Safe ASP.Net MVC application against cross site attacks - 1

-
Do you trust user input?!!!!!!!. If your answer is YES, stop reading and do something else. If your answer is NO, I think reading this article may help you to make your site more secure. All user's inputs can be a back door for attacker to attack your site. User's inputs that we will categorize as un-trusted inputs are :
  • Incoming URLs including Request.QueryString[] values
  • Form post data (Request.Form[] values including values from hidden fields and disabled fields)
  • Cookies
  • Data in HTTP Headers (such as Request.UserAgent and Request.UrlReferrer).
Your site could be attacked by altring the query string, form values, or cookies data. The solution is not to prevent request manipulation but to check that each request is a legal request for the logged-in visitor.

Cross-Site Scripting and HTML Injection:
If an attacker can get our site to return some javascript to our visitors, then the attacker's script can take control of our visitors' browsing session and by this the attackers can collect the personal information(passwords, credit card details) of our visitors. There are two main ways an attacker follow to get this:

  1. Persistently:  by entering formed malicious input into some feature and hoping we will store it into our database and then issue it back to other visitors.
  2. Non-persistently or Passively : by finding a way of sending malicious data in a request to our application and having our application echo that data back in it is response. The attacker then finds a way to trick a victim into making such a request.

Razor HTML Encoding:
The Razor view engine helps protect us against XSS attacks by encoding any data that we refer to using the @ tag to make it safe to display as HTML. This means when we request an URL with a javascript code as a query string, Razor processes the query string value and replaces the special characters and rendering javascript code as a simple text.

Razor view engine treats the contents of MvcHtmlString objects as if they were encoded, even when that is not the case. We can use Html.Raw helper method to include our HTML into the web page without it being encoded.

Request Validation:
The goal of request validation is to stop potentially dangerous data ever reaching the application. If the user tries to submit data that looks like it might be HTML, Then ASP.Net throws an exception.This happens before the request is passed to the MVC Framework, so our application never receives the data the user has sent. But The problem with Request Validation is that it rejects any data even slightly resembling an HTML tag, and this can include valid data.

In ASP.Net MVC Framework, request validation is enabled by default. You can disable it by decorate your controller/action method by ValidateInput attribute and passing false to it. If you decorate the controller with it, that means you enabled/disabled request validation for all action methods within this controller(of course not recommended). If you decorate the action method by that attribute, that means you enabled/disabled request validation for all posted data/model properties. Also you can disable request validation for a specific property by decorate it with AllowHtml attribute.

JavaScript String Encoding and XSS:
So what if we want to accept javascript code from the user, i.e post a question on stackoverflow. of course we don't want to refuse it or disable request validation totally. Fortunately, the Ajax helper class has method called JavaScriptStringEncode, which encodes a string so that it safe to display and escapes characters so that JavaScript will understand it. In such case we have to use Html.Raw method around the result generated by the Ajax helper method. If we don't do this, then Razor HTML encodes the result, and we are back where we started.

1 2

Comments

Post a Comment

Popular posts from this blog

ASP.Net MVC : ActionLink with bootstrap icon

-
Image
How many times you wanted to add an icon to your action link?!. using Html.ActionLink method is not possible to add icon as it renders the link with just HtmlAttribute you provide. ex : @Html.ActionLink("My Link","actionName","controllerName",new {id = Model.Id}, new {style="margin:10px", @class="btn btn-info"}); this will be rendered as shown in   if I want to add icon using bootstrap css classes, I can not use HtmlHelper methods and have to use plain html tags like this <a href="url-here" class="btn btn-info" style="margin:10px;">         <i class="glyphicon glyphicon-pencil"></i>         <span>My Link</span>     </a> this will be rendered  as so to simplify my .cshtml file and make it easy for developers to add icon to their action links, I have created an extension method IconActionLink that will replace the previous html sinppe
Read more

ASP.Net MVC : Conditional Validation using ValidationAttribute

-
In ASP.Net MVC we can validate each input field by decorating the corresponding property in the model class with some validation attributes like Required , MaxLength , MinLength ,...etc. Sometime we need to validate a property according to another property value for example if we have a registration form and we need the user enter his age if he is a male and age not required if the user sex is female. So if we decorated the Age property with Required attribute it will show error message even if the user is female, so we need to bypass this check with females. Assume our registration form will contains three fields, name, sex and age, and its model will be as follows public class RegisterationModel { [Required(ErrorMessage = "*")] public String Name { get; set; } [Required(ErrorMessage = "*")] [Display(Name = "Gender")] public Sex Sex { get; set; } [RequiredIf("Sex", Sex.Male, "enter your age")] pu
Read more

Android : How to change progress bar color at runtime programmatically?

-
Image
I faced this problem while creating one of my android applications(in fact, it is my first application :) ). Lets consider we want to create an android application to calculate the commitments progress of a certain category for http://area51.stackexchange.com/  website ( note we will display a progress bar with one color red or green for simplicity ). Each time we run this application it calculate the commitment percentage and display a red progress bar if it is less than 50% or green one if it equal or greater than 50%. For learning purpose we will insert the number of total required committed users and the number of committed users and calculate the progress of commitment process. Now lets write our code. If it is your first android application you can refer to this post to know how to create an android application.        How to create the full layout of this simple application is beyond this post, we will concentrate on the progress bar. The following code snippet is the
Read more