I'm looking for ways to protect our website from XSS attacks. At this point I am concerned about sanitizing/protecting the input only. I am aware of the need to encode the output, but that's out of the scope of this question.
A few things to bear in mind:
I know that Microsoft recommends not to rely on Validate Request exclusively. However, I'd like to know why. Embarking on an input sanitization project will involve a fair amount of time and money which I need to justify to the business.
I have been researching actual examples of how to attack the Validate Request protection. All I have come up with is this. However, I have been unable to reproduce it on my site.
Validate input on arrival
Encoding is probably the most important line of XSS defense, but it is not sufficient to prevent XSS vulnerabilities in every context. You should also validate input as strictly as possible at the point when it is first received from a user.
Manual Validation
We just looked at an out-of-the-box feature that ASP.NET provides for validating user input that can be an extremely helpful mitigation in a defense-in-depth strategy.
ASP.NET Core MVC provides an HtmlString class which isn't automatically encoded upon output. This should never be used in combination with untrusted input as this will expose an XSS vulnerability.
Yes, Microsoft recommends that you don't rely on Validate Request because "Only you can define what represents good input for your application."
I recommend you read the How To: Prevent Cross-Site Scripting in ASP.NET guideline. This is possibly the best thing I have read from Microsoft on the topic of XSS.
Another thing you can use to sanitize input is the Microsoft Web Protection Library. It is easy to integrate into existing applications, and it is a fairly mature project that I personally rely on.
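As an added illustration of the point "only you can define what represents good input" (this is example code, not code from the question, the answer, or Microsoft), here is an allow-list validator for a comment form built on System.ComponentModel.DataAnnotations, the same attributes ASP.NET MVC and ASP.NET Core model binding evaluate before `ModelState.IsValid`. The field names, character classes and length limits are constructed assumptions for this example; the important property is that every field states what it accepts, so the check rejects anything else without needing to recognise attack patterns the way a request-validation blacklist does.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;

// Constructed example model: each property declares the only input it accepts.
public sealed class CommentForm
{
    // Display name: letters, digits, spaces and a few name punctuation marks, 2..40 chars.
    [Required]
    [StringLength(40, MinimumLength = 2)]
    [RegularExpression(@"^[\p{L}\p{Nd} .'\-]+$",
        ErrorMessage = "DisplayName contains characters that are not allowed.")]
    public string DisplayName { get; set; } = "";

    // Email: framework syntax check plus a length cap.
    [Required]
    [EmailAddress]
    [StringLength(254)]
    public string Email { get; set; } = "";

    // Free text is still bounded: a length cap and an explicit set of characters.
    // Angle brackets, ampersands and quotes are simply not in the set.
    [Required]
    [StringLength(2000, MinimumLength = 1)]
    [RegularExpression(@"^[\p{L}\p{Nd}\s.,!?'()\-:;]+$",
        ErrorMessage = "Body contains characters that are not allowed.")]
    public string Body { get; set; } = "";
}

public static class FormValidation
{
    // Runs every DataAnnotations attribute on the model and returns the error messages.
    // An empty list means the input matched the allow-list on every field.
    public static IReadOnlyList<string> Validate(object model)
    {
        var results = new List<ValidationResult>();
        var context = new ValidationContext(model);
        Validator.TryValidateObject(model, context, results, validateAllProperties: true);

        var errors = new List<string>();
        foreach (var r in results)
            errors.Add(r.ErrorMessage ?? "Invalid input.");
        return errors;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample submissions.
        var good = new CommentForm
        {
            DisplayName = "Alice O'Neil",
            Email = "alice@example.test",
            Body = "Looks good to me, thanks!"
        };
        var markupInName = new CommentForm
        {
            DisplayName = "Alice <b>O'Neil</b>",
            Email = "alice@example.test",
            Body = "Looks good to me, thanks!"
        };
        // No angle brackets at all: a blacklist keyed on tags has nothing to match,
        // but a display name is still not allowed to contain quotes or '='.
        var strayQuotesInName = new CommentForm
        {
            DisplayName = "Alice\" data-x=\"1",
            Email = "alice@example.test",
            Body = "Looks good to me, thanks!"
        };

        Report("good", good);                         // 0 errors
        Report("markupInName", markupInName);         // 1 error (DisplayName)
        Report("strayQuotesInName", strayQuotesInName); // 1 error (DisplayName)
    }

    private static void Report(string label, CommentForm form)
    {
        var errors = FormValidation.Validate(form);
        Console.WriteLine($"{label}: {errors.Count} error(s)");
        foreach (var e in errors) Console.WriteLine("  - " + e);
    }
}
```

In an MVC controller the same attributes are evaluated automatically during model binding, so the equivalent of `FormValidation.Validate` is checking `ModelState.IsValid` before using the model. Note that passing this allow-list says nothing about how the value is rendered later: a display name such as `Alice O'Neil` still has to be HTML-encoded on output, which is the separate concern the question sets aside.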