In ASP.NET we had Request Validation, but in ASP.NET Core there is no such thing.
How can we best protect an ASP.NET Core app against XSS?
Request validation gone:
https://nvisium.com/resources/blog/2017/08/08/dude-wheres-my-request-validation.html
- this guy recommends RegEx on Models
like:
    // Hyphen placed last so it is a literal; the blog's " -'" is a character range from
    // space to apostrophe and would also admit " # $ % &.
    [RegularExpression(@"^[a-zA-Z0-9 '-]*$", ErrorMessage = "Invalid characters detected")]
    public string Name { get; set; }
...but that does not work for globalization/internationalization, i.e. non-Latin characters like æ, ø, å, 汉字.
X-XSS-Protection header for >limited< XSS protection: https://dotnetcoretutorials.com/2017/01/10/set-x-xss-protection-asp-net-core/ Like this, but there is only limited support afaik:
    public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
    {
        // Inline middleware: set the (legacy) X-XSS-Protection header on every response
        // before the rest of the pipeline runs.
        app.Use(async (context, next) =>
        {
            context.Response.Headers.Add("X-Xss-Protection", "1");
            await next();
        });
        app.UseMvc();
    }
The documentation from Microsoft is two years old: https://docs.microsoft.com/en-us/aspnet/core/security/cross-site-scripting?view=aspnetcore-2.1 and does not really cover it.
I am thinking of doing something simple like:
    // string overloads: Replace('<', '') does not compile, '' is not a valid char literal
    myField = myField.Replace("<", "").Replace(">", "").Replace("&", "")...;
I have asked the same question of Microsoft, but I am interested to hear how people are solving this problem in real-life applications.
Update: what we are trying to accomplish:
In our application, we have web forms where people can input name, email, content and similar. The data is stored in a database and will be viewed on a frontend system and possibly other systems in the future (like RSS feeds, JSON, whatever). Some forms contain rich-text editors (TinyMCE) and allow users to mark up their texts. Malicious users could enter <script>alert('evil stuff');</script>
in the fields. What is the best way to strip the evil characters in ASP.NET Core before they reach the database? I prefer that evil scripts not be stored in the database at all.
I figured something like this could work:
    // Anchored at both ends; rejects any string containing & < > " ' or /.
    // (RegularExpressionAttribute also requires the match to cover the whole value.)
    const string RegExInvalidCharacters = @"^[^&<>""'/]*$";
    [RegularExpression(RegExInvalidCharacters, ErrorMessage = "InvalidCharacters")]
    public string Name { get; set; }
    [RegularExpression(RegExInvalidCharacters, ErrorMessage = "InvalidCharacters")]
    public string Content { get; set; }
...
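As an added example (mine, not from the question or the linked blog post), the globalization problem with the [RegularExpression] approach can be solved with Unicode categories, which .NET regular expressions support: \p{L} matches a letter in any script, so æ, ø, å and 汉字 pass while < > & " ' / are still rejected. The class, property and method names below are assumptions for a plain console project; the validation is exercised with DataAnnotations' Validator so it runs without a web host.

```csharp
// Added example, not part of the original question.
// Assumes a console project; ContactForm, PlainTextPattern and the method names are the author's.
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Text.RegularExpressions;

public class ContactForm
{
    // \p{L} = letter in any script, \p{M} = combining mark, \p{N} = digit.
    // The hyphen is escaped so it is a literal and not a character range.
    public const string PlainTextPattern = @"^[\p{L}\p{M}\p{N} .,'\-]*$";

    [Required, StringLength(100)]
    [RegularExpression(PlainTextPattern, ErrorMessage = "InvalidCharacters")]
    public string Name { get; set; }

    [Required, EmailAddress]
    public string Email { get; set; }
}

public static class Program
{
    // Same test RegularExpressionAttribute performs: the match must start at index 0
    // and cover the entire value, so a trailing newline or embedded tag cannot slip past.
    public static bool IsValidPlainText(string value)
    {
        if (value == null) return false;
        Match m = Regex.Match(value, ContactForm.PlainTextPattern);
        return m.Success && m.Index == 0 && m.Length == value.Length;
    }

    // Runs the DataAnnotations attributes the way MVC model validation does.
    public static IList<ValidationResult> Validate(ContactForm form)
    {
        var results = new List<ValidationResult>();
        Validator.TryValidateObject(form, new ValidationContext(form), results, validateAllProperties: true);
        return results;
    }

    public static void Main()
    {
        // Constructed sample inputs: international names should pass, markup should fail.
        string[] names =
        {
            "Søren Ågesen", "汉字", "O'Brien-Smith",
            "<script>alert('evil stuff');</script>", "Bob & Co", "abc\n"
        };
        foreach (string n in names)
            Console.WriteLine($"{n.Replace("\n", "\\n"),-40} valid={IsValidPlainText(n)}");

        var bad = new ContactForm { Name = "<b>x</b>", Email = "not-an-email" };
        foreach (ValidationResult r in Validate(bad))
            Console.WriteLine($"{string.Join(",", r.MemberNames)}: {r.ErrorMessage}");
    }
}
```

Two caveats worth keeping in mind. Input validation like this only narrows what a plain-text field may contain; it is not an XSS defence on its own, because the same stored value may be rendered into HTML, a JavaScript string, a JSON body or an RSS feed, and each of those contexts needs its own encoding at output time (Razor's @ syntax HTML-encodes by default). And a pattern this strict cannot be applied to the TinyMCE fields, which legitimately contain markup; those need an HTML sanitizer with an allowlist rather than a character blocklist.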
Anatomy of a Cross-Site Scripting Attack. The most common flavor of cross-site scripting, or XSS, is injecting JavaScript code into a page, although there are also attack vectors that use HTML or CSS.
In a cross-site scripting (XSS) attack, the attacker uses your vulnerable web page to deliver malicious JavaScript to your user. The user's browser executes this malicious JavaScript on the user's computer. Note that about one in three websites is vulnerable to cross-site scripting.
You can use the HtmlSanitizer NuGet package in ASP.NET Core.
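As an added example (mine, not from the answer above and not the HtmlSanitizer project's own code), this is how the package fits the question's TinyMCE fields: the rich-text content is sanitized against an explicit allowlist on the way into the database, while plain fields such as the name are stored as entered and HTML-encoded when rendered. It assumes the HtmlSanitizer NuGet package is referenced (namespace Ganss.Xss from version 8; earlier releases use Ganss.XSS); the class names and the particular allowlist are my choices, not the package defaults.

```csharp
// Added example, not part of the original answer or of the HtmlSanitizer project.
// Assumes the "HtmlSanitizer" NuGet package; RichTextPolicy and its allowlist are the author's.
using System;
using System.Text.Encodings.Web;
using System.Text.Unicode;
using Ganss.Xss;   // Ganss.XSS in HtmlSanitizer versions before 8.0

public static class RichTextPolicy
{
    // Configure once and reuse rather than rebuilding the policy per request.
    private static readonly HtmlSanitizer Sanitizer = Build();

    // HtmlEncoder.Default escapes everything outside Basic Latin, which turns æøå汉字 into
    // numeric entities; allowing all ranges keeps them readable while < > & " ' are still encoded.
    private static readonly HtmlEncoder Encoder = HtmlEncoder.Create(UnicodeRanges.All);

    private static HtmlSanitizer Build()
    {
        var s = new HtmlSanitizer();
        // Start from empty sets instead of trimming the package defaults, so that a
        // future change to those defaults cannot widen this policy silently.
        s.AllowedTags.Clear();
        s.AllowedTags.UnionWith(new[]
        {
            "p", "br", "b", "strong", "i", "em", "u",
            "ul", "ol", "li", "h2", "h3", "blockquote", "a"
        });
        s.AllowedAttributes.Clear();
        s.AllowedAttributes.Add("href");          // no style, class, id or on* handlers
        s.AllowedSchemes.Clear();
        s.AllowedSchemes.UnionWith(new[] { "http", "https", "mailto" }); // drops javascript: and data:
        s.AllowedCssProperties.Clear();           // inline CSS is not needed for this editor
        return s;
    }

    // For fields that legitimately contain HTML (the TinyMCE editors): call once before saving.
    public static string CleanRichText(string html) =>
        Sanitizer.Sanitize(html ?? string.Empty);

    // For plain fields (name, email): store as entered, encode at render time.
    // Razor's @ does this already; use this when you build HTML strings yourself.
    public static string EncodeForHtml(string text) =>
        Encoder.Encode(text ?? string.Empty);
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample of what a malicious user might paste into the editor.
        string evil =
            "<p onmouseover=\"alert(1)\">Hi <b>there</b></p>" +
            "<script>alert('evil stuff');</script>" +
            "<a href=\"javascript:alert(2)\">click</a>" +
            "<img src=x onerror=\"alert(3)\">" +
            "<p style=\"background:url(javascript:alert(4))\">styled</p>";

        Console.WriteLine("Sanitized rich text:");
        Console.WriteLine(RichTextPolicy.CleanRichText(evil));

        Console.WriteLine("Encoded plain text:");
        Console.WriteLine(RichTextPolicy.EncodeForHtml("Søren <script>alert(1)</script> & Co"));
    }
}
```

With this policy the script element, the img element (not in the allowlist), every on* handler, the style attribute and the javascript: href are removed, and the surviving markup is limited to the listed tags with at most an http/https/mailto href. Note what sanitizing on input does and does not buy you: the database no longer holds a script, which is what the question asks for, but the RSS and JSON consumers mentioned in the question still have to encode for their own output context, and the plain-text fields still go through HTML encoding when rendered.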