Preventing Injection Attacks in ASP.NET

Script injection attacks occur when an attacker enters a few lines of malicious code into a form on our website and submits it. If the website is data driven, the risk is greater. Attackers often inject scripts into our forms to fool the system into treating them as valid users, so that they can delete, change, or read data in the database.

The basic technique for a script injection attack is for the client to submit content with embedded scripting tags. These scripting tags can include <script>, <object>, <applet>, and . Although the application can specifically check for these tags and use HTML encoding to replace the tags with harmless HTML entities, that basic validation often is not performed.

The following commonly used HTML tags (not an exhaustive list) could allow a malicious user to inject script code:



An attacker can use HTML attributes such as src, lowsrc, style, and href in conjunction with the preceding tags to inject cross-site scripting.

Request Validation

Script injection attacks are a concern for all web developers, whether they are using ASP.NET, ASP, or any other web development technology. ASP.NET includes a feature designed to automatically combat script injection attacks, known as request validation. Request validation checks the posted form input and raises an error if any potentially malicious tags (such as <script>) are found. In fact, request validation disallows any nonnumeric tags, including HTML tags (such as <b> and <img>) and tags that do not correspond to anything (such as <xyz>).

To test the request validation feature, we can create a simple web page like the one shown below.

If we try to enter a block of content with a script tag and then click the button, ASP.NET will detect the potentially dangerous value and generate an error.

Disabling Request Validation

There may be situations where users have a genuine need to submit HTML tags (for example, to post an advertisement) or a block of XML data. In these situations we need to explicitly disable request validation using the ValidateRequest attribute of the Page directive, as shown below.

<%@ Page ValidateRequest="false" Language="C#" AutoEventWireup="true"
CodeFile="Default.aspx.cs" Inherits="_Default" %>

We can also disable request validation for an entire web application by modifying the web.config file. We need to add or set the validateRequest attribute of the <pages> element, as shown here.

      <pages validateRequest="false"/>

The following screenshot shows what happens when a user clicks the submit button with request validation disabled and the handler writing the input back unencoded.

  protected void btnSubmit_Click(object sender, EventArgs e)
  {
      // Unencoded version (body reconstructed from the encoded handler below):
      // with request validation off, the raw input reaches the browser as markup
      Response.Write("Entered Input is: " + txtInput.Text);
  }

Encode Output

Use the HttpUtility.HtmlEncode method to encode output if it contains input from the user or from other sources such as databases. HtmlEncode replaces characters that have special meaning in HTML with the HTML entities that represent those characters. For example, < is replaced with &lt; and " is replaced with &quot;. Encoded data does not cause the browser to execute code. Instead, the data is rendered as harmless HTML.

To prevent a script injection attack from happening when request validation is turned off, we need to explicitly encode the content before we display it using the Server object.

protected void btnSubmit_Click(object sender, EventArgs e)
{
    // Encode before writing, so the input is displayed as text rather than parsed as markup
    Response.Write("Entered Input is: " + Server.HtmlEncode(txtInput.Text));
}

The following screenshot shows the output of the above code.
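As an added example (not code from the original post), the following stand-alone C# program contrasts the unencoded and encoded handlers above and also shows attribute encoding for the attribute contexts (src, href, style) mentioned earlier; the SafeOutput class and its method names are my own, and the input strings are constructed.

```csharp
// Added example, not from the original post. Console program; the form
// controls from the post are replaced by a constructed input string.
using System;
using System.Web; // HttpUtility: System.Web.dll on .NET Framework,
                  // System.Web.HttpUtility package on .NET Core / .NET 5+

static class SafeOutput
{
    // Mirrors the handler that runs with request validation disabled and
    // writes the raw input: the browser parses whatever tags the user sent.
    public static string RenderRaw(string input)
    {
        return "Entered Input is: " + input;
    }

    // Mirrors the hardened handler: HtmlEncode turns <, >, & and quotes
    // into entities, so the input is displayed as text inside element content.
    public static string RenderEncoded(string input)
    {
        return "Entered Input is: " + HttpUtility.HtmlEncode(input);
    }

    // Input placed inside an attribute value is a different context: a quote
    // in the input could otherwise terminate the attribute and start a new
    // one. Use HtmlAttributeEncode there, and keep user data out of
    // URL-bearing attributes (src, href) unless the scheme has been
    // validated separately, since encoding alone does not neutralise a URL.
    public static string RenderTitleAttribute(string input)
    {
        return "<span title=\"" + HttpUtility.HtmlAttributeEncode(input) + "\">item</span>";
    }

    public static void Main()
    {
        // Constructed sample of the kind of input request validation rejects.
        string payload = "<script>alert('x')</script>";
        Console.WriteLine(RenderRaw(payload));      // tags reach the browser as markup
        Console.WriteLine(RenderEncoded(payload));  // tags reach the browser as text

        // Constructed sample containing a double quote, which matters in attributes.
        Console.WriteLine(RenderTitleAttribute("say \"hi\" <b>"));
    }
}
```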

It is clear that script injection is a big concern for developers, and to protect our pages from attackers we should not rely on request validation alone, but also remember to use HtmlEncode wherever applicable. It should be noted that we can disable request validation on a page-by-page basis; where we do, we should use proper numeric validation and range validation, and avoid characters such as “*”, “%”, “@”, or “!”, in order to prevent script injection.

Further reading:

How To: Protect From Injection Attacks in ASP.NET


FancyUpload – AJAX Uploader with Progress Bar

FancyUpload is a file-input replacement which features an unobtrusive, multiple-file selection menu and queued upload with an animated progress bar.

It is easy to setup, is server independent, completely styleable via CSS and XHTML and uses MooTools to work in all modern browsers.

It is fully compatible with all A-Grade browsers (Internet Explorer 6+, Opera 9, Firefox 1.5+ and Safari 2+).


  • Select and upload multiple files
  • Filter files by type in the select dialog
  • Optional Events to add your own behaviour
  • Show and filter useful file information before the upload starts
  • Limit uploads by file count and/or file size
  • Platform and server independent, just needs Flash 8+ (> 95% penetration)
  • Unobtrusive, since the element is replaced only after the SWF has loaded successfully
  • Cancel running uploads, add files during upload
  • Everything is optional, documented and easily editable

[ Demo ] [ Website ]

IIS7 URLrewrite module

As usual with Microsoft lagging behind in the rat race (oops… the internet race!!), they have finally released the much-awaited URL rewriting module for IIS 7.

URLrewrite module for IIS7

I have been using Apache’s mod_rewrite for many years, and it was one of the numerous features of “The Mighty Open Source” web server, a.k.a. Apache, that put IIS to shame.

But I guess Microsoft is learning its lessons slowly.

Here’s the walkthrough to create and test a set of rewrite rules for the URL Rewrite module.

And guess what? IIS7’s URLrewrite module comes bundled with the functionality of importing Apache mod_rewrite Rules!

Import mod_rewrite rules

Now that’s great news for cross-platform web developers like me. I couldn’t have been happier! 🙂

It seems Microsoft is trying to win over the faith and support of the open source community! 😉
Whatever their intentions may be, keep up the good work Microsoft, and we all might soon start saying:

“I’m loving it…!!” 😉