Xss Support - ASP.Net web api

Is there any built-in support for validating malicious input within the Web API, similar to forms with MVC?

If not, could anyone suggest a "global" filter/message inspector/whatever to validate against malicious input? I'm trying to avoid validating all of my models/parameters individually...

drogon asked Jul 02 '13 20:07



1 Answer

No, I don't believe there is such support. Here's why. The input validation support with Web Forms/MVC was a stopgap measure. But encoding output is the better XSS fix; validating input doesn't work perfectly, as what input is "bad" depends on how you'll be outputting it (as part of HTML element source, as part of JS source, in an HTML attribute value, as part of a SQL query, etc.).

So I'd recommend against generic, global input validation as the solution to XSS concerns. Instead, make sure you're always encoding input correctly before outputting it (or passing it on to another layer, such as a SQL DB). For output, if you're using the normal Web API mechanisms for returning data (model classes with content negotiation/formatters), the formatters should handle the content type-specific encoding for you.

dmatson answered Sep 24 '22 20:09
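The answer's point that the "right" encoding depends on the output context, shown as an added example in JavaScript (not code from the question, the answer, or ASP.NET Web API itself): the API side serializes a model to JSON the way a formatter would, and the browser-side consumer must still apply the HTML element, HTML attribute, or JS-string encoder for wherever it places each field. The model fields and sample values are constructed.

```javascript
// Encoder for text placed inside an HTML element body.
function encodeForHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
  })[c]);
}

// Encoder for a value placed in an HTML attribute: same escaping, plus the
// surrounding double quotes so the value can never break out of the attribute.
function encodeForHtmlAttribute(s) {
  return `"${encodeForHtml(s)}"`;
}

// Encoder for a value embedded in a JavaScript string literal or inline JSON.
// JSON.stringify escapes quotes and backslashes but leaves "<" and ">" alone,
// so a "</script>" inside the value would still terminate an inline <script>
// block; escaping them as \uXXXX keeps the output valid JSON and harmless HTML.
function encodeForJsString(s) {
  return JSON.stringify(String(s)).replace(/[<>]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// What a JSON formatter does on the API side: encode the model for the wire.
// This is JSON encoding only; it says nothing about how the client will render it.
function serializeApiResponse(model) {
  return JSON.stringify(model);
}

// What the browser-side consumer must do: decode the JSON, then encode each
// field for the exact place it lands (attribute value vs. element body).
function renderComment(responseJson) {
  const model = JSON.parse(responseJson);
  return `<li data-author=${encodeForHtmlAttribute(model.author)}>` +
         `${encodeForHtml(model.text)}</li>`;
}

// Constructed sample round trip: untrusted text that would survive a naive
// "reject <script>" input filter still needs encoding at render time.
function exampleRender() {
  const wire = serializeApiResponse({
    author: 'O"Reilly',
    text: 'Tom & "Jerry" <b>bold</b>',
  });
  return renderComment(wire);
}
```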