XSS Overview
Cross-site Scripting (XSS) is one of the most common web security vulnerabilities.
An attacker inserts malicious HTML code into a web page; when a user browses that page, the HTML code embedded in it is executed in the user's browser to achieve the attacker's goal.
The attack is aimed at the site's users, for the attacker's particular purposes.
XSS is a passive attack; because it is passive and not easy to exploit, many people tend to overlook its dangers.
Causes
Excessive trust in client-side data
Over-confidence in the security of dynamic web technologies
Insufficient server security settings
Users place too much trust in every link on the website
Insufficient security protection for cookies
Principles and hazards
Attackers can access sensitive data by entering specially crafted HTML, JavaScript, and CSS code.
Injecting a string containing special content can change the structure or content of the target web page.
Attackers can upload special files to obtain high-level server privileges or damage the server system and data.
Using social engineering, attackers trick users into visiting or clicking a web page or link containing malicious code, in order to carry out harmful actions.
HttpUtility.HtmlEncode();
Defense against XSS attacks
Check all code that generates dynamic web pages from user input for security vulnerabilities.
Check whether user-supplied data (form fields, cookies, Request.QueryString) contains unsafe content.
Apply security processing to cookies (for example, binding them to the MAC and IP address).
Limit the length of input data.
Encode the output to filter out special characters:
HttpUtility.HtmlEncode
AntiXss.HtmlEncode
Avoid using the plain string type where possible.
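As an added example, not code from the original page: the output-encoding step above (what HttpUtility.HtmlEncode and AntiXss.HtmlEncode do on the server) written as a small JavaScript encoder, combined with the input-length limit, and applied to a constructed untrusted value at the point of output. The function names, the 64-character limit and the sample input are assumptions.

```javascript
// Added example (not from the original page): a minimal HTML output encoder,
// equivalent in spirit to HttpUtility.HtmlEncode, plus an input length limit,
// applied to a constructed untrusted value before it is placed in a page.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode a value for insertion into HTML element content or a quoted attribute.
// Every character that could open a tag, entity or attribute boundary is replaced.
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Truncate over-long input (assumed limit: 64 characters), as the
// "limit the length of input data" item above recommends.
function limitLength(value, max = 64) {
  const s = String(value);
  return s.length > max ? s.slice(0, max) : s;
}

// Build the response fragment the way a server-side template should: the
// untrusted value passes through the encoder at the point of output, in both
// the element-content and the quoted-attribute position.
function renderGreeting(untrustedName) {
  const safe = htmlEncode(limitLength(untrustedName));
  return `<p>Hello, <span class="user" title="${safe}">${safe}</span></p>`;
}

// Self-check helper: does the rendered fragment still contain the untrusted
// value verbatim while that value looks like markup? Encoded output must not.
function containsRawTag(fragment, untrusted) {
  return /<[a-z]/i.test(untrusted) && fragment.includes(untrusted);
}

// Constructed untrusted input, as a user might submit it in a form field.
const sample = '<script>alert("x")</script>';
const rendered = renderGreeting(sample);
console.log(rendered); // the tag is shown as text, not executed
```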