Preventing Injection Attacks in ASP.NET

Script injection attacks occur when a hacker takes a few lines of malicious programming code and enters it in to a form on our Website and then submits the form. If the Website is data driven then chances of risk is more on the Website. Hackers will often inject scripts in to our forms to try and make the system fooled in to thinking that they are valid users in order to delete data or change data or access data from database.

The basic technique for a script injection attack is for the client to submit content with embedded scripting tags. These scripting tags can include <script>, <object>, <applet>, and . Although the application can specifically check for these tags and use HTML encoding to replace the tags with harmless HTML entities, that basic validation often is not performed.

The following commonly used HTML tags (not an exhaustive list), could allow a malicious user to inject script code:

<applet>
<body>
<embed>
<frame>
<script>
<frameset>
<html>
<iframe>
<img>
<style>
<layer>
<link>
<ilayer>
<meta>
<object> 

>

An attacker can use HTML attributes such as src, lowsrc, style, and href in conjunction with the preceding tags to inject cross-site scripting.

Request Validation

Script injection attacks are a concern for all web developers, whether they are using ASP.NET, ASP, or any other web development technologies. ASP.NET includes a feature designed to automatically combat script injection attacks, known as request validation. Request validation checks the posted form input and raises an error if any potentially malicious tags ( such as <script> ) are found. In fact, request validation disallows any nonnumeric tags, including HTML tags (such as <b> and <img>), and tags that do not correspond to anything (such as <xyz>).

To test the script validation features, we can create a simple web page like the one shown below.

If we try to enter a block of content with a script tag and then click the button, ASP.NET will detect the potentially dangerous value and generate an error.


Disabling Request Validation

There may be such a situation where users have a genuine need to specify HTML tags (for example, an advertisement purpose) or a block of XML data. In these situations we need to specifically disable script validation using the ValidateRequest Page directive, as shown below.

<%@ Page ValidateRequest="false" Language="C#" AutoEventWireup="true"
CodeFile="Default.aspx.cs" Inherits="_Default" %>

We can also disable request validation for an entire web application by modifying the web.config file. We need to add or set the validateRequest attribute of the <pages> element, as shown here.

<configuration>
    <appSettings/>
    <connectionStrings/>
    <system.web>
      <pages validateRequest="false"/>
    </system.web>
</configuration>

The following screenshot is showing what will happen when a user clicks on the submit button.

  protected void btnSubmit_Click(object sender, EventArgs e)
  {
      Response.Write(txtInput.Text);
  }

Encode Output

Use the HttpUtility.HtmlEncode method to encode output if it contains input from the user or from other sources such as databases. HtmlEncode replaces characters that have special meaning in HTML-to-HTML variables that represent those characters. For example, < is replaced with < and ” is replaced with “. Encoded data does not cause the browser to execute code. Instead, the data is rendered as harmless HTML.

To prevent a script injection attack from happening when request validation is turned off, we need to explicitly encode the content before we display it using the Server object.

protected void btnSubmit_Click(object sender, EventArgs e)
{
  Response.Write("Entered Input is: "+Server.HtmlEncode(txtInput.Text));
}

The following screenshot is showing the output of the above mentioned code.

It is clear that script injection is a big concern to the developers and to protect our pages from the hand of hackers we should not consider only request validation, but also should not forget to use HtmlEncode wherever applicable. It should be noted that we can disable request validation on a page-b, we should use proper numeric validation, range validation and avoiding some characters such as “*”, “%”, “@”, or “!” in order to prevent script injection.

Further reading:

How To: Protect From Injection Attacks in ASP.NET

Advertisements

ASP.NET Control : Warning the User when Caps Lock is On

Many of the websites (e.g. Online Banking websites) have a secure area which is only accessible to the user after he provides correct Username/Password. Some of them have case-sensitive passwords.

If a user is not aware (while entering the password) whether his CAPS lock key is ON then his login will fail as the password is case-sensitive.

This is one of the features in Windows based applications that was lacking in Web based application. You all might have noticed it while logging in Windows XP/Windows Server 2003, that a “Speak-out” bubble is displayed with a message that “CAPS Lock is On” while entering the password if the CAPS lock is On.

This feature was highly desired in Web Applications until today when i came across a nice article at 4GuysFromRolla about an ASP.NET control which provides the exact functionality.

Scott Mitchell has explained the working of this control in detail in this article.

Here is the link to the article: [ Warning the User when Caps Lock is On ]