JavaScript Injection Questions

I read on the ASP.NET MVC training site about injecting JavaScript, and it was an eye opener.

I didn't even realize / think that someone could use JavaScript to make some strange injection attacks.

However, it left me with some unanswered questions.

First

When do you use Html.Encode? Do you use it only when you are going to display information that this user or some other user has submitted?

Or do I use it for everything? Say I have a form that the user submits and this information will never be displayed to any of the users; should I still use Html.Encode?

How would I do this? I'm not sure how to embed Html.Encode inside, say, an Html.TextBox().

Second

Say I have a rich HTML editor on my site. The user is allowed to use it to make things bold and so on. Now I want to display the information back to the user through a label. I can't Html.Encode it, since then all the bold and such will not be displayed.

But I can't leave it the way it is either, since how would that prevent the user from adding some JavaScript attack?

So what should I do? Use a regex to filter all tags?

Third

There is another tag you can use called "AntiForgeryToken"; when do you use it?

thanks

Edit

Almost everyone says that they use a white list and black list; how would I write this list and compare it with incoming values (examples in C# would be good)?

+4
4 answers

Good question!

  • For the first question, I will refer you to a previous question asked here. As that discussion says, using HTML Encode will not fully protect you from all XSS attacks. To help with this, you should consider using the Microsoft Web Protection Library (AntiXSS in particular), available from Microsoft.

  • As already mentioned, using a list of valid tags and deleting the others is the best thing to do.

  • The AntiForgeryToken helper works to prevent cross-site request forgery (CSRF) by giving the user a cookie that is validated against the form field when the page is submitted. There is no reason that I know of that you cannot use it in all your forms.

+2

Use HTML Encode for any displayed data that has been submitted by the user. You do not need to use it when sending to the database, otherwise you will get odd data such as: Simon '&' Sons. In fact, I do not see any harm in using it on any content written to the page dynamically.

Use a list of allowed tags and discard everything else for your HTML editor. As people say, use a whitelist.

The third is designed to prevent a request forgery attack. You use it so that people cannot POST using a "stolen" cookie from the user. That is, you may require an authentication cookie before accepting the post, but an attacker can use that cookie when a user visits their site, which then submits a form to your site claiming to be the user.

See here: http://haacked.com/archive/2009/04/02/anatomy-of-csrf-attack.aspx

How to use it: http://blog.codeville.net/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/

+2
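Added example, not code from the answer or from Microsoft: a minimal ASP.NET MVC controller with the matching ASPX view fragments in a trailing comment, showing the two points above, storing the raw value and encoding only at display time, and pairing Html.AntiForgeryToken() with [ValidateAntiForgeryToken]. CompanyController, CompanyModel and the static Names list (standing in for a database) are assumed names.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;

// Added example, not from the original answer. Names stands in for a database table.
public class CompanyModel
{
    public string Name { get; set; }
}

public class CompanyController : Controller
{
    // Assumed in-memory store; a real application would use its repository here.
    private static readonly List<string> Names = new List<string>();

    [HttpGet]
    public ActionResult Edit()
    {
        return View(new CompanyModel());
    }

    // [ValidateAntiForgeryToken] rejects a POST whose hidden form field does not
    // match the anti-forgery cookie, which a form on another site cannot supply.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(CompanyModel model)
    {
        // Store the raw value: "Simon & Sons" is saved as typed, not as "Simon &amp; Sons".
        Names.Add(model.Name ?? string.Empty);
        return RedirectToAction("Show");
    }

    public ActionResult Show()
    {
        return View(Names);
    }
}

/* Edit.aspx (Web Forms view engine): the token goes inside the form.

   <% using (Html.BeginForm()) { %>
       <%= Html.AntiForgeryToken() %>
       <%= Html.TextBox("Name") %>   <%-- the helper already encodes the value attribute --%>
       <input type="submit" value="Save" />
   <% } %>

   Show.aspx: encode only here, at the point of display.

   <% foreach (string name in Model) { %>
       <p><%= Html.Encode(name) %></p>
   <% } %>
*/
```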

Always validate received input against a whitelist. If you use a blacklist, you may run into encoding issues. When validating input, always use a whitelist.

Do not rely on client-side validation to validate user input. Client-side validation is great for helping the user enter the correct data, but an attacker will not use it and can bypass the client-side check. Client-side validation should never be considered a security fix. Using JavaScript to validate input should not be relied upon. JavaScript is very easy to modify on any HTML page, and JavaScript can also be disabled in the browser. Therefore, do additional validation in the code-behind file.

Additionally, check the input every time, and not just when the data is initially received. For example, if you set a cookie, make sure that the cookie has the same value and that it matches on each request. An attacker can modify and change the value at any time during a session.

+1

There are various levels of security that can be implemented based on the design considerations of your application.

I would go with the following basic rules:

  • Sanitize all input by removing known malicious sections (for example, <script> tags in a rich HTML editor). Regular expression pattern matching is commonly used for such sanitization.

  • Remove any input that is not in your whitelist.

  • Encode any HTML before saving it to the database and decode it back when it is extracted for display.

Edit: @Phoenix talks about validation in this context, so I decided to add this. I have already spoken about this before, and I repeat: I am not against script-based validation. I only caution people not to rely on it directly. A common design pattern is to check the basic criteria using script-based validation and to provide strong server-side validation when this data is submitted.

+1
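Added example, in C# as the edit to the question asks, and not code from the thread or from Microsoft: a whitelist sanitizer for the rich HTML editor case discussed in the answers above. RichTextSanitizer and its AllowedTags set are hypothetical names; only the listed formatting tags are kept (stripped of their attributes), and every other tag and all text is HTML-encoded so the browser renders it as literal text.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.RegularExpressions;
using System.Web; // HttpUtility (System.Web.dll)

// Added example, not from the thread: a whitelist sanitizer for rich-text input.
// Only the tags in AllowedTags survive, re-emitted without attributes; every other
// tag and all text is HTML-encoded so the browser shows it as literal text.
public static class RichTextSanitizer
{
    // Formatting tags the editor is allowed to produce (assumed set; extend as needed).
    private static readonly HashSet<string> AllowedTags =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
            { "b", "i", "u", "strong", "em", "p", "br" };

    // An optional '/', a tag name, then anything up to the closing '>'.
    private static readonly Regex TagPattern =
        new Regex(@"<(/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>", RegexOptions.Compiled);

    public static string Sanitize(string input)
    {
        if (string.IsNullOrEmpty(input)) return string.Empty;

        var output = new StringBuilder(input.Length);
        int last = 0;
        foreach (Match m in TagPattern.Matches(input))
        {
            // Text between tags is untrusted: encode it.
            output.Append(HttpUtility.HtmlEncode(input.Substring(last, m.Index - last)));

            string name = m.Groups[2].Value.ToLowerInvariant();
            if (AllowedTags.Contains(name))
            {
                // Re-emit a bare tag, so attributes such as onclick="..." are dropped.
                output.Append('<').Append(m.Groups[1].Value).Append(name).Append('>');
            }
            else
            {
                // A tag outside the whitelist (e.g. <script>) becomes visible text.
                output.Append(HttpUtility.HtmlEncode(m.Value));
            }
            last = m.Index + m.Length;
        }
        // Trailing text after the last tag (or the whole input if it had no tags).
        output.Append(HttpUtility.HtmlEncode(input.Substring(last)));
        return output.ToString();
    }
}
```

This runs server-side on the stored text right before it is written to the page, and it does not balance open and close tags; for production use, a maintained library such as the AntiXSS library mentioned in the first answer handles far more cases.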
