MVC :: Preventing JavaScript Injection Attacks. What is a JavaScript Injection Attack?

Similar documents
MVC :: Understanding Views, View Data, and HTML Helpers

MVC :: Understanding Models, Views, and Controllers

SharpShooter Reports.Web Getting Started (ASP.NET Web Application)

John Coggeshall Copyright 2006, Zend Technologies Inc.

Application vulnerabilities and defences

MVC :: Understanding Controllers, Controller Actions, and Action Results

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

When you create a new ASP.NET MVC application, the application is already configured to use URL Routing. URL Routing is setup in two places.

Web Application Security. Philippe Bogaerts

Exploiting and Defending: Common Web Application Vulnerabilities

Security: Threats and Countermeasures. Stanley Tan Academic Program Manager Microsoft Singapore

Web Application Attacks

PHP Security. Kevin Schroeder Zend Technologies. Copyright 2007, Zend Technologies Inc.

CS 161 Computer Security

Client Side Injection on Web Applications

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11


Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

CS 155 Project 2. Overview & Part A

CIS 4360 Secure Computer Systems XSS

Beware of Serialized GUI Objects Bearing Data. David Byrne Rohini Sulatycki

Types of XSS attacks. Persistent XSS. Non-persistent XSS

Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.

Web Security: Vulnerabilities & Attacks

C1: Define Security Requirements

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Copyright

This is CS50. Harvard College Fall Quiz 1 Answer Key

Evaluating the Security Risks of Static vs. Dynamic Websites

ASP.NET MVC Music Store Tutorial

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

CS 161 Computer Security


NET 311 INFORMATION SECURITY

WEB SECURITY: XSS & CSRF

ANZTB SIGIST May 2011 Perth OWASP How minor vulnerabilities can do very bad things. OWASP Wednesday 25 th May The OWASP Foundation

CSCE 813 Internet Security Case Study II: XSS

P2_L12 Web Security Page 1

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Information Security CS 526 Topic 8

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Project 2: Web Security

Web Security IV: Cross-Site Attacks

CS 161 Computer Security

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems

How to Build a Culture of Security

CROSS SITE PRINTING. Printer Spamming

Making the web secure by design

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Web Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le

Description: This feature will enable user to send messages from website to phone number.

Common Websites Security Issues. Ziv Perry

last time: command injection

Python For Hackers. Shantnu Tiwari. This book is for sale at This version was published on

Let's explore these events by creating master-detail AJAX grid views that link Products to Suppliers in Northwind database.

Some Facts Web 2.0/Ajax Security

Whatever it takes. Fixing SQLIA and XSS in the process. Diploma Thesis Outline Presentation, Florian Thiel

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Progress Exchange June, Phoenix, AZ, USA 1

Base64 The Security Killer

Avoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:

Assignment 6: Web Security

HTTP Security Headers Explained

Aguascalientes Local Chapter. Kickoff

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Spring 2014 Interim. HTML forms

Hack-Proofing Your ASP.NET Applications

The security of Mozilla Firefox s Extensions. Kristjan Krips

XSSFor the win! What can be really done with Cross-Site Scripting.

WebGoat Lab session overview

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

SECURE CODING ESSENTIALS

NerdDinner Step 1: File->New Project

CIS 3308 Logon Homework

Web Attacks Lab. 35 Points Group Lab Due Date: Lesson 16

CSCE 548 Building Secure Software SQL Injection Attack

MVC - Repository-And-Unit-Of-Work

Information Security CS 526 Topic 11

Securing Your Company s Web Presence

shortcut Tap into learning NOW! Visit for a complete list of Short Cuts. Your Short Cut to Knowledge

6.170 Tutorial 7 - Rails Security. Prerequisites. Goals of this tutorial. Resources

Pro ASP.NET MVC 2 Framework

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Tổng quan về ASP.NET MVC Framework

CS50 Quiz Review. November 13, 2017

CSC 482/582: Computer Security. Cross-Site Security

CSE 127 Computer Security

Web Programming. Based on Notes by D. Hollinger Also Java Network Programming and Distributed Computing, Chs.. 9,10 Also Online Java Tutorial, Sun.

