Cross-site scripting (XSS) attack and defense in ASP.NET development practice

Source: Internet
Author: User
XSS Overview
Cross-site scripting is one of the most common web security vulnerabilities.
An attacker inserts malicious HTML code into a web page; when a user browses that page, the HTML code embedded in it is executed in the user's browser, achieving the attacker's malicious goal.

It targets the users of a site for the attacker's own purposes.
XSS is a passive attack: because the victim must trigger it and it is not straightforward to exploit, many people overlook its dangers.

Causes
Over-trusting client-side data
Over-confidence in the security of dynamic web technologies
Insufficient server security settings
Users trusting every link on the website
Insufficient protection of cookies

Principles and hazards
Attackers can obtain sensitive data by entering special HTML, JavaScript, and CSS code.
Injecting a string with specially crafted content changes the structure or content of the target web page.
Attackers can upload special files to obtain high-level server permissions or damage the server's system and data.
Social engineering is used to trick users into visiting or clicking a web page or link containing malicious code, which then performs the malicious behavior.

HttpUtility.HtmlEncode();

Defense against XSS attacks
Audit all code that generates dynamic web pages from user input for security vulnerabilities.
Check user input data (Form, Cookies, Request.QueryString) for unsafe content.
Apply security processing to cookies (for example, binding them to the MAC and IP address).
Limit the length of input data.
Encode the output to neutralize special characters:
HttpUtility.HtmlEncode
AntiXss.HtmlEncode
Avoid using the string type for input where a more specific type is possible.
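As an added example (not code from the original article), the vulnerable string-concatenation pattern is shown beside a hardened version in C# that applies the article's advice: a length limit, a typed parse instead of a raw string, and a System.Web HttpUtility encoder chosen for each output context. The method names and the sample input are constructed for illustration; the separate AntiXSS library is not required for this snippet.

```csharp
using System;
using System.Web; // System.Web.HttpUtility: HtmlEncode, HtmlAttributeEncode, UrlEncode, JavaScriptStringEncode

public static class XssDemo
{
    // Vulnerable: untrusted input is concatenated into HTML unencoded, so a value
    // such as <script>alert(1)</script> becomes live markup in the user's browser.
    public static string RenderGreetingUnsafe(string name)
    {
        return "<p>Hello, " + name + "</p>";
    }

    // Hardened: bound the length, parse numeric input into an int, and encode each
    // output position with the encoder that matches its context (HTML body,
    // quoted attribute, URL query value, JavaScript string literal).
    public static string RenderGreetingSafe(string name, string page)
    {
        if (string.IsNullOrEmpty(name) || name.Length > 64)
            name = "guest";                       // input length limit

        int pageNumber;                           // typed value instead of a raw string
        if (!int.TryParse(page, out pageNumber) || pageNumber < 1)
            pageNumber = 1;

        return
            "<p>Hello, " + HttpUtility.HtmlEncode(name) + "</p>" +
            "<a title=\"" + HttpUtility.HtmlAttributeEncode(name) + "\" " +
            "href=\"/page?n=" + pageNumber + "&amp;u=" + HttpUtility.UrlEncode(name) + "\">next</a>" +
            "<script>var user = \"" + HttpUtility.JavaScriptStringEncode(name) + "\";</script>";
    }

    public static void Main()
    {
        // Constructed sample input: a classic probe string, not a real request.
        string input = "<script>alert(1)</script>";
        Console.WriteLine(RenderGreetingUnsafe(input));      // script tag reaches the page intact
        Console.WriteLine(RenderGreetingSafe(input, "abc"));  // &lt;script&gt;... in every context
    }
}
```

In ASP.NET 4 Web Forms the `<%: expr %>` syntax, and in Razor `@expr`, apply HtmlEncode automatically, so the explicit calls matter most in code that builds markup by string concatenation as above. Attribute values must also be quoted for HtmlAttributeEncode to be sufficient.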
