Originally posted by NickFitz
View Post
http://www.asp.net/learn/whitepapers...st-validation/
-
By default, ASP.NET prevents script injection. It's built in, but the error needs to be handled.
http://www.asp.net/learn/whitepapers...st-validation/ -
OK now I will weed out any <script> or </script> strings that get posted to the form.
I must admit that I am finding this form security really interesting - a great thing to play with on a Friday afternoon
Nick! - I will let your guest book entry stand, nice blog BTW
www.stormtrack.co.uk - My Stormchasing website.Comment
-
Got rid of that pesky XSS issue - I think!
Set the aspx page to
ValidateRequest="false"
Then server side, parse each textBox.Text via
public static string stripHTML(string _ipStr)
{
const string htmlMatch = "<.*?>";
return HttpUtility.HtmlDecode(Regex.Replace(_ipStr, htmlMatch, string.Empty));
}
This strips out all the html from the string including stuff like ">" etcwww.stormtrack.co.uk - My Stormchasing website.Comment
-
If you don't need to allow any HTML formatting, which you probably don't for a guestbook, then check out "How to HTML encode content" at the bottom of the page DP linked to above.Originally posted by wxman View PostOK now I will weed out any <script> or </script> strings that get posted to the form.
I must admit that I am finding this form security really interesting - a great thing to play with on a Friday afternoon
Nick! - I will let your guest book entry stand, nice blog BTW
If you want to allow some formatting (such as bold and italic) but not let potentially nasty stuff like <script> or <object> (and actually, <img> can be dangerous in some browsers) then you'll need to do a little more work. If so, remember the golden rule: whitelist, don't blacklist. In other words, check for the stuff you specifically allow, and get rid of everything else - if you instead look for stuff you don't allow, somebody will find a way of sneaking it past you eventually.
Here's a list of known XSS vectors - as you can see, checking for all of them could get quite tiresome
Comment
-
#Originally posted by wxman View PostDemo Guestbook Here
This is a case of diminishing returns (protection of the web form) but this thread has certainly focused my attention on areas to look at.
OK I concede that client side verification can be circumvented, but I also do some Server side checking before I even go any near passing values to the SP for writing to the DB.
Client Side
Regex, textbox length, Simple verification code needs to be typed before submit is allowed.
Server Side
Is pageValid check from client verification?
Is field size < n Chr$?
Pass field values to object (but all the types are string)
** to Do. Is email address? Is URL?, Flood control – disable DB write is excessive number of requests are made
Writing to DB
Parameterised Stored Proc with limited field size
Tightened security on DB privileges.
Finally each and every entry has to be approved (via a maintenance page) before public viewing is allowed.
I know that the page verification code can be circumvented – but it will required effort on behalf of the "baddy" to do so!
Any thing else
Remember that client side validation should only be there to guide the user how to fill the form out properly, and any errors displayed should be concise and easily understandable. It will not stop somebody who is attacking your site. Any validation that you perform for security purposes should be on the server side.Comment
-
You should only need to switch off page validation if something explicitely requires it, i often need to do this when using stuff like freetextbox but in your case, cant see why it would need to be switched off? Cant see many users savvy enough to actually hand write tags such as 'this site is <strong>cool</strong>'.Originally posted by wxman View Post
So i'd leave it on and clean your input as you've suggested.Last edited by Durbs; 12 December 2008, 18:55.Comment
-
6th place now - this thread has overtaken itOriginally posted by NickFitz View PostP.S. I'm pleased to see that a Google search for HyperGlobalMegaCorp currently shows my own site in fifth place
Comment
Comment