XSS and How to prevent XSS attack in ASP.NET MVC

Introduction to XSS

There are some specific threats we will face. One popular attack in this category is Cross-Site Scripting, or XSS. In a cross-site scripting attack the malicious user tries to have your website load a malicious script into another user's browser. It could be a malicious script, an ActiveX control, or even some malicious HTML. Such scripts can steal cookies, modify user settings, download malware, or modify content. One of the worst cross-site scripting attacks is account hijacking, where the malicious user gains access to the victim's credentials and personal information.


Once this happens, your users become vulnerable to any number of problems.



This is a simple application for saving employee information. Suppose I put in some HTML, such as I am from <em>India</em>, and then try to save it. ASP.NET automatically rejects this request to prevent cross-site scripting, because ASP.NET request validation looks for anything that resembles HTML and simply rejects the request. There is actually nothing wrong with the emphasis tag, but ASP.NET does not try to make that distinction: anything that looks like HTML is rejected.


Sometimes a user needs to upload some HTML to the server, and then there are ways to circumvent this request validation. You have to be extremely careful. One option is to put the ValidateInput attribute on the destination, here the Create action.


So you can successfully process this request.


Now we have a problem: the HTML is encoded here, because Razor encodes everything by default, which is good. This is another defense against cross-site scripting, and we can fix the display easily. However, ValidateInput(false) completely disables the check for malicious HTML, and really we only need HTML inside one specific property. So you can allow HTML for one property using the AllowHtml attribute. Some other changes are needed too: remove the ValidateInput attribute from the Create action and make sure that we pass the EmployeeViewModel class as the action parameter, so that model binding takes place and moves the HTML into that property. There is also one change in the view, to show the HTML without encoding by passing the ViewData through the Html.Raw helper.


Then save one more record and display the ViewData containing the HTML tag in the same view.
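The two approaches described above, side by side, as an added example written for this page rather than code from the post's own project. The EmployeeViewModel type, the Create action, AllowHtml, ValidateInput and Html.Raw are the ones the post names; the Name and Description property names and the controller class names are assumptions.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// Weak variant: ValidateInput(false) switches request validation off for
// EVERY value posted to this action, so any field can carry markup, not
// only the one field that legitimately needs it.
public class WeakEmployeeController : Controller
{
    [HttpPost]
    [ValidateInput(false)]
    public ActionResult Create(string name, string description)
    {
        ViewData["Description"] = description; // unvalidated, later rendered with Html.Raw
        return View();
    }
}

// Narrower variant: only the single property that needs markup opts out.
// Property names are assumptions for this example.
public class EmployeeViewModel
{
    [Required]
    public string Name { get; set; }          // still covered by request validation

    [AllowHtml]
    public string Description { get; set; }   // the one property allowed to carry HTML
}

public class EmployeeController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create(EmployeeViewModel model)
    {
        if (!ModelState.IsValid)
            return View(model);

        // Request validation is bypassed for Description only. Because the view
        // renders this value with Html.Raw, it is the one place where encoding
        // no longer protects you; the stored markup must be trusted or sanitized.
        ViewData["Description"] = model.Description;
        return View(model);
    }
}

/* Razor view (Create.cshtml), kept as a comment so this stays one block:

   @model EmployeeViewModel
   <p>@Model.Name</p>                              @* encoded by Razor by default *@
   <div>@Html.Raw(ViewData["Description"])</div>   @* deliberately left unencoded *@
*/
```

Posting `I am from <em>India</em>` in Name is still rejected by request validation, while the same text in Description is bound and then rendered as real markup by Html.Raw.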


Hope you are enjoying my article. In the next one I explain the Anti-XSS Library.



