How ASP.NET MVC prevents Cross-site scripting (XSS) attacks

This blog post explains Cross-site scripting in a little more detail and how ASP.NET MVC prevents it to an extent.

A Cross-site scripting attack is the act of injecting attacker-controlled code (typically JavaScript, but other kinds of content can be injected too) into a website. The impact ranges from an inconvenience to fatal damage.

An example of an inconvenience would be a website that allows users to post comments, where a user deliberately posts a comment containing JavaScript that alerts 'I just did an XSS attack successfully' 1000 times in a loop.

An example of fatal damage would be a bank website that allows users to post comments, where a user deliberately posts a comment containing JavaScript that makes a request to a suspicious site (note that this request carries the banking website's cookie information, since the code is running on the banking website's page). The suspicious site could then steal your banking website cookies and other valuable information. Browsers have a safeguard mechanism (the Same-origin policy) to stop this from happening, but of course there are workarounds and server-side vulnerabilities that an attacker can leverage.

A simple way to avoid this attack is to HTML-encode the content, i.e. turn it into something the browser does not treat as HTML. Beginning with ASP.NET MVC 2, the view engines encode the string so that any HTML inside it is rendered as plain text, e.g. <div> becomes &lt;div&gt; and <script> becomes &lt;script&gt;, so the user doesn't get a chance to inject their own HTML code.

Syntax for HTML encoding

1. <%: model.something %> syntax in WebForms

2. It is automatic in Razor, i.e. @model.something is encoded automatically; there is no need to do anything extra to encode it.

3. MVC 3 HTML Helper methods return the encoded string automatically, e.g. Html.Label will return the encoded string.

If you don't need to encode, use the following syntax

1. <%= %> syntax in WebForms

2. Html.Raw syntax in Razor

3. Return an MvcHtmlString from the code to stop MVC from encoding it.

One can also stop accepting content that contains HTML on the server side (ASP.NET configuration that rejects such input), but there are requirements where we need to accept that content and display it in a safe manner, and the above is useful for those cases.
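To show how the two rules above fit together, here is an added example (not code from the original post): a hypothetical custom HTML helper that renders a user comment by HTML-encoding the untrusted parts and returning an MvcHtmlString, so Razor's @ does not encode the finished markup a second time. The helper name, the markup shape and the view usage in the comments are assumptions.

```csharp
using System.Web;
using System.Web.Mvc;

// Added example, not from the original post. A hypothetical helper that
// applies the two rules the post describes:
//   1) untrusted input is HTML-encoded before it reaches the page;
//   2) markup that is already safe is wrapped in MvcHtmlString so that
//      Razor's @ (or WebForms' <%: %>) does not encode it again.
public static class CommentHtmlExtensions
{
    // Renders one comment as <div class="comment" data-author="..."><b>author</b>: text</div>
    public static MvcHtmlString UserComment(this HtmlHelper html, string author, string text)
    {
        // SetInnerText encodes the value it is given, so an author name of
        // "<script>alert(1)</script>" is emitted as
        // "&lt;script&gt;alert(1)&lt;/script&gt;" and shown as text, not run.
        var name = new TagBuilder("b");
        name.SetInnerText(author);

        var container = new TagBuilder("div");
        container.AddCssClass("comment");
        // Attribute values need encoding too; MergeAttribute encodes the value
        // when the tag is rendered.
        container.MergeAttribute("data-author", author);
        // The comment body is encoded explicitly before it is concatenated
        // into InnerHtml, which is otherwise emitted verbatim.
        container.InnerHtml = name.ToString(TagRenderMode.Normal)
                            + ": "
                            + HttpUtility.HtmlEncode(text);

        // Every untrusted piece is already encoded, so tell MVC not to encode
        // the result again. Wrapping the raw 'text' in MvcHtmlString.Create
        // directly would reintroduce the XSS the post warns about.
        return MvcHtmlString.Create(container.ToString(TagRenderMode.Normal));
    }
}

// Usage in a Razor view (assumed): @Html.UserComment(item.Author, item.Text)
// Passing the same output through @Html.Encode(...) instead would double-encode
// it and the page would display &lt;div&gt; literally; passing the raw comment
// text through @Html.Raw(...) would skip encoding entirely.
```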

About Thiru

I'm a full stack developer and have held roles in engineering & product.
