Saturday, 12 May 2012

cross-site scripting in asp.net

Step 1) Add 3 controls to a WebPage (default.aspx):
              1.1) TextBox
              1.2) Button control & event handler
              1.3) Label

As shown below

    <form id="form1" runat="server">
    <div>
        <asp:TextBox ID="TextBox1" runat="server"></asp:TextBox>
        <asp:Button ID="Button1" runat="server" Text="Button" OnClick="Button1_Click" />
        <asp:Label ID="Label1" runat="server" Text="Label"></asp:Label>
    </div>
    </form>


Step 2) Add the Button control's event handler as shown below (the label is set to the raw, unencoded textbox value)

        protected void Button1_Click(object sender, EventArgs e)
        {
            Label1.Text = TextBox1.Text;
        }


Step 3) Run the application (press F5).
  In the text box, enter: <script>alert("Hello");</script>
  Click the button: the alert box is displayed, because the submitted text was written into the label unencoded and the browser executed it as script.

Injected JavaScript is not limited to an alert box: it can call web services, WCF endpoints, or any other resource on the web server, in the context of the user viewing the page.

Otherwise (with ASP.NET request validation left enabled, which is the default), the script never reaches the page: the output would instead be the request validation error page.

ENABLE CROSS-SITE SCRIPTING (i.e. turn off ASP.NET request validation so the script reaches the page)

1) Page class / @Page directive: ValidateRequest="false"
2) web.config file (element names are case-sensitive; on .NET 4.0 and later requestValidationMode="2.0" is required, otherwise the pages setting is ignored):
          <system.web>
            <pages validateRequest="false">
            </pages>
            <httpRuntime requestValidationMode="2.0"/>
          </system.web>

DISABLE CROSS-SITE SCRIPTING
              Follow the reverse of the steps shown above (remove ValidateRequest="false" and the web.config overrides so request validation is back on).
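Added example, not from the original post: a small Python check that parses a web.config and reports the two settings shown above that switch request validation off. The sample configs are constructed inline, with the element names in their correct lower-case form.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the weakened configuration from the post.
WEAKENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages validateRequest="false"></pages>
    <httpRuntime requestValidationMode="2.0"/>
  </system.web>
</configuration>"""

# Constructed sample: defaults left in place (request validation enabled).
DEFAULT_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages></pages>
    <httpRuntime targetFramework="4.0"/>
  </system.web>
</configuration>"""


def audit_request_validation(config_xml: str) -> list:
    """Return findings describing how request validation is weakened in web.config."""
    root = ET.fromstring(config_xml)
    findings = []
    system_web = root.find("system.web")
    if system_web is None:
        return findings  # nothing overrides the (safe) defaults

    # <pages validateRequest="false"> turns validation off for every page.
    pages = system_web.find("pages")
    if pages is not None and pages.get("validateRequest", "true").lower() == "false":
        findings.append('pages validateRequest="false": request validation off for all pages')

    # requestValidationMode="2.0" restores the pre-4.0 behaviour so the
    # pages setting above actually takes effect on .NET 4.0 and later.
    runtime = system_web.find("httpRuntime")
    if runtime is not None and runtime.get("requestValidationMode", "") == "2.0":
        findings.append('httpRuntime requestValidationMode="2.0": pre-4.0 validation behaviour enabled')
    return findings


if __name__ == "__main__":
    for name, cfg in (("weakened", WEAKENED_CONFIG), ("default", DEFAULT_CONFIG)):
        print(name, audit_request_validation(cfg) or ["request validation left at defaults"])
```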


Step 4) Encoding text in ASP.NET web applications


Even though cross-site scripting is enabled in the web application (request validation is off), the developer can HTML-encode the textbox content before writing it to the page by using:

        protected void Button1_Click(object sender, EventArgs e)
        {
            Label1.Text = System.Web.HttpUtility.HtmlEncode(TextBox1.Text);
        }


Now the output would be the entered text shown literally on the page. After encoding, the user's JavaScript never executes, because characters such as < and > are emitted as &lt; and &gt; and the browser renders them as text rather than as markup.