Click here to Skip to main content
Click here to Skip to main content

Power yourself against XSS

, 7 Aug 2007
Rate this:
Please Sign up or sign in to vote.
XSS gaining popularity to hack into websites. This article describes how to power yourself against XSS
Screenshot - sample.jpg

Introduction

Can you protect your .Net application pages from XSS by disabling tag validationrequest=false. For web 2.0 (user generated content) websites we need to allow users to enter some tags which are dangerous and also open the world to exploit our application. We cannot enable the default validationrequest. So how can we protect ourselves from those dangerous exploits?

One way to block exploits using the dangerous tags is by filtering them. But there are too many ways to hack into the system. Some ways are not even dangerous while filtering but it can create a very large scale attack in application. One such tag is as below

guestbook.aspx?MainID=-1%20union%20select%201,2,3,4,5,usertitle,7,8,9,10,11,12,13%20from%20Member%20where%20Memberid%20=1/*

The above code is an SQL injection which might bring out the data about root or admin user. Can we filter this out by our methods? Surely we cannot, because this might be a proper SQL posted by some user in forums. So how can we protect from these kind of attacks

IDS – Intrusion Detection System

IDS is used to detect and block the dangerous traffic to our website. Mostly we have some honeypots which will trap the hackers and make them to look for false information and block them. Imagine IDS for .Net application. How about scanning the user data using IDS methodologies? This article will say about an IDS developed by some white hat security experts.

Welcome to the world of Dotnet IDS.

Dotnet IDS is .Net way of PHP-IDS developed by some security experts. You can have a copy of dotnet-IDS at http://code.google.com/p/dotnetids/ which is the homepage for this project. This tool is capable of detecting on attacks on web applications and gives the developer the possibility to react. This tool acts as a first defense against XSS attacks in your website.

Using the code

First we need to know that it is just a security layer which detects the XSS attacks on our application and notify the developer. It is upon the developer to act on the intrusion to block them. For a simple explanation, lets take a guest book application which takes input from users and store the same. For developing such application we need a guestbook form and a thank you page with a database connected to it.

Create a new website in your IDE and include the ids.dll in bin directory and reference the same.
Create a directory named IDS and place output_filter.xml and default_filter.xml in bin directory to make the system work.

Once it is placed, you can start your work by including dotnetids namespace into your application

[Vb.net]
Imports DOTNETIDS

Now you need to change codebehind file to inherit from SecurePage:

[Vb.net]
Partial Class _Default
    Inherits DOTNETIDS.SecurePage


After inheriting the securepage you need to add below method in your class

[VB.NET]

Public Overrides Sub IDSEventHandler(ByVal report As DOTNETIDS.Report, ByVal SecurePage As DOTNETIDS.SecurePage)
        Select Case report.RequestType
            Case DOTNETIDS.RequestType.Output
                WriteResponse()
                Exit Select
            Case Else
                For Each e As DOTNETIDS.Event In report.Events
                    Response.Write("Intrustion attempt: " & HttpUtility.HtmlEncode(e.Value) & " with impact " & e.Impact)
                Next
                Exit Select
        End Select
    End Sub


Once you had done this step your page is ready to find the intrusions.

Whenever the page is posted / retrieved from server, Dot net IDS scan the complete page for intrusions. If found it will notify the developer with an impact value and the value which is causing the intrusion attempt. If we need to have more information like which filter is triggering the impact we can change the response.write to

[VB.NET]

Response.Write("Intrustion attempt: " & HttpUtility.HtmlEncode(e.Value) & " found by " & HttpUtility.HtmlEncode(e.Filter) & " with impact " & e.Impact)

This will help us to find which filter is triggering the alarm. After this it is up to the developer to decide what can be done on the problem. The developers of dotnetids advices to use below action for intrusion attempts

impact 4 and above for logging to DB,
impact 8 and above for sending out a mail to the devs,
impact 24 and above for displaying a warning
impact 48 and above for destroying the session if user was logged in - also can increment the impact via session.

Exclusions:

Sometimes we might require DotnetIDS to exclude some input from user. We can achieve this by using exclusions. we can use exclusions method to exclude some parts of our page from scanning.
vb.net

    Exclusions.Add("txtPosts")

The above code will exclude the tag named txtPosts from scanning. The latest version of Dotnetids supports excluding the complete scanoutput also. From my usage I found that dotnetids is very useful on most of the XSS attacks. Though it is a new product, it is powerful against a lot of attacks. There are people who can help you on any query. A friendly forum available for asking any question

Points of Interest

1) Dotnet IDS is just a scanner.
2) Developer must write code to block the attempt.

Important Notes

This article uses NETIDS version 0.1.0. There are some drawbacks in this version which was rectified in version 0.1.3. The drawback in this verison (0.1.0) is that the IDSevent will verify after the page load event is fired. This still opens the system for hacking if the developer rely on the querystrings or other objects for input in page load event (for loading a data based on the userid in query string). In this case a hacker or an intruder can still enter into the system and the damage will be done.

This was pointed out by us to the team and we had moved the IDSevent to page_init event. Kindly read the readme in the downloadable package to implement the same.

Useful links

DotnetIDS : http://code.google.com/p/dotnetids/
Forums : http://forum.php-ids.org/?CategoryID=9
Usage : http://code.google.com/p/dotnetids/wiki/Usage

From using this tool for a month now i feel it is easy to implement and can take precausions against XSS. Easy to learn this code since we do not need to do much code. It is based on Regex which is lighting fast to scan any sized pages. DotNetIDS can be very effective when used in places where we normally do not use HTML tags. places like CMS pages, it can give lot of false positives.

We at http://www.bepenfriends.com started to rewrite the entire application using DotnetIDS. We are taking initiative of testing and implementing dotnetIDS wand working with them for issues. We are happy to help you in any regard.

History

1.0 Initial version
1.1 Updated about the orginal tool version used.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

albert arul prakash
Web Developer
India India
I am a ASP, ASP.net programmer who is involved with development of websites for http://www.indiansinc.com a web designing and development company. I work as an ASP.net developer and my personal interest revolves around cricket, football, music, movies, computers, R&D

Comments and Discussions

 
QuestionError PinmemberAligholami7715-Aug-07 1:51 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Mobile
Web04 | 2.8.140721.1 | Last Updated 8 Aug 2007
Article Copyright 2007 by albert arul prakash
Everything else Copyright © CodeProject, 1999-2014
Terms of Service
Layout: fixed | fluid