Click here to Skip to main content
15,885,309 members
Search within:


Articles / Web Development / ASP.NET
 

SQL Injection and Cross-Site Scripting

Rate me:
Please Sign up or sign in to vote.
4.92/5 (144 votes)
17 Apr 2017CPOL14 min read 499.4K   3.9K   317  
An article on SQL Injection and Cross-Site Scripting with sample code in C#.
 
<%@ Page Title="" Language="C#" MasterPageFile="~/MasterPage.master" AutoEventWireup="true" CodeFile="JavaScriptFunctionInjection.aspx.cs" Inherits="JavaScriptFunctionInjection" %>

<asp:Content ID="Content1" ContentPlaceHolderID="head" Runat="Server">
    <style type="text/css">
        #Text1
        {
            width: 300px;
        }
        #Text2
        {
            width: 300px;
        }
    </style>
</asp:Content>
<asp:Content ID="Content2" ContentPlaceHolderID="ContentPlaceHolder1" Runat="Server">
<div>

<p>JavaScript Event injection to Client side control with <br /> 
    ASP.NET Inline tag &lt;%= ... %&gt;, with single quote and quote </p>
   <label for="Text1">Inject JavaScript Event in '&lt;%= HERE %&gt;': </label>
    <input id="Text1" name="Text1" type="text" value='<%= sValue %>'  />
    
   <asp:Button ID="Button2" runat="server" Text="Submit" 
    CommandArgument="single" OnCommand="Button2_Click" />
    <p>
    Sample 1 input: <br />
    a'onblur=window.location='http://www.yahoo.com' ' <br />
     a' onchange=alert("gotcha+onchange") '<br />
     a' onblur=alert("gotcha+onblur") '<br />
     a' onselect=alert("gotcha+onselect") '<br />
     a' onKeyDown=alert("gotcha+onKeyDown") '<br />
     a' onKeyPress=alert("gotcha+onKeyPress") '<br />
     a' onKeyUp=alert("gotcha+onKeyUp") '<br />
    </p>
   <br />
   <label for="Text2">Inject JavaScript Event in "&lt;%= HERE %&gt;" :</label>
    <input id="Text2" name="Text2" type="text" value="<%= sValue %>" />
    <asp:Button ID="Button1" runat="server" Text="Submit" 
        CommandArgument="quote" OnCommand="Button2_Click" />
   <br />
   
       <p>
    Sample 2 input: <br />
    a" onblur=window.location='http://www.yahoo.com' " <br />
     a" onchange=alert('gotcha+onchange') "<br />
     a" onblur=alert('gotcha+onblur') "<br />
     a" onselect=alert('gotcha+onselect') "<br />
     a" onKeyDown=alert('gotcha+onKeyDown') "<br />
     a" onKeyPress=alert('gotcha+onKeyPress') "<br />
     a" onKeyUp=alert('gotcha+onKeyUp') "<br />
    </p>
    
    <br />
    
    
</div>
     
     
</asp:Content>

By viewing downloads associated with this article you agree to the Terms of Service and the article's licence.

If a file you wish to view isn't highlighted, and is a text file (not binary), please let us know and we'll add colourisation support for it.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By
Bryian Tan
Software Developer (Senior)
United States United States
I have over 10 years of experience working with Microsoft technologies. I have earned my Microsoft Certified Technology Specialist (MCTS) certification. I'm a highly motivated self-starter with an aptitude for learning new skills quickly.

Comments and Discussions

Permalink
Advertise
Privacy
Cookies
Terms of Use
Layout: fixed | fluid

Posted 16 Aug 2010

Article Copyright 2010 by Bryian Tan
Everything else Copyright © CodeProject, 1999-2024

Web04 2.8:2024-04-02:1