Preventing Javascript Encoding XSS attacks in ASP.NET MVC

Thursday, April 28, 2011

I just posted about cross-site scripting, or XSS attacks, in ASP.NET - take a quick look at that post for some background on XSS attacks. I wanted to take a deeper look at Javascript Encoding XSS attacks. They're a particularly tricky form of XSS, since Javascript encoded values are valid HTML and will pass through default HTML encoding. Here's an example - let's assume we want to add a special welcome message to our home page if a UserName parameter is present so we can send out personalized links to the site in an e-mail promotion. We start by modifying the HomeController / Index method:

public ActionResult Index(string UserName)
{
    ViewBag.UserName = UserName;
    return View();
}

Then we add this information to the home index view, using Javascript so that we can make sure our users notice it:

Warning: Do not use this code - it's got an XSS vulnerability.

@{
    ViewBag.Title = "Home Page";
}
<h2 id="welcome-message">Welcome to our website</h2>

@if(!string.IsNullOrWhiteSpace(ViewBag.UserName)) {
<script type="text/javascript">
    $(function () {
        var message = 'Welcome, @ViewBag.UserName!';
        $("#welcome-message").html(message).hide().show('slow');
    });
</script>
}

Sadly, we've just exposed our end users to an XSS vulnerability. Nonsense, you say! We tested that with the following url: http://localhost:58570/?UserName=<script>alert('pwnd')</script>

As you can see, it was detected by request validation:

But since this value is being rendered via Javascript, it's vulnerable to Javascript encoding, which won't be picked up by the ASP.NET encoder. Try this url: http://localhost:58570/?UserName=Jon\x3cscript\x3e%20alert(\x27pwnd\x27)%20\x3c/script\x3e

Note: Remember that we're using an alert here for demonstration purposes, but a real XSS attack will do something more sinister, designed so end users will never notice.

Fixing the Javascript encoding XSS vulnerability

There are two ways to handle this. The simplest is to use the @Ajax.JavaScriptStringEncode helper function, like this:

@{
    ViewBag.Title = "Home Page";
}
<h2 id="welcome-message">Welcome to our website</h2>

@if(!string.IsNullOrWhiteSpace(ViewBag.UserName)) {
<script type="text/javascript">
    $(function () {
        var message = 'Welcome, @Ajax.JavaScriptStringEncode(ViewBag.UserName)!';
        $("#welcome-message").html(message).hide().show('slow');
    });
</script>
}

If we've included the AntiXSS library in our project, we can bring in the namespace with a @using Microsoft.Security.Application statement and call into the AntiXSS library's JavaScriptStringEncode function, which follows a whitelist approach to screen out alternate encodings and character sets.

@using Microsoft.Security.Application

@{
    ViewBag.Title = "Home Page";
}
<h2 id="welcome-message">Welcome to our website</h2>

@if(!string.IsNullOrWhiteSpace(ViewBag.UserName)) {
<script type="text/javascript">
    $(function () {
        var message = 'Welcome, @Encoder.JavaScriptEncode(ViewBag.UserName, false)!';
        $("#welcome-message").html(message).hide().show('slow');
    });
</script>
}

Note: By default, the AntiXSS JavaScriptEncode function wraps the value in single quotes. With AntiXSS 4.1, there's an optional second parameter which allows turning that behavior off by passing in false, as shown above.

With either of the above two checks in place, the Javascript XSS injection is caught:

26 Comments

thanks for shareing

westham - Friday, April 29, 2011 12:06:03 PM

Jon\x3cscript\x3e%20alert(\x27pwnd\x27)%20\x3c/script\x3e

fg - Friday, April 29, 2011 2:16:45 PM

@kkrasinski You had to try it, didn't you. ;-)

Jon Galloway - Friday, April 29, 2011 3:02:25 PM

AntiXSS library is nice, but average application wanna accept things like ? and maybe other characters. Not having //00xx in the middle of
the screen. And string.replace feels wrong, the weakest link rule kinda applies on this matter.

