"Knowledge has to be improved, challenged, and increased constantly, or it vanishes."

Prevent Cross Site Scripting/HTML injection attacks with <%:

This article is about the new <%: %> syntax (the HTML-encoding code nugget) introduced in ASP.NET 4. As the title says, it helps developers avoid cross-site scripting (XSS) attacks by HTML-encoding output by default instead of relying on every developer to remember to do it.

What is Cross Site Scripting?

Most websites collect some sort of data from their users. Consider the following examples:

· Forum / community websites – allow users to submit their views and display them on the website

· News websites – allow visitors to comment on published news/articles

· Search on any website – most websites have a search function that takes user input

and many more. Any of these input mechanisms can be used by a malicious user to inject client-side script into a page. If you display the content directly on the page (assuming all your users are honest), the injected script executes in your visitors' browsers, and your website may end up showing content from other sites such as adult content, images, or forms that capture sensitive user information.

Let us look at a serious case that targets a financial institution or bank.

Consider the search page of a typical bank website that accepts the search term through a query string. The website searches its database for the term and displays the results, saying: Your search for "the word you passed in the query string" returned the following results / no results.

Here is the trick: if the search term contains script, it executes in the context of the bank's page. An attacker can craft a URL whose search parameter contains script that shows an "enter username and password" window loaded from an external site. The attacker distributes such a link in a convincing email; if a user clicks it, the page asks for username and password, and some users will enter them without realising the data is going to a remote site. Since the address bar shows the bank's domain, a typical user will not notice that the form is an iframe planted by the attacker. This is reflected XSS: the payload travels in the link itself rather than being stored on the server, so every click on the link is a fresh attack.

To read more about cross site scripting read the Wikipedia article http://en.wikipedia.org/wiki/Cross-site_scripting

For the sake of the article, assume the page has a string variable named userInput. The following code will execute JavaScript in the client browser (it is deliberately vulnerable):

string userInput="<script>alert('I am vulnerable')</script>";

Now you display the user input on the page with the following statement:

<%=userInput%>

If you run the page, the JavaScript alert appears. With a little more JavaScript it is simple to display another website here using a frame or other techniques. Performing XSS is not the subject of this article, so I will leave it there.

How to Stop Cross Site Scripting in Prior Versions

Make sure any data you write to the page is HTML encoded. Use the HtmlEncode method of the Server class (Server.HtmlEncode, which delegates to HttpUtility.HtmlEncode). One caveat a practitioner should keep in mind: HTML encoding is the right defence only where the value lands in HTML text or a quoted attribute value. A value that ends up inside a JavaScript string, an event-handler attribute or a URL needs the encoder (or validation) for that context as well, and an unquoted attribute stays injectable because HtmlEncode does not touch spaces.

<% string userInput="<script>alert('I am not vulnerable')</script>"; %>

<%= Server.HtmlEncode(userInput)%>
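The following console program is an added example, not code from the original article. It applies HttpUtility.HtmlEncode (the method Server.HtmlEncode delegates to) to the article's payload and then shows three output contexts in which HTML encoding alone does not stop the injection. All inputs are constructed; the helper names (TextContext, EventHandlerSafe, SafeHref and so on) are mine. Build it as a console application referencing System.Web.dll on .NET 4 or later.

```csharp
// Added example (not from the original article): what Server.HtmlEncode, which
// delegates to HttpUtility.HtmlEncode, does to the article's payload, and three
// output contexts where HTML encoding alone is not enough. Inputs are constructed.
// Build as a console app referencing System.Web.dll (.NET 4 or later).
using System;
using System.Web;

static class EncodingContexts
{
    // 1. HTML text context: the article's case. '<' -> &lt;  '>' -> &gt;  '\'' -> &#39;
    //    so the browser renders the tag as text instead of executing it.
    public static string TextContext(string userInput)
    {
        return "<p>Your search for " + HttpUtility.HtmlEncode(userInput) + " returned no results</p>";
    }

    // 2. Unquoted attribute: HtmlEncode leaves spaces alone, so "x onmouseover=alert(1)"
    //    still splits into two attributes. Quote every attribute value you write.
    public static string UnquotedAttribute(string userInput)
    {
        return "<input value=" + HttpUtility.HtmlEncode(userInput) + ">";      // still vulnerable
    }

    public static string QuotedAttribute(string userInput)
    {
        return "<input value=\"" + HttpUtility.HtmlEncode(userInput) + "\">";  // fixed: '"' -> &quot;
    }

    // 3. Event-handler attribute: the HTML parser decodes &#39; back to ' BEFORE the
    //    JavaScript engine sees it, so HTML encoding alone lets "'); alert(1); //"
    //    break out of the string. Encode for JavaScript first, then for HTML.
    public static string EventHandlerUnsafe(string userInput)
    {
        return "<a onclick=\"search('" + HttpUtility.HtmlEncode(userInput) + "')\">go</a>";
    }

    public static string EventHandlerSafe(string userInput)
    {
        string js = HttpUtility.JavaScriptStringEncode(userInput);   // ' -> \u0027, < -> \u003c, ...
        return "<a onclick=\"search('" + HttpUtility.HtmlEncode(js) + "')\">go</a>";
    }

    // 4. URL context: "javascript:alert(1)" contains nothing HtmlEncode touches, so it
    //    survives intact inside href. Validate the scheme instead of relying on encoding.
    public static string SafeHref(string userInput)
    {
        Uri uri;
        bool ok = Uri.TryCreate(userInput, UriKind.Absolute, out uri)
                  && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps);
        string href = ok ? uri.AbsoluteUri : "#";
        return "<a href=\"" + HttpUtility.HtmlEncode(href) + "\">link</a>";
    }

    static void Main()
    {
        Console.WriteLine(TextContext("<script>alert('I am vulnerable')</script>"));
        Console.WriteLine(UnquotedAttribute("x onmouseover=alert(1)"));
        Console.WriteLine(QuotedAttribute("x onmouseover=alert(1)"));
        Console.WriteLine(EventHandlerUnsafe("'); alert(1); //"));
        Console.WriteLine(EventHandlerSafe("'); alert(1); //"));
        Console.WriteLine(SafeHref("javascript:alert(1)"));
        Console.WriteLine(SafeHref("https://bank.example/help"));
    }
}
```

Run it and compare the two onclick lines: in the unsafe one the attribute value decodes to search(''); alert(1); //') and the alert runs; in the safe one the quote arrives at the JavaScript engine as \u0027 and stays inside the string. The href example shows why a URL is a validation problem rather than an encoding problem.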

Disadvantages in prior versions

So the problem can be eliminated; what is the difficulty? Developers face two problems with the above approach.

Developers commonly forget to call HtmlEncode, leaving the page open to attack. Because <%= %> writes the raw value by default, every omission is silent and only shows up when someone tests with a script payload.

If the text is already encoded, Server.HtmlEncode encodes it again.

See the following code

<% string userInput=Server.HtmlEncode("<script>alert('please don't encode me multiple times')</script>"); %>

<%= Server.HtmlEncode(userInput)%>

Now the user sees the doubly encoded userInput: the first pass turns < into &lt;, the second turns that into &amp;lt;, so the page literally displays the text &lt;script&gt; instead of the intended <script>.

What is the solution in ASP.Net 4?

ASP.NET 4 introduces a new syntax for writing data to the page: <%: %>, known as the HTML-encoding code nugget. It behaves like <%= %>, but HTML-encodes the value by default. Using it consistently removes the first problem above, because the encoding no longer depends on the developer remembering it. It does not make XSS impossible, though: it still performs only HTML encoding, so it is no safer than Server.HtmlEncode for a value that ends up inside a JavaScript string, an event-handler attribute or a URL, and it does not cover <%# %> data-binding expressions or anything written from code-behind with Response.Write.

See the sample.

<% string userInput="<script>alert('I am not vulnerable')</script>"; %>

<%: userInput%>

The next step is to avoid encoding multiple times. This is a bit tricky. ASP.NET 4 adds a new class, HtmlString, which represents an already HTML-encoded string that should not be encoded again. Read more on MSDN: http://msdn.microsoft.com/en-us/library/ee360280.aspx

HtmlString implements the IHtmlString interface, and <%: %> checks for that interface: an IHtmlString value is written as-is, anything else is encoded. So if you have an HtmlString object, it tells <%: %> that the string is already encoded and it will not be encoded again. Be careful, though: HtmlString is a trust assertion, not an encoder. Wrapping raw user input in new HtmlString(...) brings the vulnerability straight back, so only construct it from markup you generated or encoded yourself.

<% HtmlString userInput = new HtmlString(Server.HtmlEncode("<script>alert('I am not vulnerable and not multi encoded')</script>"));%>

<%: userInput%>
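This console program is an added example, not code from the original article, and it serves both the double-encoding case above and the HtmlString case just shown. It reproduces outside a page what <%: value %> does: the page compiler turns it into a call to HttpUtility.HtmlEncode, whose object overload writes an IHtmlString through ToHtmlString() unchanged and encodes anything else. The Nugget and OldStyle helpers and the BoldLabel type are my own constructions for illustration; the payload is the article's. Build it against System.Web.dll on .NET 4 or later.

```csharp
// Added example (not from the original article): reproduces outside a page what
// <%: value %> does. The page compiler compiles it to HttpUtility.HtmlEncode, whose
// object overload passes an IHtmlString through and encodes everything else.
// Payload is constructed; build against System.Web.dll (.NET 4 or later).
using System;
using System.Web;

static class CodeNuggetBehaviour
{
    // Equivalent of <%: value %>: IHtmlString -> ToHtmlString(), anything else -> encoded.
    public static string Nugget(object value)
    {
        return HttpUtility.HtmlEncode(value);
    }

    // Equivalent of the old <%= Server.HtmlEncode(value) %>: always encodes the string.
    public static string OldStyle(string value)
    {
        return HttpUtility.HtmlEncode(value);
    }

    static void Main()
    {
        string raw = "<script>alert('please don't encode me multiple times')</script>";
        string onceEncoded = HttpUtility.HtmlEncode(raw);

        // 1. Raw string through <%: %>: encoded once, rendered as harmless text.
        Console.WriteLine(Nugget(raw));

        // 2. Already-encoded string, old style or new style as a plain string: encoded
        //    again, so the visitor literally sees "&lt;script&gt;" on the page.
        Console.WriteLine(OldStyle(onceEncoded));
        Console.WriteLine(Nugget(onceEncoded));

        // 3. Already-encoded string wrapped in HtmlString: passed through untouched,
        //    which is the article's fix for double encoding.
        Console.WriteLine(Nugget(new HtmlString(onceEncoded)));

        // 4. The trap: HtmlString asserts trust, it does not encode. Wrapping raw input
        //    in it brings the <script> tag back exactly as in the vulnerable <%= %> page.
        Console.WriteLine(Nugget(new HtmlString(raw)));

        // 5. Any IHtmlString implementation gets the same pass-through, so a custom type
        //    that builds markup must encode its own data fields before adding tags.
        Console.WriteLine(Nugget(new BoldLabel("<b>not a tag</b>")));
    }
}

// Constructed IHtmlString: encodes the text it wraps, then adds its own markup,
// so it is safe to hand to <%: %> even though <%: %> will not encode it.
sealed class BoldLabel : IHtmlString
{
    private readonly string text;
    public BoldLabel(string text) { this.text = text; }
    public string ToHtmlString() { return "<b>" + HttpUtility.HtmlEncode(text) + "</b>"; }
}
```

Lines 2 and 3 of the output are the point: the same once-encoded data comes out as &amp;lt;script&amp;gt;... when it is a plain string and as &lt;script&gt;... when it is wrapped in HtmlString. Line 4 prints a live <script> tag, which is why the decision to construct an HtmlString deserves the same scrutiny as a decision to use <%= %>.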

Conclusion

Developers should use <%: %> to render content to the page. Search your project for <%= and replace it with <%: wherever the value is data rather than markup you generated yourself; where a value is already encoded, wrap it in HtmlString instead of switching back to <%=.
