Tuesday, August 12, 2014

Cross-Site Scripting Attack in MVC4

Cross-Site Scripting Attack in MVC4




In this article we will explore Cross-Site Scripting in an MVC application. In general this is the most dangerous threat by hackers.

Cross-Site Scripting is a kind of security feat. An attacker inserts malicious code into a web page or a storage database. XSS in itself is a threat that is brought by the internet security weaknesses of client-side scripting languages.
There are certain scenarios where it could fit like: If an attacker posts a malicious script that he can cause the browser to execute, this script is executed in the context of the victim's session, essentially enabling the attacker to do anything he wants to the DOM, including showing fake login dialogs or stealing a cookie.
There could be various ways to inject malicious code such as:

  • Malicious Attack with login Dialog
  • Vulnerable code segment inserted
  • Query String Message
  • HTML markup Passed in TextBox

Here I have created a MVC application and tried to insert some encoded HTML as shown in the image below.
Kindly hit the following URL : http://localhost:64175/Xss/Create

As soon as I click on the create button it shows in yellow an error screen as depicted in the image below:

MVC is smart enough to deal with such threats and prevents cross site attacks, this is one advantage of MVC because in case you forgot to handle this.
In case you want the user to submit HTML markups in the address then you can disable this prevention using [ValidateInput(false)].

This allows you to store values to the database using Entity Framework.
Now the output will be like this due to by default Razor will encode the HTML markups.

To convert HTML encoded to markup use the @Html.Raw helper method. Refer to the image shown below.

Now the output will be like this. Hit the following URL: http://localhost:64175/Xss/EmpDetails

Until here we have almost disabled all the security points and are about to enter a highly vulnerable string and a possible way to hack a document cookie and alert.

<img onmouseover=alert(1) src="/Images/Clickme.jpg" onmouseout=alert(document.cookie) >

As soon as you click it prompts you with an alert as shown below:

To prevent this use the Microsoft Anti-Cross Site Scripting Library (AntiXSS) and set it as your default HTML encoder.
How do you prevent XSS? Use of the following rules strictly will help prevent most if not all XSS attacks in your application:

  1. Ensure all of your output is HTML-encoded.
  2. Don't allow user-supplied text to end up in any HTML element attribute string.
  3. Prevent the use of Internet Explorer 6 by your application by checking Request.Browser as outlined at msdn.microsoft.com/library/3yekbd5b.
  4. Understand your control's behaviour and whether it HTML encodes its output. If it doesn't, encode the data going to the control.
  5. Use the Microsoft Anti-Cross Site Scripting Library (AntiXSS) and set it as your default HTML encoder.
  6. Use the AntiXSS Sanitizer object (this library is a separate download and is addressed later in this article) to call GetSafeHtml or GetSafeHtmlFragment before saving HTML data to the database; don't encode the data before saving.

Kindly find a source code for XSS. You can also visit DotnetPiper.com to understand more about MVC and jQuery.
Note: select all SimpleMemberShip and unzip into single Extract to SimpleMemberShip.
Please replace the packages and bin folder to SimpleMemberShip after unzipping. Refer to the image below:

Download code from here

Cross-Site Scripting Attack in MVC4

To learn more about MVC please go to the following link.
MVC Articles


Enjoy Coding and ReadingSmile

1 comment :