In a previous blog entry, I highlighted a key web development security issue: XSS or Cross Site Scripting. I spoke mainly of case studies from Google websites/services (Security in Software As A Service (GOOGLE) - How Secure is the data and where is the Offline switch?) and the challenges with software as a service. Just so Google is not singled out for case studies on security issues, here is a link for issues in Firefox and the controversy stirred by this last year.
In any case, as a continuation of that and narrowing the focus on XSS this time around, I thought I'd write up a simplified entry on securing your ASP.NET site from XSS.
SCENARIO:
At some point in your ASP.NET code-behind, you directly manipulate the user's input (whether it came from a textbox, the URL, or even client cookies). For this example, we'll use the simplified and trivial case below:
// untrusted input read straight from the query string
string script = Request.QueryString["test"];
But what you may end up with in your application's response to the client is the following:
<html><head><script type="text/javascript">alert('42');</script></head></html>
where alert('42'); is the malicious script. So how does this apply to the real world? Think of web forms, or better yet, think of blogs. Think of the comments posted on a blog entry. (OK, so maybe the first thing that comes to your mind is SQL injection when it comes to persisting the comments, but XSS should also cross your mind.)
Basically, anything in your site that outputs user input in some shape or form may be vulnerable. For ASP.NET developers, there is no need to hyperventilate just yet. Request validation in ASP.NET (the ValidateRequest setting, PagesSection.ValidateRequest) checks the incoming request for potentially dangerous values. As MSDN also calls out, this is not a complete blanket approach, and you will definitely need to handle your own specific security issues on top of it. Also, turning this feature off (whether at the page level in the <%@ Page %> directive, at the application level in web.config or, worse yet, at the server level in machine.config) is NOT recommended. ASP.NET raises an HttpRequestValidationException if it encounters dangerous input; in these cases, you can refer to my blog entry on IIS custom errors to handle this and display the appropriate error page.
The nice thing about ASP.NET's built in security is that it covers simple cases such as the following:
- Providing script tags in your QueryString (e.g. <script type="text/javascript">alert('42')</script>)
- Providing script tags with URL-encoded characters (e.g. <%8fscript%20type="text/javascript"></script>)
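To make the scenario concrete, here is an added example (not code from the original post) of a code-behind page that reflects the "test" query-string value into the response, first the way the scenario describes and then with output encoding, and that turns the HttpRequestValidationException raised by request validation into a redirect. The page name ReflectPage and the InvalidInput.aspx redirect target are assumptions for illustration.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Added example, not code from the original post. ReflectPage and
// InvalidInput.aspx are assumed names.
public partial class ReflectPage : Page
{
    // VULNERABLE: the untrusted value is placed into the page unchanged, so any
    // markup it contains is parsed and executed by the browser.
    public static string RenderUnsafe(string untrusted)
    {
        return "<p>You searched for: " + untrusted + "</p>";
    }

    // HARDENED: encode for the HTML-body context before emitting. HtmlEncode
    // turns < > & and " into entities, so "<script>" reaches the browser as
    // text rather than as a script element.
    public static string RenderSafe(string untrusted)
    {
        return "<p>You searched for: " + HttpUtility.HtmlEncode(untrusted) + "</p>";
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // With ValidateRequest left at its default (true), reading the query
        // string throws HttpRequestValidationException for input that looks
        // like markup, so the built-in check runs before our code sees the value.
        string input = Request.QueryString["test"] ?? string.Empty;

        // Request validation is a safety net, not a substitute for encoding:
        // always write the encoded form, never RenderUnsafe(input).
        Response.Write(RenderSafe(input));
    }

    // Page_Error is wired up by AutoEventWireup and receives unhandled
    // exceptions from this page. Turning the validation exception into a
    // friendly page here avoids the default error screen.
    protected void Page_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex is HttpRequestValidationException)
        {
            Server.ClearError();
            Response.Redirect("~/InvalidInput.aspx", false); // assumed page name
        }
    }
}
```

Request validation only rejects strings it recognizes as markup; the encoding in RenderSafe is what actually closes the hole, which is why the two are used together rather than either one alone.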
RECOMMENDED RESOURCES AND LIBRARIES/FRAMEWORKS
Obviously, you still need to handle security issues specific to your website or application. This is where a decent encoding library comes into play. Microsoft provides a free Anti-Cross Site Scripting Library for .NET. You can download it here (they also have an archived V1.0 on the MS downloads page; this link is for V1.5, which was published externally on 11/20/2006). The download comes with a decent help document and accompanying samples as well. Obviously, as with any third-party/outside library you adopt into your own projects, you need to evaluate the impact properly. It may not suit the needs of your particular project, and it will require a small investment in research/investigation time. Ideally, you will want to become intimately familiar with the libraries you use to abstract your work. (HINT: here comes another endorsement for Lutz Roeder's .NET Reflector.)
The AntiXSS library provides the following functionality:
- HtmlAttributeEncode
- HtmlEncode
- JavaScriptEncode
- UrlEncode (NOTE: THIS IS NOT THE SAME AS THE ONE BUILT IN ASP.NET'S Server.UrlEncode)
- VisualBasicScriptEncode
- XmlAttributeEncode
- XmlEncode
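The point of having several encoders is that each output context needs its own. The added example below (not from the original post or the AntiXSS help file) renders one blog comment where the author name is written into four contexts: an HTML attribute, HTML body text, a query-string parameter and a JavaScript string literal, each through the matching encoder. It assumes the AntiXSS 1.5 static class Microsoft.Security.Application.AntiXss; the CommentRenderer class, the reply.aspx link and the input values are illustrative.

```csharp
using System;
using System.Text;
using Microsoft.Security.Application;

// Added example, not from the original post or the AntiXSS download.
// Assumes the AntiXss static class from AntiXSS 1.5; CommentRenderer and
// reply.aspx are illustrative names.
public static class CommentRenderer
{
    public static string Render(string author, string homepage, string comment)
    {
        StringBuilder html = new StringBuilder();

        // HTML attribute context: the author name sits inside title="...".
        html.Append("<div class=\"comment\" title=\"")
            .Append(AntiXss.HtmlAttributeEncode(author))
            .Append("\">");

        // URL inside an attribute: encoding cannot make a javascript: or data:
        // link harmless, so allow only http/https and only then encode for the
        // attribute context.
        Uri link;
        bool linkOk = Uri.TryCreate(homepage, UriKind.Absolute, out link)
            && (link.Scheme == Uri.UriSchemeHttp || link.Scheme == Uri.UriSchemeHttps);
        if (linkOk)
        {
            html.Append("<a href=\"")
                .Append(AntiXss.HtmlAttributeEncode(link.AbsoluteUri))
                .Append("\">");
        }

        // HTML body context: the author name as visible text.
        html.Append("<b>").Append(AntiXss.HtmlEncode(author)).Append("</b>");
        if (linkOk)
        {
            html.Append("</a>");
        }

        // HTML body context: the comment text itself.
        html.Append("<p>").Append(AntiXss.HtmlEncode(comment)).Append("</p>");

        // Query-string context: the author name as a URL parameter. This is
        // AntiXss.UrlEncode (white-list based), not Server.UrlEncode; its output
        // contains no characters that need further attribute encoding.
        html.Append("<a href=\"reply.aspx?to=")
            .Append(AntiXss.UrlEncode(author))
            .Append("\">reply</a>");

        // JavaScript string context: the value is escaped for use as a JS
        // string literal. Later AntiXSS releases return the literal with its
        // surrounding quotes; if your build returns the bare escaped text, add
        // the quotes yourself. Check the help file that ships with the download.
        html.Append("<script type=\"text/javascript\">var commentAuthor = ")
            .Append(AntiXss.JavaScriptEncode(author))
            .Append(";</script>");

        html.Append("</div>");
        return html.ToString();
    }
}
```

Calling Render with a comment body of <script type="text/javascript">alert('42')</script> produces a paragraph whose content is inert text, because the body encoder rewrites the characters the browser would otherwise treat as markup; the same input placed into the title attribute or the script block is handled by a different encoder, since the characters that break out of each context differ.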
A good MSDN resource on script exploits is: http://msdn2.microsoft.com/en-us/library/w1sw53ds(VS.80).aspx. Another great paper on XSS can be found at: http://www.technicalinfo.net/papers/CSS.html. Happy securing your ASP.NET applications and web services!
While on the topic of securing your application (and more specifically, your web service), you may want to dive into Microsoft's WSE 3.0. It is a free add-on to VS2005 and adds options for setting security policies on your web service.