cross-site scripting vulnerability

Question

0.00/5 (No votes)

See more:

How to prevent cross-site scripting security issues which returned in app scan as high vulnerability.
See the scan result below:

SQL

Entity: Parameter:ctl00$ContentPlaceHolder1$TabContainer1$TabPanel3$txtSearches
Risk(s): It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user,
allowing the hacker to view or alter user records, and to perform transactions as that user
Fix: Filter out hazardous characters from user input

VB

ctl00%24ContentPlaceHolder1%24TabContainer1%24TabPanel3%24txtSearches=1234"/>%uff1cscript%uff1ealert%uff081312%uff09%uff1c/script%uff1e

After got the scan result I added regular expression validation to txtSearches textbox to block non-alphanumeric inputs and rescaned the application but again returned the same vulnerability.

Posted 10-Dec-13 8:22am

prasy123

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

thatraja · Answer 1 · 2013-12-11T00:11:00

Relevant code/elements could be better to spot the issue. I think input going from some other way instead of that textbox.

There's a lot about this topic, check these articles
SQL Injection and Cross-Site Scripting[^]
Cross site scripting: Common threats in web applications[^]
An Absolute Beginner's Tutorial on Cross Site Scripting(XSS) Prevention in ASP.NET[^]

Also check these too
ASP.NET web application security review: Do's & Don'ts[^]
Security: It’s Getting Worse[^] - Great reading with more than bunch of stuff.