
How to protect against XSS in ASP.NET Core?

In ASP.NET we had Request Validation but in ASP.NET Core there is no such thing.

How can we protect an ASP.NET Core app against XSS the best way?

Request validation gone: https://nvisium.com/resources/blog/2017/08/08/dude-wheres-my-request-validation.html - this guy recommends RegEx on Models like:

// Hyphen escaped: an unescaped " -'" inside [...] is a range from space to apostrophe
[RegularExpression(@"^[a-zA-Z0-9 \-']*$", ErrorMessage = "Invalid characters detected")]
public string Name { get; set; }

...but that does not work for globalization/internationalization, i.e. non-latin characters like æ, ø å 汉字.

X-XSS-Protection header for >limited< XSS protection: https://dotnetcoretutorials.com/2017/01/10/set-x-xss-protection-asp-net-core/ Like this, but there is only limited support afaik:

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    app.Use(async (context, next) =>
    {
        // Adds the X-Xss-Protection header to every response before the next middleware runs
        context.Response.Headers.Add("X-Xss-Protection", "1");
        await next();
    });
}


The documentation from Microsoft is two years old: https://docs.microsoft.com/en-us/aspnet/core/security/cross-site-scripting?view=aspnetcore-2.1 and does not really cover it.

I am thinking to do something simple like:

// string overloads; Replace('<', '') does not compile because '' is not a valid char literal
myField = myField.Replace("<", "").Replace(">", "").Replace("&", "").Repl...;

on all data submissions, but it seems kind of wonky.

I have asked the same question of Microsoft, but I am interested to hear how people are solving this problem in real-life applications.

Update: what we are trying to accomplish:

In our application, we have web forms where people can input name, email, content and similar. The data is stored in a database and will be viewed on a frontend system and possibly other systems in the future (like RSS feeds, JSON, whatever). Some forms contain rich-text editors (TinyMCE) and allow users to mark up their texts. Malicious users could enter <script>alert('evil stuff');</script> in the fields. What is the best way to strip the evil characters in ASP.NET Core before it reaches the database? I prefer evil scripts not to be stored in the database at all.

I figured something like this could work:

// Anchored at both ends so the whole value must consist of allowed characters;
// inside a verbatim string "" is a literal double quote
const string RegExInvalidCharacters = @"^[^&<>\""'/]*$";

[RegularExpression(RegExInvalidCharacters, ErrorMessage = "InvalidCharacters")]
public string Name { get; set; }

[RegularExpression(RegExInvalidCharacters, ErrorMessage = "InvalidCharacters")]
public string Content { get; set; }

Sha asked Sep 08 '18 20:09
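Added example (not code from the question or from the linked blog posts): the globalization problem raised above goes away if the name allow-list is written with Unicode categories instead of [a-zA-Z0-9], and the free-text fields are left unfiltered and encoded for the context they are rendered in (HTML page, JavaScript/JSON feed). The model, class and method names below are invented for the illustration; only System.* namespaces from .NET Core are used.

```csharp
// Added example: Unicode-aware input validation plus context-specific output encoding.
using System;
using System.ComponentModel.DataAnnotations;
using System.Text.Encodings.Web;

public class ContactForm
{
    // Letters of any script, combining marks, digits, space, apostrophe, hyphen.
    // \p{L}\p{M}\p{N} accepts æ, ø, å and 汉字, which [a-zA-Z0-9] rejects.
    public const string NamePattern = @"^[\p{L}\p{M}\p{N} '\-]{1,100}$";

    [Required]
    [RegularExpression(NamePattern, ErrorMessage = "Invalid characters detected")]
    public string Name { get; set; }

    // Free text is not character-filtered; it is encoded when rendered instead,
    // so a user may legitimately write "a < b && c > d" in a message.
    [Required, StringLength(4000)]
    public string Content { get; set; }
}

public static class XssDemo
{
    // Runs the same DataAnnotations validation that MVC model binding performs,
    // so the result matches ModelState.IsValid in a controller action.
    public static bool IsValid(ContactForm form)
    {
        var ctx = new ValidationContext(form);
        return Validator.TryValidateObject(form, ctx, null, validateAllProperties: true);
    }

    // Razor does this automatically for @Model.Content; shown explicitly here.
    // Only Html.Raw(...) bypasses it.
    public static string ForHtml(string untrusted) => HtmlEncoder.Default.Encode(untrusted);

    // For a value dropped into a JavaScript string literal or a hand-built JSON feed.
    public static string ForJavaScript(string untrusted) => JavaScriptEncoder.Default.Encode(untrusted);

    public static void Main()
    {
        // Constructed sample submissions.
        var ok = new ContactForm { Name = "Søren Åberg 汉字", Content = "hi" };
        var bad = new ContactForm { Name = "<script>alert(1)</script>", Content = "hi" };
        Console.WriteLine($"non-latin name valid: {IsValid(ok)}");
        Console.WriteLine($"script name valid:    {IsValid(bad)}");

        string evil = "<script>alert('evil stuff');</script>";
        Console.WriteLine(ForHtml(evil));        // angle brackets and quotes become entities
        Console.WriteLine(ForJavaScript(evil));  // angle brackets and quotes become \uXXXX escapes
    }
}
```

The stored value is still the raw text; what makes it harmless is that every consumer (Razor view, JSON serializer, RSS writer) encodes it for its own context. Stripping <, > and & at submission time would not protect a JSON consumer and would silently corrupt legitimate input.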

1 Answer

You can use the HtmlSanitizer NuGet package in ASP.NET Core.

night programmer answered Oct 06 '22 03:10

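Added example (not from the answer and not the package's own sample code) of what the answer suggests: running TinyMCE output through the HtmlSanitizer NuGet package with an explicit allow-list before the value is persisted, which covers the rich-text fields where plain encoding is not an option. It assumes a recent package version (8.x) where the namespace is Ganss.Xss; older releases use Ganss.XSS. The class name RichTextSanitizer and the sample input are invented for the illustration.

```csharp
// Added example: allow-list sanitizing of rich-text submissions with HtmlSanitizer.
using System;
using Ganss.Xss;

public static class RichTextSanitizer
{
    private static readonly HtmlSanitizer Sanitizer = Build();

    private static HtmlSanitizer Build()
    {
        var s = new HtmlSanitizer();

        // Start from an empty allow-list rather than trimming the package defaults,
        // so that only the markup the editor is supposed to produce survives.
        s.AllowedTags.Clear();
        foreach (var tag in new[] { "p", "br", "b", "strong", "i", "em", "u",
                                    "ul", "ol", "li", "a", "h2", "h3", "blockquote" })
            s.AllowedTags.Add(tag);

        // No event handlers, no style, no class: just links with a title.
        s.AllowedAttributes.Clear();
        s.AllowedAttributes.Add("href");
        s.AllowedAttributes.Add("title");

        // href values with any other scheme (javascript:, data:, ...) are dropped.
        s.AllowedSchemes.Clear();
        s.AllowedSchemes.Add("http");
        s.AllowedSchemes.Add("https");
        s.AllowedSchemes.Add("mailto");

        // No inline CSS at all.
        s.AllowedCssProperties.Clear();

        return s;
    }

    // Call once at the trust boundary, i.e. in the controller action before saving.
    public static string Clean(string untrustedHtml) =>
        untrustedHtml is null ? string.Empty : Sanitizer.Sanitize(untrustedHtml);

    public static void Main()
    {
        // Constructed sample of what a malicious user might paste into the editor.
        string submitted =
            "<p onclick=\"alert(1)\">Hello <b>world</b></p>" +
            "<script>alert('evil stuff');</script>" +
            "<img src=x onerror=\"alert(2)\">" +
            "<a href=\"javascript:alert(3)\">click</a>" +
            "<a href=\"https://example.com\" style=\"color:red\" title=\"fine\">ok</a>";

        // Expect: the paragraph and bold text, the two links with only the https href
        // and title kept, and the script, img and event-handler attributes removed.
        Console.WriteLine(Clean(submitted));
    }
}
```

In an MVC action this is `form.Content = RichTextSanitizer.Clean(form.Content);` before the repository call. The sanitized field is the only one that should ever be rendered with Html.Raw; plain-text fields such as Name keep Razor's default encoding, and when the same content is later served as JSON or RSS it still has to be encoded for that format, because sanitizing for HTML says nothing about other contexts.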