CS 161 Computer Security

Web Vulnerabilities. And The People Who Love Them

Working with Controllers

Chat with a hacker. Increase attack surface for Pentest. A talk by Egor Karbutov and Alexey Pertsev

An analysis of security in a web application development process

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

CGI Programming. What is "CGI"?

Prevention Of Cross-Site Scripting Attacks (XSS) On Web Applications In The Client Side

Transcription:

MVC :: Preventing JavaScript Injection Attacks The goal of this tutorial is to explain how you can prevent JavaScript injection attacks in your ASP.NET MVC applications. This tutorial discusses two approaches to defending your website against a JavaScript injection attack. You learn how to prevent JavaScript injection attacks by encoding the data that you display. You also learn how to prevent JavaScript injection attacks by encoding the data that you accept. What is a JavaScript Injection Attack? Whenever you accept user input and redisplay the user input, you open your website to JavaScript injection attacks. Let s examine a concrete application that is open to JavaScript injection attacks. Imagine that you have created a customer feedback website (see Figure 1). Customers can visit the website and enter feedback on their experience using your products. When a customer submits their feedback, the feedback is redisplayed on the feedback page.

Figure 1 Customer Feedback Website The customer feedback website uses the controller in Listing 1. This controller contains two actions named Index() and Create(). Listing 1 HomeController.cs using System; using System.Web.Mvc; using CustomerFeedback.Models; namespace CustomerFeedback.Controllers

[HandleError] public class HomeController : Controller private FeedbackDataContext db = new FeedbackDataContext(); public ActionResult Index() return View(db.Feedbacks); public ActionResult Create(string message) // Add feedback var newfeedback = new Feedback(); newfeedback.message = message; newfeedback.entrydate = DateTime.Now; db.feedbacks.insertonsubmit(newfeedback); db.submitchanges(); // Redirect return RedirectToAction("Index"); The Index() method displays the Index view. This method passes all of the previous customer feedback to the Index view by retrieving the feedback from the database (using a LINQ to SQL query). The Create() method creates a new Feedback item and adds it to the database. The message that the customer enters in the form is passed to the Create() method in the message parameter. A Feedback item is created and the message is assigned to the Feedback item s Message property. The Feedback item is submitted to the database with the DataContext.SubmitChanges() method call. Finally, the visitor is redirected back to the Index view where all of the feedback is displayed. The Index view is contained in Listing 2.

Listing 2 Index.aspx <%@ Page Language="C#" MasterPageFile="~/Views/Shared/Site.Master" AutoEventWireup="true" CodeBehind="Index.aspx.cs" Inherits="CustomerFeedback.Views.Home.Index" %> <%@ Import Namespace="CustomerFeedback.Models" %> <asp:content ID="indexContent" ContentPlaceHolderID="MainContent" runat="server"> <h1>customer Feedback</h1> <p> Please use the following form to enter feedback about our product. </p> <form method="post" action="/home/create"> <label for="message">message:</label> <br /> <textarea name="message" cols="50" rows="2"></textarea> <br /><br /> <input type="submit" value="submit Feedback" /> </form> <% foreach (Feedback feedback in ViewData.Model) %> <p> <%=feedback.entrydate.toshorttimestring()%> -- <%=feedback.message%> </p> <% %> </asp:content> The Index view has two sections. The top section contains the actual customer feedback form. The bottom section contains a For..Each loop that loops through all of the previous customer feedback items and displays the EntryDate and Message properties for each feedback item.

The customer feedback website is a simple website. Unfortunately, the website is open to JavaScript injection attacks. Imagine that you enter the following text into the customer feedback form: <script>alert( Boo! )</script> This text represents a JavaScript script that displays an alert message box. After someone submits this script into the feedback form, the message Boo! will appear whenever anyone visits the customer feedback website in the future (see Figure 2). Figure 2 JavaScript Injection