So how do you fix this?

bash - Wednesday, June 20, 2012 4:15:36 AM

Hello to every body, itÂ’s my first pay a visit of
this web site; this website carries amazing and genuinely
fine information in favor of visitors.
Around the globe, Online surfers seek ways to remain confidential
to the Web pages many people go to. Those same users are already looking for
strategies to access to well-liked Sites which can be clogged by overall sets of customers.
Individuals have got used the anonymizer and also Website proxies companies to live secret or get
at on the net TV, Xbox live Reside, Hulu, along with
key information internet sites from around the globe.

The favored Ruskies anonymizer vendor HideME.
ru provides as a final point developed a good Uk Internet site
with regard to their products and services referred
to as InCloak.internet. Â“Our providers allow for people to modify his or her
real Ip to some presented mysterious Ip address that
permits these to surf the Web safely and securely devoid of making a brief history along with obtain 100-percent access
to in the past obstructed Sites,Â” claimed a strong InCloak.

net consultant.

The actual InCloak.world wide web anonymizer makes it possible for the person to create a hosting server nation
with origin, pick virtually any obtainable IP address, filtration system malevolent
pieces of software, lower ad banners and include favorite and sometimes went to Web sites towards
programÂ’s alexa toolbar. Although the anonymizer works for a special preferred method, the
vendor supplies a electronic Non-public Circle (VPN) known
as OpenVPN. The VPN customer assistance presents greatest anonymity as well
as to safeguard all of programs that will use the Online through the
subscriberÂ’s computer system. Â“The major VPN edge on every proxy as well as anonymizer is
definitely the method it offers privacy plus
to safeguard the complete personal computer immediately,Â” said the
expert.

InCloak.internet provides Web page instruments such as World-wide-web proxies, proxy listing, Checker and even more
for as few as $0.2005 on a daily basis or even VPN access
at as low as $0.11 per day by using one-year dues.

Further blueprints include each day, month-to-month as
well as two-year subscriptions. Your advanced access system
gives total accessibility anonymizer (and also VPN,
if the value is usually bought with this alternative) with out restrictions
with use. A number of more features are also provided.

Stanfield - Wednesday, October 24, 2012 12:56:41 PM

performers for individuals ambitions not caring to tbeneficiaries

Gallagher - Tuesday, November 27, 2012 7:07:54 AM

Hi there, I read your blogs on a regular basis.
Your humoristic style is witty, keep up the
good work!

Decker - Thursday, February 21, 2013 12:25:54 AM

In fact no matter if someone doesn't understand then its up to other visitors that they will assist, so here it happens.

Howell - Tuesday, March 12, 2013 12:09:31 PM

The write-up offers established beneficial to myself.
It’s really educational and you're simply certainly quite experienced in this region. You possess exposed my own eye for you to different opinion of this specific matter using interesting and reliable content.

Nathan - Sunday, March 17, 2013 9:50:14 PM

Once the game is 80% complete you will need to work on the sound. they simply need to learn that you will not be able to appease everyone of your player-base. Next Jim Deacove developed a few of his own board games based on the principles of cooperation, group strategy and joint problem solving.

Jasper - Monday, April 15, 2013 2:19:28 AM

Wonderful article! That is the type of info that are supposed to be shared across the internet.

Shame on the search engines for no longer positioning this submit upper!
Come on over and discuss with my site . Thanks =)

Hobson - Monday, April 15, 2013 6:45:44 PM

Your should see something similar to the illustration above.
If you already have your Facebook fan or business page created you will need to have
25 fans or "LIKES" in order to create a custom URL. It allows you to see their picture and decide if
you should add them to your friends.

Dortch - Tuesday, April 16, 2013 3:16:18 PM

Multiplayer versions is more exciting as in this, you'll be able to team up or even contend with other participants to defeat the enemies. While having a passion for playing games is important, getting a rewarding career in game design will require students to be a cut above the competition. It can go as far as ruining their experience since it is the last interaction they have with a game.

Etheridge - Tuesday, April 16, 2013 3:27:29 PM

In most cases they are, but when it comes to updates,
patches, etc to the mmorpgs. If you don’t have much skill in programming, but
still think that creating and developing games is the most suitable for you, there are special courses that will
give you training in graphic designing, game development, and computer animation.
As ever we strive to help our customers make informed decisions and understand where their r4 cards are coming from.

