
I got a security issue in our application. I am not understanding the question below. Please, can anyone let me know what it is and how to solve this generic issue? How do I scan a website with security-related tools?

Thread – XSS vulnerabilities occur when the Web application echoes user-supplied data in an HTML response sent to the Web browser. For example, a Web application might include the user's name as part of a welcome message or display a home address when confirming a shipping destination. If the user-supplied data contain characters that are interpreted as part of an HTML element instead of literal text, then an attacker can modify the HTML that is received by the victim's Web browser.

Ex: http://mydomain/Products.aspx?category=%22%20onEvent%3dX151232644Y1Z%20&name=Healthcare

  • possible duplicate of [How do you avoid XSS vulnerabilities in ASP.Net (MVC)?](http://stackoverflow.com/questions/3955658/how-do-you-avoid-xss-vulnerabilities-in-asp-net-mvc) – Michael Petrotta Nov 23 '11 at 06:36
  • I am using .NET Framework 3.5. I think these may not be useful for me. – rangarajesh Nov 23 '11 at 07:04

2 Answers


OWASP goes into some great detail on the subject in their "XSS (Cross Site Scripting) Prevention Cheatsheet".

phatfingers
  • A simple XSS attack might involve a person e-mailing a link to your site with some parameters that exploit an XSS vulnerability allowing JavaScript and/or HTML they supply to be injected into the presented page. It looks to the user like it came from you, but may include visuals, code, or instructions introduced by the attacker. – phatfingers Nov 23 '11 at 06:51
  • There are a number of tools and online services that scan for XSS. