Preventing Javascript Encoding XSS attacks in ASP.NET MVC - Jon Galloway


I just posted about cross-site scripting, or XSS attacks, in ASP.NET - take a quick look at that post for some background on XSS attacks. I wanted to take a deeper look at Javascript Encoding XSS attacks. They're a particularly tricky form of XSS, since a Javascript-encoded payload contains no HTML-special characters: it is valid HTML as-is and passes unchanged through the default HTML encoding. Here's an example - let's assume we want to add a special welcome message to our home page if a UserName parameter is present, so we can send out personalized links to the site in an e-mail promotion. We start by modifying the HomeController / Index method:

public ActionResult Index(string UserName)
{
    ViewBag.UserName = UserName;
    return View();
}

Then we add this information to the home index view, using Javascript so that we can make sure our users notice it:

Warning: Do not use this code - it's got an XSS vulnerability.

@{
    ViewBag.Title = "Home Page";
}
<h2 id="welcome-message">Welcome to our website</h2>

@if(!string.IsNullOrWhiteSpace(ViewBag.UserName)) {
<script type="text/javascript">
    $(function () {
        var message = 'Welcome, @ViewBag.UserName!';
        $("#welcome-message").html(message).hide().show('slow');
    });
</script>
}

Sadly, we've just exposed our end users to an XSS vulnerability. Nonsense, you say! We tested that with the following url: http://localhost:58570/?UserName=<script>alert('pwnd')</script>

As you can see, ASP.NET request validation detected it and rejected the request:

[Screenshot: request validation error page]

But since this value is being rendered inside a Javascript string literal, it's vulnerable to Javascript encoding: the dangerous characters are written as Javascript escape sequences such as \x3c, which contain nothing the ASP.NET encoder objects to, yet the browser turns them back into < and > when it parses the script. Try this url: http://localhost:58570/?UserName=Jon\x3cscript\x3e%20alert(\x27pwnd\x27)%20\x3c/script\x3e

[Screenshot: result of the Javascript-encoded payload]

Note: Remember that we're using an alert here for demonstration purposes, but a real XSS attack will do something more sinister, designed so end users will never notice.

Fixing the Javascript encoding XSS vulnerability

There are two ways to handle this. The simplest is to use the @Ajax.JavaScriptStringEncode helper function, like this:

@{
    ViewBag.Title = "Home Page";
}
<h2 id="welcome-message">Welcome to our website</h2>

@if(!string.IsNullOrWhiteSpace(ViewBag.UserName)) {
<script type="text/javascript">
    $(function () {
        var message = 'Welcome, @Ajax.JavaScriptStringEncode(ViewBag.UserName)!';
        $("#welcome-message").html(message).hide().show('slow');
    });
</script>
}

If we've included the AntiXSS library in our project, we can bring in the namespace with a @using Microsoft.Security.Application statement and call into the AntiXSS library's Encoder.JavaScriptEncode function, which follows a whitelist approach (every character not on its allow-list is escaped) to screen out alternate encodings and character sets.

@using Microsoft.Security.Application

@{
    ViewBag.Title = "Home Page";
}
<h2 id="welcome-message">Welcome to our website</h2>

@if(!string.IsNullOrWhiteSpace(ViewBag.UserName)) {
<script type="text/javascript">
    $(function () {
        var message = 'Welcome, @Encoder.JavaScriptEncode(ViewBag.UserName, false)!';
        $("#welcome-message").html(message).hide().show('slow');
    });
</script>
}

Note: By default, the AntiXSS JavaScriptEncode function wraps the value in single quotes. With AntiXSS 4.1, there's an optional second parameter which allows turning that behavior off by passing in false, as shown above.

With either of the two encoders above in place, the Javascript-encoded XSS injection is neutralized and the value is rendered as plain text:

[Screenshot: the encoded UserName value displayed harmlessly in the welcome message]
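The two views above encode the same value in two ways; as an added example that is not from the post, here is a small JavaScript model of why the \x3c payload from the second URL gets through HTML encoding and how Javascript string encoding neutralizes it. jsStringEncode is an illustrative allow-list encoder written for this example (not the .NET helper), and renderedMessage evaluates the generated string literal the way the browser's script parser would.

```javascript
// Added example (not from the original post): why a Javascript-encoded payload
// slips past HTML encoding, and how Javascript string encoding stops it.
// jsStringEncode is our own illustrative encoder, not the .NET helper.

// Constructed input: the UserName value from the post's second URL after the
// %20 sequences have been URL-decoded to spaces. It contains no literal
// '<', '>' or quote characters, so HTML encoding leaves it untouched.
const USER_NAME = "Jon\\x3cscript\\x3e alert(\\x27pwnd\\x27) \\x3c/script\\x3e";

// Minimal HTML encoder of the kind Razor applies to @-expressions.
function htmlEncode(s) {
  return s.replace(/[&<>"']/g, c =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Encode a value for placement inside a quoted JS string literal: every
// character outside a conservative allow-list becomes \uXXXX, so the
// backslash that starts an attacker's \x3c is itself escaped.
function jsStringEncode(s) {
  return s.replace(/[^A-Za-z0-9 ,.\-_]/g, c =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Simulate the browser parsing the generated script: the value lands inside
// 'Welcome, ...!' and the literal is evaluated exactly as a JS engine would.
function renderedMessage(encodedValue) {
  const literal = "'Welcome, " + encodedValue + "!'";
  return new Function("return " + literal)();
}

// HTML encoding alone: the escapes survive and decode into real tags.
function vulnerableMessage() { return renderedMessage(htmlEncode(USER_NAME)); }

// Javascript string encoding: the browser sees the attacker's text verbatim.
function safeMessage() { return renderedMessage(jsStringEncode(USER_NAME)); }

function containsScriptTag(s) { return /<script>/i.test(s); }
```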

Published Thursday, April 28, 2011 11:30 AM by Jon Galloway

Comments

# re: Preventing Javascript Encoding XSS attacks in ASP.NET MVC

thanks for sharing

Friday, April 29, 2011 3:06 PM by westham

# re: Preventing Javascript Encoding XSS attacks in ASP.NET MVC

Jon\x3cscript\x3e%20alert(\x27pwnd\x27)%20\x3c/script\x3e

Friday, April 29, 2011 5:16 PM by kkarasinski

# re: Preventing Javascript Encoding XSS attacks in ASP.NET MVC

@kkrasinski You had to try it, didn't you. ;-)

Friday, April 29, 2011 6:02 PM by Jon Galloway

# re: Preventing Javascript Encoding XSS attacks in ASP.NET MVC

AntiXSS library is nice, but average application wanna accept things like ? and maybe other characters. Not having //00xx in the middle of the screen. And string.replace feels wrong, the weakest link rule kinda applies on this matter.

So how do you fix this?

Wednesday, June 20, 2012 7:15 AM by bash

# re: Preventing Javascript Encoding XSS attacks in ASP.NET MVC

Hi there, I read your blogs on a regular basis. Your humoristic style is witty, keep up the good work!

Thursday, February 21, 2013 3:25 AM by Decker

# re: Preventing Javascript Encoding XSS attacks in ASP.NET MVC

In fact no matter if someone doesn't understand then its up to other visitors that they will assist, so here it happens.

Tuesday, March 12, 2013 3:09 PM by Howell

# re: Preventing Javascript Encoding XSS attacks in ASP.NET MVC

The write-up offers established beneficial to myself.

It’s really educational and you're simply certainly quite experienced in this region. You possess exposed my own eye for you to different opinion of this specific matter using interesting and reliable content.

Monday, March 18, 2013 12:50 AM by Nathan

# re: Preventing Javascript Encoding XSS attacks in ASP.NET MVC

Wonderful article! That is the type of info that are supposed to be shared across the internet.

Shame on the search engines for no longer positioning this submit upper!

Come on over and discuss with my site . Thanks =)

Monday, April 15, 2013 9:45 PM by Hobson

# re: Preventing Javascript Encoding XSS attacks in ASP.NET MVC

Hi I am so glad I found your website, I really found you by error, while I was researching on Yahoo for something else, Regardless I am here now and would just like to say cheers for a tremendous post and a all round thrilling blog (I also love the theme/design), I don’t have time to read it all at the minute but I have book-marked it and also added in your RSS feeds, so when I have time I will be back to read a lot more, Please do keep up the excellent job.

Friday, April 19, 2013 8:18 PM by Hayes

# re: Preventing Javascript Encoding XSS attacks in ASP.NET MVC

May I simply say what a relief to discover somebody who truly understands what they're talking about over the internet. You definitely understand how to bring a problem to light and make it important. More and more people have to read this and understand this side of your story. I was surprised that you aren't more popular since you certainly have the gift.

Saturday, April 20, 2013 12:40 PM by Bullard

# re: Preventing Javascript Encoding XSS attacks in ASP.NET MVC

Having read this I believed it was very informative. I appreciate you finding the time and energy to put this content together. I once again find myself spending a significant amount of time both reading and commenting. But so what, it was still worth it!

Saturday, May 11, 2013 8:45 PM by Potter

# re: Preventing Javascript Encoding XSS attacks in ASP.NET MVC

This article is really a fastidious one it helps new web users, who are wishing for blogging.

Friday, May 24, 2013 9:17 AM by Pickett