I have a page with textboxes for first and last name.
When I test the page and update the last name with Doe%uff1cscript%uff1ealert%uff0812345%uff09%uff1c/script%uff1 using the interceptor in a proxy tool like Burp Suite, the last name gets stored as <script>alert(12345)</script> in the database.

I have tried to use the Microsoft AntiXSS Library, but that did not work. Below is the code I used:
Dim Lname As String = Microsoft.Security.Application.Encoder.HtmlEncode(txtLName.Text)

Does anyone have any suggestions on how I can prevent this?
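The following Python is an added illustration, not code from the question or the answer. It models one well-known way a payload like the one above ends up stored as ASCII <script>: the non-standard %uXXXX escapes decode to full-width characters (U+FF1C, U+FF1E, U+FF08, U+FF09), which an HTML encoder leaves untouched because they are not ASCII <, >, ( or ), and a later best-fit conversion into a non-Unicode column folds them to their ASCII look-alikes. Whether that is what happens in the questioner's stack is an assumption; NFKC normalization stands in for the database's best-fit mapping, and the sample input is constructed with the closing %uff1e that the question's value cuts off.

```python
import html
import re
import unicodedata

# %uXXXX is the non-standard escape produced by JavaScript's escape() and
# accepted by classic ASP / ASP.NET request parsing alongside %XX.
_PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")

# Constructed sample value, modelled on the question (closing %uff1e added).
SAMPLE = "Doe%uff1cscript%uff1ealert%uff0812345%uff09%uff1c/script%uff1e"


def decode_percent_u(value: str) -> str:
    """Turn each %uXXXX sequence into the corresponding Unicode character."""
    return _PCT_U.sub(lambda m: chr(int(m.group(1), 16)), value)


def best_fit_to_ascii(value: str) -> str:
    """Stand-in for storing into a non-Unicode column: NFKC maps full-width
    forms such as U+FF1C FULLWIDTH LESS-THAN SIGN to plain '<'."""
    return unicodedata.normalize("NFKC", value)


def encode_then_store(raw: str) -> str:
    """Order used in the question: HTML-encode the decoded input, then persist.
    The encoder sees only full-width characters and changes nothing, so the
    folding that happens at the sink produces live markup."""
    return best_fit_to_ascii(html.escape(decode_percent_u(raw)))


def normalize_then_encode(raw: str) -> str:
    """Hardened order: canonicalize to the form the sink will actually keep,
    then encode, so every resulting '<' and '>' becomes an entity."""
    return html.escape(unicodedata.normalize("NFKC", decode_percent_u(raw)))


def contains_markup(stored: str) -> bool:
    """Simple check a reviewer can run over stored values: any raw angle
    bracket left after the sink's conversion is a finding."""
    return "<" in stored or ">" in stored


if __name__ == "__main__":
    print("encode then store :", encode_then_store(SAMPLE))
    print("normalize, encode :", normalize_then_encode(SAMPLE))
```

Running the block prints the unsafe stored value first and the entity-encoded value second, which is the behaviour to aim for when HtmlEncode alone is not enough.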
Comments
Sergey Alexandrovich Kryukov 23-Mar-15 10:51am    
What proxy do you mean: the one used for XSS attack or the one you are hoping to use to mitigate the attack? Both kinds of things exist... :-)
You can find the example of the proxy for XSS attack, for example, here: http://xss-proxy.sourceforge.net. In fact, I think you can use it to analyze and to examine your XSS mitigation approaches...
—SA

1 solution

Please see my comment to the question, where I see some ambiguity. This article can give you some ideas: https://www.cs.ucsb.edu/~chris/research/doc/sess09_swap.pdf

—SA
 
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


