Can you protect your .Net application pages from XSS after disabling tag validation (ValidateRequest="false")? For web 2.0 (user generated content) websites we need to allow users to enter some tags which are dangerous and which also open our application to exploitation. We cannot keep the default ValidateRequest behaviour enabled. So how can we protect ourselves from those dangerous exploits?
One way to block exploits that use the dangerous tags is to filter them. But there are too many ways to attack the system. Some inputs look harmless while being filtered, yet they can lead to a very large-scale attack on the application. One such input is shown below.
The above code is an SQL injection which might extract data about the root or admin user. Can we filter this out with our methods? Surely we cannot, because it might be legitimate SQL posted by some user in a forum. So how can we protect against these kinds of attacks?
IDS – Intrusion Detection System
An IDS is used to detect and block dangerous traffic to our website. Often honeypots are used alongside it to trap attackers, feed them false information and block them. Imagine an IDS for a .Net application: what about scanning the user's input using IDS methodologies? This article describes an IDS developed by white hat security experts.
Welcome to the world of Dotnet IDS.
Dotnet IDS is the .Net port of PHP-IDS, developed by security experts. You can get a copy of dotnet-IDS at http://code.google.com/p/dotnetids/, the homepage of the project. The tool is capable of detecting attacks on web applications and gives the developer the possibility to react. It acts as a first line of defense against XSS attacks on your website.
Using the code
First we need to understand that it is just a security layer which detects XSS attacks on our application and notifies the developer. It is up to the developer to act on the intrusion and block it. For a simple explanation, let's take a guestbook application which takes input from users and stores it. To develop such an application we need a guestbook form, a thank-you page and a database connected to it.
Create a new website in your IDE, include ids.dll in the bin directory and reference it.
Create a directory named IDS and place output_filter.xml and default_filter.xml in the bin directory to make the system work.
Once these are in place, you can start by including the dotnetids namespace in your application.
Now you need to change the code-behind file to inherit from SecurePage:
Partial Class _Default
    Inherits DOTNETIDS.SecurePage ' the page class the IDS hooks into
After inheriting from SecurePage you need to add the method below to your class:
Public Overrides Sub IDSEventHandler(ByVal report As DOTNETIDS.Report, ByVal SecurePage As DOTNETIDS.SecurePage)
    ' report.RequestType identifies which part of the request was flagged; the
    ' original listing switches on it with Select Case, but its branches are not shown
    For Each e As DOTNETIDS.Event In report.Events ' one event per filter that matched
        Response.Write("Intrusion attempt: " & HttpUtility.HtmlEncode(e.Value) & " with impact " & e.Impact)
    Next
End Sub
Once you have done this step your page is ready to detect intrusions.
Whenever the page is posted to or retrieved from the server, Dotnet IDS scans the complete request for intrusions. If one is found it notifies the developer with an impact value and the value that caused the intrusion attempt. If we need more information, such as which filter triggered the impact, we can change the Response.Write to:
Response.Write("Intrusion attempt: " & HttpUtility.HtmlEncode(e.Value) & " found by " & HttpUtility.HtmlEncode(e.Filter) & " with impact " & e.Impact)
This will help us find which filter triggered the alarm. After that it is up to the developer to decide what to do about the problem. The developers of dotnetids advise the following actions for intrusion attempts:
impact 4 and above: log to the DB,
impact 8 and above: send a mail to the devs,
impact 24 and above: display a warning,
impact 48 and above: destroy the session if the user was logged in; the impact can also be accumulated via the session.
Sometimes we might want DotnetIDS to exclude some user input from scanning. We can achieve this with exclusions: the exclusions method excludes parts of our page from the scan.
The above code excludes the field named txtPosts from scanning. The latest version of Dotnetids also supports excluding the complete scan output. From my usage I found that dotnetids is very useful against most XSS attacks. Though it is a new product, it is powerful against a lot of attacks. There are people who can help you with any query, and a friendly forum is available for asking questions.
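To make the scanning and impact model concrete, here is an added Python model of a PHP-IDS style scanner (example code written for this article's explanation, not DotnetIDS's own engine or filter set): a handful of constructed regex filters each carry an impact, every matching filter on every request field produces an event with the same value/filter/impact fields the handler above reads, excluded field names such as txtPosts are skipped, and the cumulative impact is mapped to the 4/8/24/48 action tiers, optionally accumulated across requests in the session.

```python
import re
from dataclasses import dataclass

# Constructed filter set for illustration only; NOT DotnetIDS's default_filter.xml.
# Each rule: name, regex, and the impact it contributes when it matches.
FILTERS = [
    ("script tag", re.compile(r"<\s*script\b", re.I), 5),
    ("event handler attribute", re.compile(r"\bon\w+\s*=", re.I), 4),
    ("javascript: URI", re.compile(r"javascript\s*:", re.I), 4),
    ("SQL tautology or comment", re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1|--\s*$|/\*.*\*/", re.I | re.S), 3),
]
# Thresholds recommended by the DotnetIDS developers and the action for each tier.
TIERS = [(4, "log"), (8, "mail"), (24, "warn"), (48, "destroy_session")]

@dataclass
class Event:  # mirrors the fields the article reads from DOTNETIDS.Event
    field: str
    value: str
    filter_name: str
    impact: int

def scan(params, exclusions=frozenset()):
    """Run every filter over every request parameter; excluded field names are
    skipped, which is what the article's exclusion of txtPosts achieves."""
    events = []
    for name, value in params.items():
        if name in exclusions:
            continue
        for filter_name, rx, impact in FILTERS:
            if rx.search(value):
                events.append(Event(name, value, filter_name, impact))
    return events

def total_impact(events):
    return sum(e.impact for e in events)

def actions_for(impact):
    """Every tier whose threshold the cumulative impact has reached."""
    return [action for threshold, action in TIERS if impact >= threshold]

def record(session, events):
    """Accumulate impact across requests in the session ("increment the impact via session")."""
    session["ids_impact"] = session.get("ids_impact", 0) + total_impact(events)
    return actions_for(session["ids_impact"])

if __name__ == "__main__":
    # Constructed guestbook post: txtPosts is excluded from scanning, txtName is not.
    post = {"txtName": "<img src=x onerror=alert(1)>", "txtPosts": "<b>hello</b>"}
    for e in scan(post, exclusions={"txtPosts"}):
        print(f"Intrusion attempt: {e.value!r} found by {e.filter_name} with impact {e.impact}")
    print("actions:", record({}, scan(post, exclusions={"txtPosts"})))
```

Because the field exclusion removes a whole parameter from the scan, excluding a free-text CMS field trades the false positives the article mentions for zero coverage of that field, so anything stored from it still needs output encoding.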
Points of Interest
1) Dotnet IDS is just a scanner.
2) The developer must write code to block the attempt.
This article uses NETIDS version 0.1.0. This version has a drawback which was rectified in version 0.1.3: the IDS event is raised only after the Page_Load event has fired. This still leaves the system open if the developer relies on query strings or other request objects for input in Page_Load (for example, loading data based on the userid in the query string). In that case an intruder can still get into the system and the damage will be done.
We pointed this out to the team and the IDS event has been moved to the Page_Init event. Kindly read the readme in the downloadable package to implement the same.
DotnetIDS : http://code.google.com/p/dotnetids/
Forums : http://forum.php-ids.org/?CategoryID=9
Usage : http://code.google.com/p/dotnetids/wiki/Usage
After using this tool for a month I feel it is easy to implement and takes precautions against XSS. It is easy to learn since we do not need to write much code. It is based on regular expressions, which are lightning fast at scanning pages of any size. DotNetIDS is most effective in places where we normally do not accept HTML tags; in places like CMS pages it can give a lot of false positives.
We at http://www.bepenfriends.com have started to rewrite our entire application using DotnetIDS. We are taking the initiative of testing and implementing dotnetIDS and working with the team on issues. We are happy to help you in any regard.
1.0 Initial version
1.1 Updated the original tool version used.