How to prevent Cross Site Scripting Attacks

One of the common types of security attacks on web-based systems (both intranet and internet) is cross-site scripting. It is a technique that allows hackers to perform one of the following things.
  1. Execute malicious script in a client’s web browser.
  2. Insert script, object, applet, form and embed tags.
  3. Steal web session information and authentication cookies.
  4. Access the client computer.

Scenario - Any web page that allows user to enter data in fields is susceptible.

How to defend against cross-site scripting attacks?
  1. Validate user input. Do not trust any input as valid unless proven otherwise.
  2. Do not echo back data entered by a user unless you have validated it.
  3. Do not store secret information in cookies. Secret information includes any and all data item that uniquely identifies a person, credit card number, etc. If you had to store secret information in a session cookie, encrypt the cookie.
  4. Use HttpOnly cookie option.
  5. Use the security attribute.
  6. Take advantage of ASP.NET features, such as ValidateRequest Page attribute.
  7. Use HtmlEncode and UrlEncode where appropriate.

No comments:


Powered by Blogger.