box and a single button. The user enters their name into the text box and submits the form. The page then prints out "Hello firstname" by string concatenation, String.Format, a Response.Write or through a server-side label.
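The "Hello firstname" page described above, written out as an added example (this is not code from the MSDN article): a minimal ASP.NET 1.x code-behind that shows the raw-concatenation rendering that is vulnerable to reflected XSS next to the HTML-encoded version, plus a small input check that approximates the kind of markup test the article goes on to build. The class and control names (HelloPage, NameBox, Greeting, SubmitButton) and the LooksLikeMarkup heuristic are assumptions made for illustration, not the article's own names or logic.

```csharp
// Added example, not from the MSDN article. Assumes an .aspx page with a
// TextBox "NameBox", a Label "Greeting" and a Button "SubmitButton".
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public class HelloPage : Page
{
    protected TextBox NameBox;
    protected Label Greeting;
    protected Button SubmitButton;

    protected override void OnInit(EventArgs e)
    {
        SubmitButton.Click += new EventHandler(SubmitButton_Click);
        base.OnInit(e);
    }

    // Simplified approximation (an assumption, not the ASP.NET 1.1 rule) of a
    // request-validation style check: reject input that looks like an HTML tag
    // or an HTML entity, i.e. "<" followed by a letter, "/" or "!", or "&#".
    public static bool LooksLikeMarkup(string s)
    {
        if (s == null) return false;
        for (int i = 0; i < s.Length - 1; i++)
        {
            char c = s[i];
            char next = s[i + 1];
            if (c == '<' && (Char.IsLetter(next) || next == '/' || next == '!'))
                return true;
            if (c == '&' && next == '#')
                return true;
        }
        return false;
    }

    private void SubmitButton_Click(object sender, EventArgs e)
    {
        string name = NameBox.Text;

        // VULNERABLE: raw concatenation. Whatever the user typed, including a
        // <script> element, is sent to the browser unchanged and executed in
        // this site's origin. Kept here only to show what the fix replaces.
        // Response.Write("Hello " + name);

        // Defence in depth: refuse obvious markup up front, the way
        // ValidateRequest does in 1.1, so the page fails closed.
        if (LooksLikeMarkup(name))
        {
            Greeting.Text = "A potentially dangerous value was submitted.";
            return;
        }

        // HARDENED: HTML-encode before output, so "<" becomes "&lt;" and the
        // browser displays the text instead of interpreting it. Encoding at the
        // output is the primary control; the check above is a second layer.
        Greeting.Text = "Hello " + HttpUtility.HtmlEncode(name);
    }
}
```

The important ordering is that output encoding remains in place even when the input check is present: the check only catches the obvious shapes of markup, while HtmlEncode makes the output safe regardless of what reached the server.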