
HTML script calling my ASP.NET code-behind Page_Load event, that is my problem

I have the ASP.NET page below:

<%@ Page Language="C#" AutoEventWireup="true" Inherits="search_function" Codebehind="search_function.aspx.cs" %>

And here is the ASP.NET C# code-behind:

protected void Page_Load(object sender, EventArgs e)
{
    try
    {
        PerformSearch();
    }
    catch (Exception ex)
    {
        // Report the failure, then run the search again
        Util.SendErrorEmail(ex);
        PerformSearch();
    }
}

and this JS file has an Ajax call to search_function:

$.ajax({
    url: BasePath + 'search_function.aspx',
    data: 'action=search&value=' + t.value,
    type: 'post',
    cache: false,
    success: function (html) {
        results.stop().show().fadeTo(250, 1);
        results.html(html);
        spinner.html("");
        var addValue = 200;
        if ($('#ctl00_cph_searchControl_hidIsIndex').val() == "1") {
            addValue = -450;
        }
        results.css({
            "position": "absolute",
            "top": "107px"
            //"left": $('#search').position().left + addValue + "px"
        });
        // alert(window.location);
        BindResultsHover();  // bind our results hover listener to the new results
    }
});

This is working fine, but the HTML script below is calling my Page_Load event and I am getting alert 1:

<html>
<body>
<form action=http://localhost:51503/search_function.aspx method="POST">
<input type="hidden" name="action" value="search" />
<input type="hidden" name="value" value="1&quot;onfocus=&quot;alert`1`&quot;autofocus=&quot;" />
<input type="submit" value="Submit request" />
 </form>
 <script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>

I have tried IsValid at the Page_Load event, but this XSS script is still calling my page.

  • Please clarify your specific problem or provide additional details to highlight exactly what you need. As it's currently written, it's hard to tell exactly what you're asking. Commented May 6, 2024 at 11:17
  • Please clarify the question and provide additional details. The Way I see it:- Your ASPX page can be called three times:- 1. Via Ajax Code. 2. When the form Submit button is clicked. 3. When your script element runs on the page it will automatically submit the form (document.forms[0].submit) Commented May 7, 2024 at 16:25
  • @GauravShah the HTML (external) scripts are executing my code; how can I secure it? Commented May 8, 2024 at 3:26
  • @user24846708:- Due to the comment character limitation, I am posting my reply as an Answer Commented May 8, 2024 at 8:18

1 Answer

@user24846708:- Scripts are not a bad thing unless they are being used for malicious purposes (XSS being one of them). You need to understand your requirements clearly. You need to have complete clarity regarding what code to write and where to write it.

Ajax calls, for example, provide a performance benefit, as only a part of your page is refreshed and not the entire page, and you still get the output that you need.

For example:- If there is business logic which will validate a user's login password, then that code should be executed on the server (using C#, in your case). It will also probably make a database call to check the password. You can use scripts, for example, to show a validation message that the password cannot be empty.

Scripts execute in the browser while C# code executes on the server. If the code is executed on the server, the logic is hidden from the user.

I believe what you are asking is how to secure your website and how to write code using security best practices. This is a vast topic and cannot be explained here, but I will provide a few links for your reference.

XSS:- https://www.geeksforgeeks.org/what-is-cross-site-scripting-xss/

XSS Prevention:- https://www.esecurityplanet.com/endpoint/prevent-xss-attacks/

C# Best Security Practices:- https://learn.microsoft.com/en-us/dotnet/standard/security/ , https://www.c-sharpcorner.com/article/c-sharp-security-best-practices-for-secure-coding/
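What the form in the question actually demonstrates, and what the XSS-prevention links in the answer are about, as an added example that is not part of the original question or answer: search_function.aspx accepts a plain cross-site form POST (there is no anti-forgery check, `Page.IsValid` only reports on validator controls, and ASP.NET request validation looks for `<` tags, which this payload does not contain), and it reflects the `value` field into an HTML attribute without encoding, so the double quote in `1"onfocus="alert`1`"autofocus="` closes the attribute and injects an event handler. The C# below is a console program so it runs without IIS; it assumes the results fragment is built as a string in the code-behind and that the only legitimate caller is the page's own jQuery `$.ajax` request (jQuery adds `X-Requested-With: XMLHttpRequest` to same-origin requests). The `SearchHardening` class and its method names are assumptions for illustration; the payload is the one from the question, embedded as a constructed test input.

```csharp
using System;
using System.Collections.Specialized;
using System.Net;

// Added illustration, not the original poster's code. Assumed names:
// SearchHardening, RenderUnsafe, RenderSafe, IsSameSiteAjax.
static class SearchHardening
{
    // The hidden field value from the attacker's form in the question,
    // reproduced here as a constructed test input.
    public const string Payload = "1\"onfocus=\"alert`1`\"autofocus=\"";

    // VULNERABLE: the search term is concatenated straight into a quoted
    // attribute. The first " in Payload terminates value="1", and the rest
    // of the string is parsed by the browser as new attributes, including
    // an onfocus handler that autofocus then triggers.
    public static string RenderUnsafe(string value)
    {
        return "<input class=\"q\" value=\"" + value + "\">";
    }

    // HARDENED: HTML-encode before concatenating. WebUtility.HtmlEncode turns
    // " into &quot; (and &, <, >, ' into entities), so the value can no longer
    // close the attribute. Inside System.Web you can use
    // HttpUtility.HtmlAttributeEncode for the same purpose.
    public static string RenderSafe(string value)
    {
        return "<input class=\"q\" value=\"" + WebUtility.HtmlEncode(value) + "\">";
    }

    // CSRF mitigation for an Ajax-only endpoint: a plain <form> submission from
    // another site cannot set X-Requested-With (a cross-origin XMLHttpRequest
    // would need CORS approval to send it), and browsers label cross-site
    // requests with Sec-Fetch-Site: cross-site. Reject anything that is not
    // the page's own same-origin XHR. This is a request check, not a substitute
    // for encoding the output.
    public static bool IsSameSiteAjax(NameValueCollection headers)
    {
        bool xhr = string.Equals(headers["X-Requested-With"], "XMLHttpRequest",
                                 StringComparison.OrdinalIgnoreCase);
        string site = headers["Sec-Fetch-Site"];
        bool crossSite = site != null &&
                         string.Equals(site, "cross-site", StringComparison.OrdinalIgnoreCase);
        return xhr && !crossSite;
    }

    // How the code-behind would use the two helpers (needs System.Web, so it is
    // shown as a comment; a Page cannot run outside IIS / IIS Express):
    //
    // protected void Page_Load(object sender, EventArgs e)
    // {
    //     if (!SearchHardening.IsSameSiteAjax(Request.Headers))
    //     {
    //         Response.StatusCode = 403;
    //         Response.End();   // or CompleteRequest() to avoid the ThreadAbortException
    //         return;
    //     }
    //     string value = Request.Form["value"] ?? "";
    //     Response.Write(SearchHardening.RenderSafe(value));
    // }

    static void Main()
    {
        Console.WriteLine("Unencoded: " + RenderUnsafe(Payload));
        Console.WriteLine("Encoded:   " + RenderSafe(Payload));

        // Constructed header sets: what the attacker's form post carries versus
        // what the page's own $.ajax call carries.
        var attackerFormPost = new NameValueCollection { { "Sec-Fetch-Site", "cross-site" } };
        var ownAjaxCall = new NameValueCollection
        {
            { "X-Requested-With", "XMLHttpRequest" },
            { "Sec-Fetch-Site", "same-origin" }
        };
        Console.WriteLine("Attacker form post accepted: " + IsSameSiteAjax(attackerFormPost));
        Console.WriteLine("Own Ajax call accepted:      " + IsSameSiteAjax(ownAjaxCall));
    }
}
```

Encode every piece of user-controlled text that PerformSearch writes into the results fragment, not only the echoed search term, and encode for the context it lands in (attribute, element body, or JavaScript). The header check only stops the cross-site form submission; a legitimate user typing the same payload into the search box would still reach the page, which is why the encoding is the real fix.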
