Click here to Skip to main content
15,885,953 members
Search within:


How to prevent stored xss vulnerability for dataset in ASP.NET
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
C#
ASP.NET
Hi Team
I am trying to prevent Stored Xss vulnarability for Sql query which is showing as high vulnerability in CheckMark.
Below is my code.

What I have tried:

C#
public DataSet GetData(string sqlQuery)
{
    OracleConnection con=new Oracle....
    OracleAdapter ad=new  OracleAdapter(sqlQuery,con);
    ad.Fill(ds);
    return ds;
}

UI code
C#
DataGrid dg=new DataGrid();
dg.DataSource = objDa.GetData(txtQuesy());
dg.Bind();
Posted
Updated 25-Sep-20 2:56am
v2
Add a Solution

1 solution

You have a higher risk vulnerability: you've written a method which will force you to write code which is vulnerable to SQL Injection[^].

You need to rewrite your GetData method to allow you to pass parameters properly, rather than stuffing them into the query itself. You should also make sure you're not accepting queries directly from the user.

To prevent XSS vulnerabilities, you need to properly encode any output depending on where it is being displayed. For example, if you're displaying it as part of the HTML markup, you need to HTML encode it.

Many WebForms controls have properties which will let you specify that their output should be encoded. For example:
BoundField.HtmlEncode Property (System.Web.UI.WebControls) | Microsoft Docs[^]
Literal.Mode Property (System.Web.UI.WebControls) | Microsoft Docs[^]

So long as you use these properties correctly, and never output unencoded data which could be controlled or affected by the user, you should avoid any XSS vulnerabilities.
Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
Query Parameterization Cheat Sheet | OWASP[^]
 
Share this answer
 
Posted
Comments
DGKumar 28-Sep-20 6:22am    
Hi Richard,
Even though if I am using the parameterized query also while getting data from db and trying to store in DataGrid DataSorce checkmark is displaying the data source data is not sanitized.
dg.DataSource = ds;

ds rows data should santized. how to do that i could not find out the solution.
Richard Deeming 28-Sep-20 6:39am    
The DataGrid[^] control is an older control which didn't have support for automatically encoding the output.

You should look at switching to the GridView[^] control, and setting the HtmlEncode[^] property on the BoundField columns.

If you stick with the DataGrid, you'll need to switch to using a TemplateColumn[^], and use a bound Literal within the item template with the correct Mode value set to ensure that the output is HTML-encoded.
Add a Solution

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month
Related Questions
How to prevent reflected xss attack for viewstate in ASP.NET
How to prevent url vulnerability in ASP.NET
How to prevent the dataset or datatable while binding gridview from xss attacks?
need code about Sql injection and XSS vulnerability
Prevent XSS attack in hyperlink?
How can I block Cross-site Scripting (XSS) through interceptor in proxy tool in ASP.Net
cross-site scripting vulnerability
stealing cookie with xss
How to prevent cross site history manipulation vulnerability in ASP.NET web forms?
How to secure PHP from XSS attack - filter sanitizers not working

Advertise
Privacy
Cookies
Terms of Use
Last Updated 25 Sep 2020
Layout: fixed | fluid
Copyright © CodeProject, 1999-2024
All Rights Reserved.

Web03 2.8:2024-04-02:1

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900