Hi Team,
I have ViewState holding data and am ready to bind it to a GridView.
How do I prevent an XSS attack on the GridView data?

DataSet ds = (DataSet)ViewState["GridData"];
GV.DataSource = ds;

What I have tried:

I have tried with ViewStateEnabled = true and ViewStateEncryption = Always.
But I am still getting the Checkmarx reflected XSS finding as not resolved.
Could you please assist with how to fix this type of issue?
Updated 15-Sep-20 2:06am
F-ES Sitecore 15-Sep-20 7:31am
It's probably just complaining as you're using a resource that has come from the client without any kind of encoding. The issue is how you show the data in your gridview, you have to make sure that isn't susceptible to xss attacks, but if you have viewstate MAC encryption on I wouldn't worry, I'd just disable the warning for that section of code.

1 solution

You also want to sign your ViewState with the current user session and prevent the ViewState from being passed in on the query string, to block what some refer to as a one-click attack.

Preventing a one-click attack:

void Page_Init(object sender, EventArgs e)
{
    if (Session.IsNewSession)
    {
        // Force session to be created;
        // otherwise the session ID changes on every request.
        Session["ForceSession"] = DateTime.Now;
    }

    // 'Sign' the viewstate with the current session.
    this.ViewStateUserKey = Session.SessionID;

    if (Page.EnableViewState)
    {
        // Make sure ViewState wasn't passed on the querystring.
        // This helps prevent one-click attacks.
        if (!string.IsNullOrEmpty(Request.Params["__VIEWSTATE"]) &&
            string.IsNullOrEmpty(Request.Form["__VIEWSTATE"]))
        {
            throw new Exception("Viewstate existed, but not on the form.");
        }
    }
}

Refer: ASP.NET Security - Securing Your ASP.NET Applications | Microsoft Docs
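The following is an added example, not code from the original question or answer. It is a code-behind for a hypothetical page GridXss.aspx that is assumed to declare <asp:GridView ID="GV" runat="server" /> and nothing else. It keeps the ViewStateUserKey line from the answer, but its point is the part the Checkmarx finding is actually about: how values pulled out of ViewState (client-supplied input, MAC or no MAC) are written into the page. A BoundField encodes by default, a TemplateField with <%# Eval(...) %> or a cell whose Text you assign yourself does not, and the static analyser is reporting that second kind of sink. The sample rows, including the payload in the second row, are constructed for the example.

```csharp
// Added example, not from the original post: code-behind for a hypothetical
// page GridXss.aspx that declares <asp:GridView ID="GV" runat="server" />.
using System;
using System.Data;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class GridXss : Page
{
    // Constructed sample data. The second row carries the kind of payload an
    // attacker plants through any input that later ends up in the grid.
    private static DataSet BuildSampleData()
    {
        var table = new DataTable("Comments");
        table.Columns.Add("Author", typeof(string));
        table.Columns.Add("Comment", typeof(string));
        table.Rows.Add("alice", "Looks good to me");
        table.Rows.Add("mallory", "<img src=x onerror=\"alert(document.cookie)\">");
        var ds = new DataSet();
        ds.Tables.Add(table);
        return ds;
    }

    protected void Page_Init(object sender, EventArgs e)
    {
        // From the answer above: tie the ViewState MAC to this session so a
        // captured __VIEWSTATE cannot be replayed into another user's session.
        ViewStateUserKey = Session.SessionID;

        // Columns are declared in code on every request (they are not persisted
        // in ViewState) so the encoding behaviour of each one is explicit.
        GV.AutoGenerateColumns = false;

        // Safe: BoundField.HtmlEncode is true by default, so the payload is
        // written as &lt;img src=x ...&gt; and the browser shows it as text.
        GV.Columns.Add(new BoundField { DataField = "Author", HeaderText = "Author" });
        GV.Columns.Add(new BoundField { DataField = "Comment", HeaderText = "Comment", HtmlEncode = true });

        // Unsafe: the same field with HtmlEncode = false (or, in markup, a
        // TemplateField containing <%# Eval("Comment") %>) emits the value as
        // raw HTML and the onerror handler runs. This is the sink a static
        // analyser reports when the source is ViewState. Kept commented out.
        // GV.Columns.Add(new BoundField { DataField = "Comment", HtmlEncode = false });

        GV.RowDataBound += GV_RowDataBound;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            ViewState["GridData"] = BuildSampleData();
        }

        // Same binding as in the question. The ViewState MAC stops tampering
        // with the serialized data; it does nothing about how values render.
        var ds = (DataSet)ViewState["GridData"];
        GV.DataSource = ds;
        GV.DataBind();
    }

    // Assigning TableCell.Text yourself bypasses BoundField's encoding: the
    // string is emitted verbatim. So anything you write into a cell by hand
    // (here, and in template fields) must be encoded first.
    private void GV_RowDataBound(object sender, GridViewRowEventArgs e)
    {
        if (e.Row.RowType != DataControlRowType.DataRow)
        {
            return;
        }

        var item = (DataRowView)e.Row.DataItem;
        var comment = (string)item["Comment"];

        // HttpUtility.HtmlEncode maps < > & " to entities, so the payload
        // becomes inert text. Writing `comment` here unencoded would reopen
        // the hole even though the BoundField above has HtmlEncode = true.
        e.Row.Cells[1].Text = HttpUtility.HtmlEncode(comment);
    }
}
```

With this in place the ViewState settings from the question can stay as they are; the finding goes away because every path from ViewState["GridData"] to the response passes through HTML encoding, which is what the analyser is looking for. For values placed inside an attribute or a script block rather than element text, HttpUtility.HtmlAttributeEncode or HttpUtility.JavaScriptStringEncode is the matching call.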

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
