How do you avoid XSS vulnerabilities in ASP.Net (MVC)?

I recently noticed that I had a big hole in my application because I had done something like:

<input type="text" value="<%= value%>" />

I know that I should have used Html.Encode, but is there any way to do that for all values, without having to do it explicitly?

tghw asked Jul 08 '10 19:07



2 Answers

There are a few ways:

  • Use the <%: %> syntax in ASP.NET MVC2 / .NET 4.0. (Which is just syntactic sugar for Html.Encode())
  • Follow the directions laid out by Phil Haack, which detail using the Anti-XSS library as the 'default' encoding engine for ASP.NET.
George Stocker answered Oct 05 '22 03:10
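The difference between the raw `<%= %>` output in the question and the encoded `<%: %>` / `Html.Encode()` output in the answer above, as an added, self-contained example (not code from the question, the answers, or ASP.NET itself). It simulates what the view engine does for the attribute context in the question: `PreEncodedHtml` is a stand-in for `System.Web.IHtmlString` / `MvcHtmlString` (the type `<%: %>` passes through without re-encoding), `ViewEncoding.Encode` stands in for `Html.Encode`, and `System.Net.WebUtility.HtmlEncode` is used instead of `HttpUtility.HtmlEncode` so the program runs on both .NET Framework 4.0+ and .NET Core without a reference to System.Web. The attacker payload is constructed for the example.

```csharp
using System;
using System.Net;

// Stand-in for IHtmlString / MvcHtmlString: HTML the view has already encoded,
// which <%: %> and Html.Encode pass through unchanged. (Assumed type for this example.)
public sealed class PreEncodedHtml
{
    public string Html { get; }
    public PreEncodedHtml(string html) { Html = html; }
}

public static class ViewEncoding
{
    // Mirrors what <%: value %> does: encode strings, pass through already-encoded HTML.
    public static string Encode(object value)
    {
        if (value == null) return string.Empty;
        if (value is PreEncodedHtml pre) return pre.Html;
        // WebUtility.HtmlEncode escapes &, <, > and " (and, from .NET 4.0 on, ' as &#39;),
        // which is enough for a double-quoted attribute value like the one in the question.
        return WebUtility.HtmlEncode(value.ToString());
    }

    // The vulnerable template from the question: <input type="text" value="<%= value %>" />
    public static string RenderRaw(string value)
    {
        return "<input type=\"text\" value=\"" + value + "\" />";
    }

    // The fixed template: <input type="text" value="<%: value %>" />
    public static string RenderEncoded(string value)
    {
        return "<input type=\"text\" value=\"" + Encode(value) + "\" />";
    }

    // Sanity check on the rendered element: type="text" and value="..." account for exactly
    // four double quotes, so any other '"' means the value broke out of its attribute.
    public static bool AttributeStaysClosed(string html)
    {
        int quotes = 0;
        foreach (char c in html)
        {
            if (c == '"') quotes++;
        }
        return quotes == 4;
    }

    public static void Main()
    {
        // Constructed attacker input: closes the value attribute and adds an event handler.
        string payload = "\" autofocus onfocus=\"alert(document.cookie)";

        string raw = RenderRaw(payload);
        string safe = RenderEncoded(payload);

        Console.WriteLine(raw);
        Console.WriteLine("attribute intact: " + AttributeStaysClosed(raw));

        Console.WriteLine(safe);
        Console.WriteLine("attribute intact: " + AttributeStaysClosed(safe));

        // A value the view already encoded is not double-encoded by <%: %>.
        var alreadySafe = new PreEncodedHtml("&lt;b&gt;bold&lt;/b&gt;");
        Console.WriteLine(Encode(alreadySafe));
    }
}
```

The raw rendering contains six double quotes (the two from the payload open a new `onfocus` attribute), so `AttributeStaysClosed` reports it as broken; the encoded rendering turns the payload's quotes into `&quot;` and keeps the four the template wrote. Two caveats a practitioner should keep in mind: HTML encoding only protects HTML body and attribute contexts, so a value placed inside a `<script>` block or a URL still needs a JavaScript or URL encoder respectively (the Anti-XSS library mentioned in the answer provides both); and anything wrapped in an `IHtmlString` is trusted as-is, so only wrap output that was genuinely encoded already. In MVC 3 and later, Razor's `@` syntax encodes by default the same way `<%: %>` does.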


Watch this video from Scott Hanselman and Phil Haack. They cover XSS, CSRF, JSON Hijacking specifically with ASP.Net MVC.

BradB answered Oct 05 '22 02:10