Radhika.Putcha said:
We are trying to implement a global method to detect cross-site
scripting vulnerability attacks - to filter hazardous characters from
user input before the request is submitted. Can you please suggest if
there is a global way of achieving this?
You could use HttpUtility.HtmlEncode on all the user-input data before
displaying it, that way any code is rendered harmlessly as text, e.g.
label1.Text = HttpUtility.HtmlEncode(UserName);
ASP.NET guards against XSS attempts by default; try entering the text
"<script>" in an input on a form and when it's submitted you'll get an error
like
---------------------------
"A potentially dangerous Request.Form value was detected from the client
(ctl00$ContentPlaceHolder1$uName="<script>").
Description: Request Validation has detected a potentially dangerous client
input value, and processing of the request has been aborted. This value may
indicate an attempt to compromise the security of your application, such as
a cross-site scripting attack. You can disable request validation by setting
validateRequest=false in the Page directive or in the configuration section.
However, it is strongly recommended that your application explicitly check
all inputs in this case."
---------------------------
And if you store data in a database, don't forget to guard against SQL
injection attacks by using parameters to pass values to the database.
Andrew
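As an added example, not code from Andrew's post or the original thread: a Web Forms code-behind that applies both recommendations above, encoding user input with HttpUtility.HtmlEncode before it is displayed and passing it to the database through a parameter. The control names (txtUserName, lblGreeting, btnSave), the Users table and the AppDb connection string are assumptions; it also goes slightly beyond the post by showing HttpUtility.JavaScriptStringEncode for the case where the value ends up inside a script block, where HtmlEncode alone is the wrong encoder.

```csharp
// Added example (not from the original thread). Assumed names: txtUserName,
// lblGreeting, btnSave, the Users table and the "AppDb" connection string.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;

public partial class Profile : Page
{
    protected void btnSave_Click(object sender, EventArgs e)
    {
        string userName = txtUserName.Text;

        // Vulnerable: raw input becomes markup, so "<script>..." would run
        // if request validation were switched off for this page.
        // lblGreeting.Text = "Hello " + userName;

        // Safe for HTML body content: '<' becomes "&lt;", so the browser
        // shows the characters as text and never parses them as tags.
        lblGreeting.Text = "Hello " + HttpUtility.HtmlEncode(userName);

        // A JavaScript string literal is a different context; HtmlEncode
        // does not escape quotes or backslashes the way script needs.
        string js = "var who = '" + HttpUtility.JavaScriptStringEncode(userName) + "';";
        ClientScript.RegisterStartupScript(GetType(), "who", js, true);

        SaveUser(userName);
    }

    // Store the raw value and encode on output; encoding before storage
    // ties the data to one output context.
    private static void SaveUser(string userName)
    {
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "INSERT INTO Users (UserName) VALUES (@UserName)", conn))
        {
            // Parameterised: the value travels as data, never as SQL text,
            // so a quote in the input cannot change the statement.
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 100).Value = userName;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
```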