How to: Protect Against Script Exploits

Protect Against Script Exploits in a Web Application

Most scripting exploits occur when users can get executable code (or script) into your application. By default, ASP.NET provides request validation, which raises an error if a form post contains any HTML.
You can help protect against script exploits in the following ways:

Perform parameter validation on form variables, query-string variables, and cookie values. This validation should include two types of verification: verification that the variables can be converted to the expected type (for example, convert to an integer, convert to date-time, and so on), and verification of expected ranges or formatting. For example, a form post variable that is intended to be an integer should be checked with the Int32.TryParse method to verify the variable really is an integer. Furthermore, the resulting integer should be checked to verify the value falls within an expected range of values.
Apply HTML encoding to string output when writing values back out to the response. This helps ensure that any user-supplied string input will be rendered as static text in the browsers instead of executable script code or interpreted HTML elements.

HTML encoding converts HTML elements using HTML–reserved characters so that they are displayed rather than executed.

To apply HTML encoding to a string

Before displaying strings, call the HtmlEncode method. HTML elements are converted into string representations that the browser will display rather than interpret as HTML.
The following example illustrates HTML encoding. In the first instance, the user input is encoded before being displayed. In the second instance, data from a database is encoded before being displayed.

Note

This example will only work if you disable request validation in the page by adding the @ Page attribute ValidateRequest="false". It is not recommended that you disable request validation in a production application, so make sure that you enable request validation again after viewing this example.

Examples

Examples of ASP.NET C# page

ASP.NET Code Input:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
    <head runat="server">
        <title>Sample Page</title>
        <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
        <%@ Page Language="C#" %>
        <script runat="server">
        // Define a handler for the button click.
        protected void SubmitBtn_Click(object sender, EventArgs e)
        {
            MySpan.InnerHtml = "HtmlEncode = " + Server.HtmlEncode(Server.HtmlEncode(MyTextBox.Text)) + ".";
        }
        </script>
    </head>
    <body>
        <form id="form1" runat="server">
            <h3>HtmlEncode Page Example</h3>
            <div>
                <table>
                    <tr>
                        <td>Enter String '&lt;' Only: </td>
                        <td> <asp:textbox id="MyTextBox" runat="server"/> </td>
                    </tr>
                    <tr>
                        <td>
                        <asp:Button id="MyButton" text="Click Here" onclick="SubmitBtn_Click" runat="server"/></td>
                    </tr>
                    <tr>
                        <td> <asp:CompareValidator ID="ValueValidator1" runat="server" ErrorMessage="ValueValidator" ControlToValidate="MyTextBox" ValueToCompare="<" /> </td>
                        <td><span id="MySpan" runat="server" /></td>
                    </tr>
                </table>
            </div>
        </form>
    </body>
</html>

HTTP Response Output:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
    <head><title>
	Sample Page
</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8" /></head>
    <body>
        <form method="post" action="./aspnetht_protectagainstscriptexploits_001a_01.aspx" onsubmit="javascript:return WebForm_OnSubmit();" id="form1">
<div class="aspNetHidden">
<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET" value="" />
<input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT" value="" />
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwULLTIxMzExNTkwMDdkZCh1UYC3hENj2ouNkNAeUXXZVucJ9VjA5HC/Ic7EuT37" />
</div>

<script type="text/javascript">
//<![CDATA[
var theForm = document.forms['form1'];
if (!theForm) {
    theForm = document.form1;
}
function __doPostBack(eventTarget, eventArgument) {
    if (!theForm.onsubmit || (theForm.onsubmit() != false)) {
        theForm.__EVENTTARGET.value = eventTarget;
        theForm.__EVENTARGUMENT.value = eventArgument;
        theForm.submit();
    }
}
//]]>
</script>


<script src="/sideway/WebResource.axd?d=c0VQ4AP-KK4FHoaOdcAZOCJhX3lppsLz7VfAgWyB2y5HqnBnSm15H8NFEFRPslCkG3DpC6-rf3gN1xqhjtS2DHh7wpbKtaEKERbM94a2ckY1&amp;t=637688112097945149" type="text/javascript"></script>


<script src="/sideway/WebResource.axd?d=KTG0uDevdKWz2OmyVNVBYJQUfGzYPcBkQtffgbcLMp-XUh_hG-KITZAyKQSMEEO5V_FNrBJTWz4n-JMWOTVY6pSHvvSjU3dqLkZyNqqMjuM1&amp;t=637688112097945149" type="text/javascript"></script>
<script type="text/javascript">
//<![CDATA[
function WebForm_OnSubmit() {
if (typeof(ValidatorOnSubmit) == "function" && ValidatorOnSubmit() == false) return false;
return true;
}
//]]>
</script>

<div class="aspNetHidden">

	<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="9C4D66ED" />
	<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEdAAPGxH00v12VbfJ2hGwsHmCk0e0Nr0U0RT07K3lzrTTZzszCeMQBMuEffVPlinxaUAbEZF5m5/C6swPjZFvTQVipVw6/qMycwLyAJ5r2zxBEIA==" />
</div>
            <h3>HtmlEncode Page Example</h3>
            <div>
                <table>
                    <tr>
                        <td>Enter String '&lt;' Only: </td>
                        <td> <input name="MyTextBox" type="text" id="MyTextBox" /> </td>
                    </tr>
                    <tr>
                        <td>
                        <input type="submit" name="MyButton" value="Click Here" onclick="javascript:WebForm_DoPostBackWithOptions(new WebForm_PostBackOptions(&quot;MyButton&quot;, &quot;&quot;, true, &quot;&quot;, &quot;&quot;, false, false))" id="MyButton" /></td>
                    </tr>
                    <tr>
                        <td> <span id="ValueValidator1" style="visibility:hidden;">ValueValidator</span> </td>
                        <td><span id="MySpan"></span></td>
                    </tr>
                </table>
            </div>
 <script type="text/javascript">
//<![CDATA[
var Page_Validators =  new Array(document.getElementById("ValueValidator1"));
//]]>
</script>

<script type="text/javascript">
//<![CDATA[
var ValueValidator1 = document.all ? document.all["ValueValidator1"] : document.getElementById("ValueValidator1");
ValueValidator1.controltovalidate = "MyTextBox";
ValueValidator1.errormessage = "ValueValidator";
ValueValidator1.evaluationfunction = "CompareValidatorEvaluateIsValid";
ValueValidator1.valuetocompare = "<";
//]]>
</script>


<script type="text/javascript">
//<![CDATA[

var Page_ValidationActive = false;
if (typeof(ValidatorOnLoad) == "function") {
    ValidatorOnLoad();
}

function ValidatorOnSubmit() {
    if (Page_ValidationActive) {
        return ValidatorCommonOnSubmit();
    }
    else {
        return true;
    }
}
        //]]>
</script>
</form>
    </body>
</html>

ASPX Web Page Embedded Output:

Examples of ASP.NET VB page