Paranoia: Cross Site Scripting
by Tiberius OsBurn | Published 03/27/2003 | Security, Web Development
Tiberius OsBurn

Tiberius OsBurn is a Senior Developer/System Analyst for The Gallup Organization (http://www.gallup.com). He recently completed a huge data warehousing project that archived data and documents from 1935 to the present - all coded in C#, SQL Server and ASP.NET.

Tiberius has extensive experience in VB, VB.NET, C#, SQL Server, ASP.NET and various other web technologies. Be sure to visit his site for his latest articles of interest to .NET developers.

http://tiberi.us

They're watching you - you know that? They've been scoping out your site for quite some time, looking at ways to screw with you and your site.

All right, you think your code is secure, eh? Got the latest handy-dandy encryption on your stuff, all up to snuff on your patches and service packs. But you know what? You're making a critical blunder on your site, and you might not even know it.

If you're taking information passed in on the QueryString and then Response.Write-ing it straight back out onto the page, uh-oh brother, you've got problems... You're ripe for the picking with Cross Site Scripting. Unless you already know where I'm going with this, read on.

If you're taking a bit of information, say, a user's first name and are passing that information along from one page to another and then are displaying that QueryString value on the page with a Response.Write, you're setting yourself up for disaster! Look at this innocent QueryString:

http://whatzit.com/whatthe/WebForm1.aspx?fName=Lumpy

You're trying to make poor Lumpy's user experience a little brighter, so you're being nice and executing the following code:

Response.Write("Hello " + Request.QueryString["fName"]);

When you run this code you get the following output:

Hello Lumpy

But if I were evil Eddie, I'd snake a little bit of JavaScript in on you when you weren't looking!

http://whatzit.com/whatthe/WebForm1.aspx?fName=
<script language='javascript'>alert("beotch");</script>

Guess what? If you paste this URL into your browser, it will pop up a nice little box telling you "beotch", er, whatever that means!

How in the world did this happen? Your page took the fName value and wrote it into the HTML unchanged, so the browser parsed that <script> tag exactly like any other markup you'd put on the page. Any JavaScript an attacker can fit into the QueryString can be piped into your site this way - that is the Cross Site Scripting vulnerability.

Check out this URL...

http://whatzit.com/whatthe/WebForm1.aspx?fName=
<script language='javascript'>window.navigate("http://mrPron");</script>

Ok, yeah. Now it's getting scary... But uh, so what? I mean, who cares if I can paste JavaScript into a URL on someone's site and run it in my own browser... Oooh wow. Now wait a minute, check out this next line... It'll make you think.

<a href="http://whatzit.com/whatthe/WebForm1.aspx?fName=
<script language='javascript'>window.navigate("http://mrPron");</script>">
Mole Hair Removal
</a>

I send someone a seemingly valid link to your site, and in fact they DO make it to the site, but they also get something else: the nasty little JavaScript I've embedded in the link runs in their browser, in your site's security context, as if your own page had written it. Pretty bad, eh? Think about someone sending around your URL, and the next thing the end user knows they are face-to-face with a bizarre picture depicting various unmentionables and bids for online casinos... You get the picture.

So, how do you prevent Cross Site Scripting? Heh heh, I thought you'd never ask!

First off, let's get a couple of things straight - be smart, not stupid. Follow some simple rules:

  • If you're expecting a particular type of data, check that it really is what you're expecting (a number parses as a number, a date as a date) before you do anything with it.
  • Check the length - if you expect an fName of at most 25 characters, chop the extra characters off and drop 'em (or better, reject the value outright; an oversize value is a sign that something is off). Don't give evil Eddie any room to do a lot of damage.
  • Check the characters against an allow-list of what you accept, not a block-list of what you don't - < or > or " or & or the ubiquitous ; have no business in a first name. Don't just take what you get from the QueryString; question all of your input. Trust no one. Really.
  • Whatever does get through, HTML-encode it at the moment you write it into the page (HttpUtility.HtmlEncode turns < into &lt; and > into &gt;), so that even a value that slipped past your validation is rendered as text instead of being parsed as markup.

Ok, here's a smidget of code for you to scope out - obviously, you'll want to flesh this out to fit your particular site:

using System.Text.RegularExpressions;

// Returns true when the QueryString value contains anything OTHER than
// the digits 0-9 or the letters a-z / A-Z - i.e. true means "reject it".
private bool checkValueQS(string QS) {
    // [^...] is a negated character class: it matches one character that is
    // NOT in the allow-list. A single hit anywhere in the string is enough.
    Regex r = new Regex("[^0-9a-zA-Z]");
    Match m = r.Match(QS);
    return m.Success;
}

This isn't rocket science - it's pretty easy in concept. All I'm doing is matching against anything that is NOT a digit 0-9 or a letter a-z / A-Z. If one such character turns up anywhere in the value, the check returns true and you can redirect the malicious end user who was trying to pass in the 'ol script tags. Notice that the regex describes what IS allowed rather than trying to enumerate every dangerous character; a block-list of known-bad characters is a game you will eventually lose.

Try this the next time you want to check up on Lumpy:

private void Page_Load(object sender, System.EventArgs e) {
    string fName = Request.QueryString["fName"];
    if (fName != null) {
        // checkValueQS returns true when it finds a forbidden character,
        // so only an all-alphanumeric value is ever echoed back.
        if (!checkValueQS(fName)) {
            Response.Write("Hello " + fName);
        } else {
            // Never echo the rejected value - that would reintroduce the bug.
            Response.Write("Hello... JERK!");
        }
    }
}

Notice that if the end user does try to pass anything other than a number or a letter, they get told off with Response.Write("Hello... JERK!") - and the value they sent never touches the page.
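The snippets above stop at input validation. As an added example (my own code, not the article's), here is the same "Hello fName" page with both layers in place: a length budget, an anchored allow-list that is slightly wider than the article's [0-9a-zA-Z] so that real names like "O'Brien" and "Mary-Jane" get through, and HttpUtility.HtmlEncode on the value at the point it is written into the HTML. The class and method names (GreetingPage, IsValidFirstName, RenderVulnerable, RenderHardened) and the "Hello, stranger" response are my choices; the sample inputs are constructed from the article's own examples.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;   // HttpUtility; on .NET Core / .NET 5+ the same class ships in System.Web.HttpUtility.dll

// Added example, not the article's own code: hardens the "Hello <fName>" page in two
// independent layers. Names (GreetingPage, RenderGreeting, etc.) are assumptions.
public static class GreetingPage
{
    // Rule: a fixed length budget for the parameter.
    public const int MaxNameLength = 25;

    // Rule: an allow-list of characters, anchored at both ends so the WHOLE value
    // must match. \z rather than $ so a trailing newline cannot sneak past the check.
    // Wider than the article's [0-9a-zA-Z] (space, dot, apostrophe, hyphen) so that
    // "O'Brien" and "Mary-Jane" pass; it still rejects < > " & ; / and non-ASCII.
    static readonly Regex NameChars = new Regex(@"^[A-Za-z0-9 .'\-]+\z");

    // Returns true when the value is acceptable as a first name.
    public static bool IsValidFirstName(string fName)
    {
        return fName != null
            && fName.Length <= MaxNameLength
            && NameChars.IsMatch(fName);
    }

    // What the article's original page does: concatenates raw input into HTML.
    public static string RenderVulnerable(string fName)
    {
        return "Hello " + fName;
    }

    // Hardened: validate first, then encode for the HTML text context regardless.
    // The encoding step alone would have neutralised the <script> payload even if
    // the validation were skipped or wrong - that is why both layers are kept.
    public static string RenderHardened(string fName)
    {
        if (!IsValidFirstName(fName))
        {
            return "Hello, stranger";   // do not echo the rejected value
        }
        return "Hello " + HttpUtility.HtmlEncode(fName);
    }

    public static void Main()
    {
        // Constructed sample inputs, taken from the article's examples.
        string[] samples =
        {
            "Lumpy",                                                     // the happy path
            "O'Brien",                                                   // legit name the strict regex rejects
            "<script language='javascript'>alert(\"beotch\");</script>", // the article's payload
            new string('A', 40),                                         // over the length budget
        };

        foreach (string s in samples)
        {
            Console.WriteLine("input:      " + s);
            Console.WriteLine("vulnerable: " + RenderVulnerable(s));
            Console.WriteLine("hardened:   " + RenderHardened(s));
            Console.WriteLine();
        }
    }
}
```

In a real page, Page_Load would pass Request.QueryString["fName"] to RenderHardened and Response.Write the result. Note that HtmlEncode is the right encoding only because the value lands in HTML text between tags; a value written into an attribute, a URL or an inline script block needs the encoding appropriate to that context instead.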

Be careful of Cross Site Scripting - It's a serious problem that can be dealt with easily - and remember, when it comes to user input - you can NEVER be too paranoid... even if they are watching you.
