9

I'm looking for ways to protect our website from XSS attacks. At this point I am concerned about sanitizing/protecting the input only. I am aware of the need to encode the output, but that's out of the scope of this question.

A few things to bear in mind:

  • My web does not accept user-generated HTML at all.
  • I have Validate Request set to true.

I know that Microsoft recommends not to rely on Validate Request exclusively. However, I'd like to know why. Embarking on an input sanitization project will involve a fair amount of time and money which I need to justify to the business.

I have been researching actual examples of how to attack the Validate Request protection. All I have come up with is this. However, I have been unable to reproduce it on my site.

2 Answers

6

Yes, Microsoft recommends that you don't rely on Validate Request because

Only you can define what represents good input for your application.

I recommend you read the How To: Prevent Cross-Site Scripting in ASP.NET guideline. It is possibly the best thing I have read from Microsoft on the topic of XSS.

Another thing you can use to sanitize input is the Microsoft Web Protection Library. It is easy to integrate into existing applications, and it is quite a mature project that I personally rely on.


3 Comments

Thanks for the answer and the link. I was aware of the 'AntiXss' library as well. It's just a question of estimating actual effort vs cost so I can justify it to the business. That's why I needed a bit more information as to why Validate Request is not enough.
@mkorman no one will tell you exactly why you cannot rely on this standard ASP.NET feature, because the answer to this question depends on the context in which you want to use it. It is up to you to decide whether you need additional input validation.
Fair enough. I would then rephrase my question to "when is Validate Request enough and when is it not?". Microsoft's statement seems to indicate that it is never enough, which means that context is irrelevant.
0

Cross-site scripting can be fixed by encoding incoming parameters and also by validating them with a customized regex.

For example: Encode.forHtml(inputParam)

There are several types of context-based encoding in the OWASP Encoder. If you're not sure about the encoder or validation patterns, try the cross-site scripting validator below to make sure you take the right approach to a fix.

XSS validator for Java: http://fixforscrossite.us-east-2.elasticbeanstalk.com/

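The two answers above make two separate points: the first, that a built-in blacklist check can never know what "good input" means for a particular field, and the second, that output has to be encoded for the context it lands in. The following is an added example, written for this thread and not code from either answer or from Microsoft or OWASP. It is plain Node.js rather than ASP.NET so it can be run anywhere; the `rejectedByRequestValidation` function is an assumption-level approximation of the documented ASP.NET 4 request validation rule (reject `<` followed by a letter, `!`, `/` or `?`, and the `&#` sequence), not Microsoft's implementation, and the field names, rules and payloads are constructed for the demonstration. It shows that a payload with no angle brackets sails through the blacklist, is stopped by a per-field allow-list, and is rendered harmless by attribute-context encoding.

```javascript
// Added example (not from the question or answers above). Node.js, no dependencies.
// Contrasts: (1) a blacklist in the spirit of ASP.NET request validation,
// (2) per-field allow-list validation, (3) context-aware output encoding.

// (1) Assumption: approximates the documented ASP.NET 4 request validation rule
// (reject '<' followed by a letter, '!', '/', '?' and the '&#' sequence).
// This is NOT Microsoft's implementation.
function rejectedByRequestValidation(value) {
  return /<[A-Za-z!\/?]/.test(value) || value.includes("&#");
}

// (2) Allow-list validation: each field declares what GOOD input looks like and
// everything else is rejected. Field names and rules are illustrative.
const FIELD_RULES = {
  username: /^[A-Za-z0-9_]{3,20}$/,
  quantity: /^[0-9]{1,4}$/,
  comment: /^[\p{L}\p{N} .,!?'-]{1,500}$/u,
};

function isValidField(name, value) {
  const rule = FIELD_RULES[name];
  if (!rule) throw new Error(`no allow-list rule defined for field "${name}"`);
  return rule.test(value);
}

// (3a) Encoding for an HTML text context (between tags).
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// (3b) Encoding for an HTML attribute value: every non-alphanumeric character
// becomes a numeric entity, so the value can never close the surrounding quote.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/g,
    (c) => `&#x${c.charCodeAt(0).toString(16).toUpperCase()};`);
}

// A template that reflects a request parameter into an attribute, encoded for
// that context (the template, not the encoder, chooses the context).
function renderUsernameInput(value) {
  return `<input name="username" value="${encodeForHtmlAttribute(value)}">`;
}

// Constructed payloads for the demonstration.
const SCRIPT_PAYLOAD = "<script>alert(1)</script>";
// No '<' and no '&#', so a request-validation style blacklist does not flag it,
// yet inside an unencoded attribute it would close the quote and add a handler.
const ATTRIBUTE_PAYLOAD = '" autofocus onfocus="alert(document.cookie)';

function demo() {
  return {
    scriptBlockedByRequestValidation: rejectedByRequestValidation(SCRIPT_PAYLOAD),
    attributeBlockedByRequestValidation: rejectedByRequestValidation(ATTRIBUTE_PAYLOAD),
    attributeBlockedByAllowList: !isValidField("username", ATTRIBUTE_PAYLOAD),
    rendered: renderUsernameInput(ATTRIBUTE_PAYLOAD),
  };
}

console.log(demo());
```

Running it prints that the `<script>` payload is caught by the blacklist while the attribute payload is not, that the allow-list rejects the attribute payload anyway, and that the rendered `<input>` contains only the two quote characters the template itself wrote. The point for the cost discussion in the question: the blacklist and the allow-list stop different things, and neither replaces encoding at the point of output.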
