ASP.NET Web security basics: XSS vulnerability

Source: Internet
Author: User
Tags: html encode

1. XSS (cross-site scripting) is the most common vulnerability in Web applications. An attacker embeds a client-side script (such as JavaScript) in a Web page; when a user views that page, the script runs in the user's browser and achieves the attacker's goal, such as stealing the user's cookie, redirecting the user to a malicious website, or delivering a Trojan horse.

2. DOM-based XSS threatens individual users.

Stored XSS (a stored XSS vulnerability) threatens a large number of users.

3. ASP.NET validates the data in the Request object by default and raises an error if that data contains characters that could carry an XSS attack. For CMS-style systems that genuinely need to accept submitted HTML content, this check can be turned off by adding the ValidateRequest="false" attribute to the page directive at the top of the page.

4. When content must be HTML-encoded before it is displayed, besides encoding it manually with HttpUtility.HtmlEncode, you can also display it through a Literal control: if you set the Literal's Mode property to Encode, the content is automatically HTML-encoded before it is rendered.

5. Fixing XSS vulnerabilities

Don't trust data submitted by users.

Note: The attack code is not necessarily inside <script></script> tags.

      1. Mark important cookies as HttpOnly so that the document.cookie statement in JavaScript cannot read them.
      2. Only allow users to enter the data we expect. For example, in an age TextBox, allow only digits and filter out every other character.
      3. HTML-encode the data before output.
      4. Filter or remove dangerous HTML tags such as <script> and <iframe>, and encode special characters, e.g. &lt; for <, &gt; for >, &quot; for ".
      5. Filter JavaScript event attributes such as "onclick=", "onfocus=" and so on.
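The five points above, put together in one Web Forms code-behind. This is an added example, not code from the original article; the control IDs (txtAge, txtName, litName, litGreeting, lblError), the cookie name and the Demo.Profile class are assumptions made for the illustration.

```csharp
// Added example (not from the original article). Assumed markup on the .aspx page:
//   <asp:TextBox ID="txtAge" runat="server" />
//   <asp:TextBox ID="txtName" runat="server" />
//   <asp:Literal ID="litName" runat="server" Mode="Encode" />
//   <asp:Literal ID="litGreeting" runat="server" Mode="PassThrough" />
//   <asp:Label ID="lblError" runat="server" />
using System;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace Demo
{
    public partial class Profile : Page
    {
        // Fix 2: accept only the data we expect, here one to three ASCII digits.
        private static readonly Regex AgePattern = new Regex(@"^[0-9]{1,3}\z", RegexOptions.Compiled);

        protected void Page_Load(object sender, EventArgs e)
        {
            // Fix 1: HttpOnly stops document.cookie in script from reading the token.
            var token = new HttpCookie("AuthToken", Guid.NewGuid().ToString("N"));
            token.HttpOnly = true;
            token.Secure = Request.IsSecureConnection;
            Response.Cookies.Add(token);

            if (!IsPostBack) return;

            // Fix 2: whitelist validation; reject anything outside the expected alphabet.
            string age = txtAge.Text;
            if (!AgePattern.IsMatch(age))
            {
                lblError.Text = "Age must be a number.";   // static text, nothing from the request
                return;
            }

            // Fix 3/4: with Mode = Encode the Literal HTML-encodes its Text on render, so an
            // input like <script>alert(1)</script> is shown as text, not executed. With the
            // default ValidateRequest="true" such input is rejected before it gets here; on a
            // page that sets ValidateRequest="false", this encoding is what protects the browser.
            litName.Mode = LiteralMode.Encode;
            litName.Text = txtName.Text;

            // The same result by hand: HtmlEncode turns < > & " into &lt; &gt; &amp; &quot;
            // (age was already restricted to digits, so it needs no encoding).
            litGreeting.Text = "Hello, " + HttpUtility.HtmlEncode(txtName.Text) + " (" + age + ")";
        }
    }
}
```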
