I have already developed a web application in ASP.NET C#.
We have also set validateRequest to true, which validates script and HTML tags (<script>, <p>) against injection. But using Burp Suite we can insert data like "%uFF1Cscript%uFF1Ealert%28%u2018XSS%u2019%29%3B%uFF1C/script%uFF1E". How can we validate these types of attack with some global-level setting?


What I have tried:

We tried this in web.config:

<configuration>
  <system.web>
    <globalization requestEncoding="utf-8" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Xss-Protection" value="1; mode=block" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <!-- CSP sources are space-separated (no commas) and the keyword is 'unsafe-inline';
             note that 'unsafe-inline' lets inline scripts run, so it weakens CSP as an XSS control.
             The rest of the policy was elided in the original post ("etc...") -->
        <add name="Content-Security-Policy" value="default-src 'self' 'unsafe-inline'" />
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
Comments
F-ES Sitecore 20-Mar-18 10:26am
Sanitise things by HTML-encoding them before you output them to the response stream. If you've written a website and are now looking to secure it as an afterthought, then change how you write websites.
Vishal S. Kumbhar 20-Mar-18 10:32am
Yes, I can change it now, but I'm stuck on this, so if you have any solution then please suggest it.
Kornfeld Eliyahu Peter 20-Mar-18 13:40pm
As 'validateRequest' handles a lot of scenarios you should add details about the way you hacked yourself with Burp... It would help...
In any case - if it is possible you should encode every bit of data coming from the client just before saving it to the DB...
Vishal S. Kumbhar 20-Mar-18 14:18pm
The same scenario is explained here:
https://support.portswigger.net/customer/portal/articles/2325935-Methodology_Attacking%20Users_XSS_Exploiting%20XSS%20-%20Injecting%20into%20Direct%20HTML.html
but instead of injecting script tags we are injecting the encoded string "%uFF1Cscript%uFF1Ealert%28%u2018XSS%u2019%29%3B%uFF1C/script%uFF1E" for alert('XSS');
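The following is an added example, not code from the question or from CodeProject, showing why the %u-encoded payload in the question slips past a check for a literal tag and how the canonicalise-then-encode approach the comments recommend neutralises it. It assumes a console project that references System.Web (HttpUtility is available on .NET Framework and, via System.Web.HttpUtility.dll, on .NET Core/.NET 5+); the class and method names are my own.

```csharp
// Added example (not from the question or CodeProject): fullwidth '<' / '>' (U+FF1C / U+FF1E)
// sent in IIS-style %uXXXX encoding, and the canonicalise-then-encode defence against it.
using System;
using System.Text;
using System.Web; // HttpUtility

static class FullwidthXssDemo
{
    // The payload quoted in the question.
    public const string Payload =
        "%uFF1Cscript%uFF1Ealert%28%u2018XSS%u2019%29%3B%uFF1C/script%uFF1E";

    // Step 1: decode the way ASP.NET does. HttpUtility.UrlDecode understands %uXXXX;
    // System.Net.WebUtility.UrlDecode does not and would leave the sequences as-is,
    // so a check written against the wrong decoder sees a different string than the app.
    public static string Decode(string raw) => HttpUtility.UrlDecode(raw);

    // Step 2: canonicalise. NFKC maps the fullwidth forms to ASCII '<' and '>', which is
    // also what a best-fit mapping in a downstream component (DB, legacy encoder) would do.
    public static string Canonicalise(string s) => s.Normalize(NormalizationForm.FormKC);

    // A naive validator that looks for the literal tag. Request validation is stricter than
    // this, but it too inspects the decoded text, and U+FF1C is not U+003C.
    public static bool LooksLikeScriptTag(string s) =>
        s.IndexOf("<script", StringComparison.OrdinalIgnoreCase) >= 0;

    // Step 3: encode for the HTML context at output time, after canonicalisation,
    // so the '<' produced by normalisation is what gets encoded.
    public static string SafeForHtml(string untrusted) =>
        HttpUtility.HtmlEncode(Canonicalise(untrusted));

    static void Main()
    {
        string decoded = Decode(Payload);
        // Literal check on the decoded text: the fullwidth characters are not '<', so it misses.
        Console.WriteLine("literal check, decoded:      " + LooksLikeScriptTag(decoded));
        // Same check after NFKC: now a real <script> tag is present.
        Console.WriteLine("literal check, canonicalised: " + LooksLikeScriptTag(Canonicalise(decoded)));
        // What should reach the page: encoded, so the browser renders text, not a tag.
        Console.WriteLine("output-encoded:               " + SafeForHtml(decoded));
    }
}
```

Run the canonicalisation before any validation (request validation or your own), and keep the output encoding regardless: a global input filter cannot know every place a value is later rendered.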

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)