Friday, January 16, 2009

HTML Injection

Now I would like to share another interesting thing in web applications: HTML Injection.
HTML Injection refers to injecting HTML code into a web server's response to alter
the content shown to the end user. This is also known as Cross Site Scripting.
Cross Site Scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
An attacker can use XSS to send malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site.

Let’s see how the problem can be solved.

validateRequest is a nice feature that tells ASP.NET whether to examine all data from the browser for potentially malicious input, particularly anything that looks like HTML or scripting, which forms the basis for many types of attacks such as cross-site scripting. By introducing validateRequest and setting it to true by default, Microsoft has very effectively put a halt to some of the most common Web site attacks.

The first problem with validateRequest comes when you run an ASP.NET application on a server: in many circumstances (painfully many) you'll get an exception of "A potentially dangerous Request.Form value was detected from the client" when it detects uuencoded input. This breaks the application. In this case it is justified: if you don't catch these kinds of attacks, your servers could be under a hacker's control without your knowledge.

You can disable this for a single page by setting it to false in the page directive:

<%@ Page ... validateRequest="false" %>

With this setting, ASP.NET won’t examine the data coming from the browser.

Secondly, never trust user input and always filter metacharacters. This will eliminate the majority of XSS attacks. Converting < and > to &lt; and &gt; is also suggested when it comes to script output.
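As an added illustration (not code from the original post), the following C# console program models the two defences described above: a simplified check in the spirit of ASP.NET request validation (an assumption for demonstration; the real check inside System.Web is more involved) and HTML-encoding the metacharacters before a value is written back into the page. The greeting template, the HtmlEncode helper and the sample value are constructed for this example.

```csharp
using System;
using System.Text.RegularExpressions;

static class HtmlInjectionDemo
{
    // Simplified stand-in for ASP.NET request validation (assumption: the real
    // rule in System.Web is more involved). Flags '<' followed by a letter,
    // '!', '/' or '?', and the start of a numeric entity "&#".
    static readonly Regex Dangerous = new Regex(@"<[a-zA-Z!/?]|&#", RegexOptions.Compiled);

    public static bool LooksDangerous(string input)
    {
        return input != null && Dangerous.IsMatch(input);
    }

    // Convert the HTML metacharacters so the browser shows them as text
    // instead of parsing them as markup. '&' must be replaced first so the
    // entities produced by the later replacements are not double-encoded.
    public static string HtmlEncode(string s)
    {
        if (s == null) return string.Empty;
        return s.Replace("&", "&amp;")
                .Replace("<", "&lt;")
                .Replace(">", "&gt;")
                .Replace("\"", "&quot;")
                .Replace("'", "&#39;");
    }

    // Vulnerable: the user-controlled value is concatenated straight into the response.
    public static string RenderUnsafe(string name)
    {
        return "<p>Hello, " + name + "</p>";
    }

    // Fixed: the same template, but the value is encoded on output.
    public static string RenderSafe(string name)
    {
        return "<p>Hello, " + HtmlEncode(name) + "</p>";
    }

    static void Main()
    {
        // Constructed sample value of the kind the post warns about.
        string name = "<script>alert('xss')</script>";

        Console.WriteLine("Request validation would reject it: " + LooksDangerous(name));
        Console.WriteLine("Unsafe:  " + RenderUnsafe(name));
        Console.WriteLine("Encoded: " + RenderSafe(name));
    }
}
```

With validateRequest="false" only the encoded rendering stands between the value and the browser, which is why output encoding is needed even when request validation is on.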
