Safe ASP.Net MVC application against cross site attacks - 1
Do you trust user input?!!!!!!!. If your answer is YES, stop reading and do something else. If your answer is NO, I think reading this article may help you to make your site more secure. All user's inputs can be a back door for attacker to attack your site. User's inputs that we will categorize as un-trusted inputs are :
Cross-Site Scripting and HTML Injection:
If an attacker can get our site to return some javascript to our visitors, then the attacker's script can take control of our visitors' browsing session and by this the attackers can collect the personal information(passwords, credit card details) of our visitors. There are two main ways an attacker follow to get this:
Razor HTML Encoding:
The Razor view engine helps protect us against XSS attacks by encoding any data that we refer to using the @ tag to make it safe to display as HTML. This means when we request an URL with a javascript code as a query string, Razor processes the query string value and replaces the special characters and rendering javascript code as a simple text.
Razor view engine treats the contents of MvcHtmlString objects as if they were encoded, even when that is not the case. We can use Html.Raw helper method to include our HTML into the web page without it being encoded.
Request Validation:
The goal of request validation is to stop potentially dangerous data ever reaching the application. If the user tries to submit data that looks like it might be HTML, Then ASP.Net throws an exception.This happens before the request is passed to the MVC Framework, so our application never receives the data the user has sent. But The problem with Request Validation is that it rejects any data even slightly resembling an HTML tag, and this can include valid data.
In ASP.Net MVC Framework, request validation is enabled by default. You can disable it by decorate your controller/action method by ValidateInput attribute and passing false to it. If you decorate the controller with it, that means you enabled/disabled request validation for all action methods within this controller(of course not recommended). If you decorate the action method by that attribute, that means you enabled/disabled request validation for all posted data/model properties. Also you can disable request validation for a specific property by decorate it with AllowHtml attribute.
JavaScript String Encoding and XSS:
So what if we want to accept javascript code from the user, i.e post a question on stackoverflow. of course we don't want to refuse it or disable request validation totally. Fortunately, the Ajax helper class has method called JavaScriptStringEncode, which encodes a string so that it safe to display and escapes characters so that JavaScript will understand it. In such case we have to use Html.Raw method around the result generated by the Ajax helper method. If we don't do this, then Razor HTML encodes the result, and we are back where we started.
- Incoming URLs including Request.QueryString[] values
- Form post data (Request.Form[] values including values from hidden fields and disabled fields)
- Cookies
- Data in HTTP Headers (such as Request.UserAgent and Request.UrlReferrer).
Cross-Site Scripting and HTML Injection:
If an attacker can get our site to return some javascript to our visitors, then the attacker's script can take control of our visitors' browsing session and by this the attackers can collect the personal information(passwords, credit card details) of our visitors. There are two main ways an attacker follow to get this:
- Persistently: by entering formed malicious input into some feature and hoping we will store it into our database and then issue it back to other visitors.
- Non-persistently or Passively : by finding a way of sending malicious data in a request to our application and having our application echo that data back in it is response. The attacker then finds a way to trick a victim into making such a request.
Razor HTML Encoding:
The Razor view engine helps protect us against XSS attacks by encoding any data that we refer to using the @ tag to make it safe to display as HTML. This means when we request an URL with a javascript code as a query string, Razor processes the query string value and replaces the special characters and rendering javascript code as a simple text.
Razor view engine treats the contents of MvcHtmlString objects as if they were encoded, even when that is not the case. We can use Html.Raw helper method to include our HTML into the web page without it being encoded.
Request Validation:
The goal of request validation is to stop potentially dangerous data ever reaching the application. If the user tries to submit data that looks like it might be HTML, Then ASP.Net throws an exception.This happens before the request is passed to the MVC Framework, so our application never receives the data the user has sent. But The problem with Request Validation is that it rejects any data even slightly resembling an HTML tag, and this can include valid data.
In ASP.Net MVC Framework, request validation is enabled by default. You can disable it by decorate your controller/action method by ValidateInput attribute and passing false to it. If you decorate the controller with it, that means you enabled/disabled request validation for all action methods within this controller(of course not recommended). If you decorate the action method by that attribute, that means you enabled/disabled request validation for all posted data/model properties. Also you can disable request validation for a specific property by decorate it with AllowHtml attribute.
JavaScript String Encoding and XSS:
So what if we want to accept javascript code from the user, i.e post a question on stackoverflow. of course we don't want to refuse it or disable request validation totally. Fortunately, the Ajax helper class has method called JavaScriptStringEncode, which encodes a string so that it safe to display and escapes characters so that JavaScript will understand it. In such case we have to use Html.Raw method around the result generated by the Ajax helper method. If we don't do this, then Razor HTML encodes the result, and we are back where we started.
1 2
Comments
Post a Comment