How to prevent cross-site scripting security issues which returned in app scan as high vulnerability.
See the scan result below:
Entity: Parameter:ctl00$ContentPlaceHolder1$TabContainer1$TabPanel3$txtSearches
Risk(s): It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user,
allowing the hacker to view or alter user records, and to perform transactions as that user
Fix: Filter out hazardous characters from user input

ctl00%24ContentPlaceHolder1%24TabContainer1%24TabPanel3%24txtSearches=1234"/>%uff1cscript%uff1ealert%uff081312%uff09%uff1c/script%uff1e

After getting the scan result I added regular expression validation to the txtSearches textbox to block non-alphanumeric inputs and rescanned the application, but it again returned the same vulnerability.
1 solution

Relevant code/elements would make it easier to spot the issue. I think the input is coming in some other way instead of through that textbox.

There's a lot about this topic, check these articles
SQL Injection and Cross-Site Scripting[^]
Cross site scripting: Common threats in web applications[^]
An Absolute Beginner's Tutorial on Cross Site Scripting(XSS) Prevention in ASP.NET[^]

Also check these too
ASP.NET web application security review: Do's & Don'ts[^]
Security: It’s Getting Worse[^] - Great reading with more than a bunch of stuff.
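The scan request quoted in the question is worth walking through, because it shows why an input filter on its own did not clear the finding. The following is an added example, not code from the question or the answer: it decodes the scanner's IIS-style %uXXXX value the way ASP.NET's HttpUtility.UrlDecode would, runs a server-side allow-list of the kind a RegularExpressionValidator enforces, and contrasts echoing the value unencoded with HTML-encoding it at output. The value, the allow-list pattern and the two render functions are constructed for illustration.

```python
import html
import re
import unicodedata
import urllib.parse

# Constructed copy of the parameter value from the scan result above, still in the
# IIS-style %uXXXX escaping the scanner used (%uff1c / %uff1e are fullwidth < and >).
SCAN_VALUE = '1234"/>%uff1cscript%uff1ealert%uff081312%uff09%uff1c/script%uff1e'

# Server-side allow-list comparable to a RegularExpressionValidator: letters, digits, spaces.
ALLOWED = re.compile(r'[A-Za-z0-9 ]{1,50}')


def decode_request_value(raw: str) -> str:
    """Decode the way ASP.NET's HttpUtility.UrlDecode does: %uXXXX first, then %XX."""
    without_u = re.sub(r'%u([0-9A-Fa-f]{4})', lambda m: chr(int(m.group(1), 16)), raw)
    return urllib.parse.unquote(without_u)


def is_allowed(term: str) -> bool:
    """Allow-list check. It must run on the server and its result must be honoured
    (Page.IsValid): a scanner posts directly and never runs the client-side validator."""
    return ALLOWED.fullmatch(term) is not None


def render_vulnerable(term: str) -> str:
    """Echoes the search term into an attribute unencoded. The ASCII '"/>' in the
    payload closes the attribute, so the rest of the payload lands in markup."""
    return f'<input name="txtSearches" value="{term}"/>'


def render_hardened(term: str) -> str:
    """Output encoding (the equivalent of HttpUtility.HtmlEncode / <%: %>): the
    quote and any angle brackets are escaped, so the attribute cannot be closed."""
    return f'<input name="txtSearches" value="{html.escape(term, quote=True)}"/>'


def normalize(term: str) -> str:
    """NFKC turns fullwidth ＜script＞ into ASCII <script>. If the application
    normalizes input anywhere, do it before validation and encoding, never after."""
    return unicodedata.normalize('NFKC', term)
```

The decoded value is rejected by the allow-list, so if the finding persisted after the validator was added, the value is reaching the page through a path the validator does not cover, exactly the possibility the answer raises; encoding at output closes the hole regardless of which path the value takes.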
Comments
prasy123 11-Dec-13 13:36pm
Thanks thatraja..

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)