Lavender - Tuesday, April 16, 2013 6:26:00 PM

Much like Safari, the Camera app, the App Store and i -
Pod, Game Center has no option to be deleted when editing your apps.
It should come as no surprise that i - Tunes is loaded full of pirate apps for i - Phone, i - Pod Touch, and i - Pad.
Are you a Kansas City Chiefs or Pittsburgh Steelers fan.

Pool - Wednesday, April 17, 2013 4:43:01 AM

Webcams can do a lot of things, such as video conferencing, virtual advertising, workplace or home surveillance, event broadcast, and
many other functions. On the bright side,
the actual functionality of the integration is perfect.

Up to five profiles can be stored on the gameboard at once and macros can be created while actually
gaming real time.

Pike - Friday, April 19, 2013 12:37:34 PM

Hi I am so glad I found your website, I really found you by error,
while I was researching on Yahoo for something else, Regardless I
am here now and would just like to say cheers for
a tremendous post and a all round thrilling blog
(I also love the theme/design), I don’t have time to read it all
at the minute but I have book-marked it and also added
in your RSS feeds, so when I have time I will be back to read a lot more, Please do keep up the excellent
jo.

Hayes - Friday, April 19, 2013 5:18:44 PM

Psychological Help, Tips and Advice, learn how to get
your Ex Boyfriend, Girlfriend, husband, wife or spouse back.
These are reaching thousands of people at a time who
recognize the self help benefits and pass them on to friends who
do the same and they become viral. Remember fall in
love poems should say the exact thing you feel without
hesitation and fear of being embarrassed, either you
write fall in love poems yourself or choose from the famous fall
in love poems.

Shuman - Friday, April 19, 2013 5:51:25 PM

May I simply say what a relief to discover somebody who truly understands what they're talking about over the internet. You definitely understand how to bring a problem to light and make it important. More and more people have to read this and understand this side of your story. I was surprised that you aren't more popular
since you certainly have the gift.

Bullard - Saturday, April 20, 2013 9:40:30 AM

How often have you bought headsets but discarded them after some time, once
they didn. Which means that you will only end up spending $47 on this unit.
Another great aspect of this remote is that it comes with a
recharging dock.

Messer - Saturday, April 20, 2013 9:58:12 AM

This has led to an explosion of new radio stations and new ways
to access existing radio stations with new facilities.
One thing about conventional radio that’s gotten quite annoying over
the years is that the networks have switched around trying to find programming so often that you don’t even know where to go for your
musical preference anymore. One of the very best reasons to include internet radio as
part of your online marketing plan is because of the search engine optimization opportunities.

Sheffield - Tuesday, April 23, 2013 1:47:11 AM

Inject some personality and colour into her eyewear with these Wayfarer sunglasses from Ray-ban. Made with impact resistant, optical precision lenses designed to be worn in moderate sunshine, these are great all year round. The recognisable branding adds a touch of classic appeal, whilst the pop of colour keeps them youthfu

bokal1@outlook.com - Thursday, May 9, 2013 6:47:29 PM

Having read this I believed it was very informative. I appreciate
you finding the time and energy to put this content
together. I once again find myself spending a significant
amount of time both reading and commenting. But so what, it was still worth it!

Potter - Saturday, May 11, 2013 5:45:55 PM

With internet radio, you get pretty much what you want, when you
want. The table top radio connects to the internet using Wi-Fi or Ethernet cable, and
searches for stations by country, genre or call letters.
Many think that having thoughts of supposed happiness that will never come
is futile and that they are only giving false hopes to those
who need them the most.

Held - Thursday, May 16, 2013 6:43:44 AM

With internet radio, you get pretty much what you want, when you
want. The table top radio connects to the internet using Wi-Fi or Ethernet cable, and
searches for stations by country, genre or call letters.
Many think that having thoughts of supposed happiness that will never come
is futile and that they are only giving false hopes to those
who need them the most.

Held - Thursday, May 16, 2013 2:00:52 PM

This article is really a fastidious one it helps new web
users, who are wishing for blogging.

Pickett - Friday, May 24, 2013 6:17:06 AM

Comments have been disabled for this content.