Now, your initial response to JavaScript injection attacks might be apathy. You might think that JavaScript injection attacks are simply a type of defacement attack. You might believe that no one can do anything truly evil by committing a JavaScript injection attack. Unfortunately, a hacker can do some really, really evil things by injecting JavaScript into a website. You can use a JavaScript injection attack to perform a Cross-Site Scripting (XSS) attack. In a Cross-Site Scripting attack, you steal confidential user information and send the information to another website. For example, a hacker can use a JavaScript injection attack to steal the values of browser cookies from other users. If sensitive information -- such as passwords, credit card numbers, or social security numbers is stored in the browser cookies, then a hacker can use a JavaScript injection attack to steal this information. Or, if a user enters sensitive information in a form field contained in a page that has been compromised with a JavaScript attack, then the hacker can use the injected JavaScript to grab the form data and send it to another website. Please be scared. Take JavaScript injection attacks seriously and protect your user s confidential information. In the next two sections, we discuss two techniques that you can use to defend your MVC applications from JavaScript injection attacks. Approach #1: HTML Encode in the View One easy method of preventing JavaScript injection attacks is to HTML encode any data entered by website users when you redisplay the data in a view. The updated Index view in Listing 3 follows this approach. Listing 3 Index.aspx (HTML Encoded) <%@ Page Language="C#" MasterPageFile="~/Views/Shared/Site.Master" AutoEventWireup="true" CodeBehind="Index.aspx.cs" Inherits="CustomerFeedback.Views.Home.Index" %> <%@ Import Namespace="CustomerFeedback.Models" %> <asp:content ID="indexContent" ContentPlaceHolderID="MainContent" runat="server"> <h1>customer Feedback</h1> <p> Please use the following form to enter feedback about our product. </p> <form method="post" action="/home/create"> <label for="message">message:</label> <br /> <textarea name="message" cols="50" rows="2"></textarea> <br /><br /> <input type="submit" value="submit Feedback" />

</form> <% foreach (Feedback feedback in ViewData.Model) %> <p> <%=feedback.entrydate.toshorttimestring()%> -- <%=Html.Encode(feedback.Message)%> </p> <% %> </asp:content> Notice that the value of feedback.message is HTML encoded before the value is displayed with the following code: <%=Html.Encode(feedback.Message)%> What does it mean to HTML encode a string? When you HTML encode a string, dangerous characters such as < and > are replaced by HTML entity references such as < and >. So when the string <script>alert("boo!")</script> is HTML encoded, it gets converted to <script>alert("boo!")</script>. The encoded string no longer executes as a JavaScript script when interpreted by a browser. Instead, you get the harmless page in Figure 3.

Figure 3 Defeated JavaScript Attack Notice that in the Index view in Listing 3 only the value of feedback.message is encoded. The value of feedback.entrydate is not encoded. You only need to encode data entered by a user. Because the value of EntryDate was generated in the controller, you don t need to HTML encode this value. Approach #2: HTML Encode in the Controller Instead of HTML encoding data when you display the data in a view, you can HTML encode the data just before you submit the data to the database. This second approach is taken in the case of the controller in Listing 4. Listing 4 HomeController.cs (HTML Encoded) using System; using System.Web.Mvc; using CustomerFeedback.Models; namespace CustomerFeedback.Controllers

[HandleError] public class HomeController : Controller private FeedbackDataContext db = new FeedbackDataContext(); public ActionResult Index() return View(db.Feedbacks); public ActionResult Create(string message) // Add feedback var newfeedback = new Feedback(); newfeedback.message = Server.HtmlEncode(message); newfeedback.entrydate = DateTime.Now; db.feedbacks.insertonsubmit(newfeedback); db.submitchanges(); // Redirect return RedirectToAction("Index"); Notice that the value of Message is HTML encoded before the value is submitted to the database within the Create() action. When the Message is redisplayed in the view, the Message is HTML encoded and any JavaScript injected in the Message is not executed. Typically, you should favor the first approach discussed in this tutorial over this second approach. The problem with this second approach is that you end up with HTML encoded data in your database. In other words, your database data is dirtied with funny looking characters. Why is this bad? If you ever need to display the database data in something other than a web page, then you will have problems. For example, you can no longer easily display the data in a Windows Forms application.

Summary The purpose of this tutorial was to scare you about the prospect of a JavaScript injection attack. This tutorial discussed two approaches for defending your ASP.NET MVC applications against JavaScript injection attacks: you can either HTML encode user submitted data in the view or you can HTML encode user submitted data in the controller.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback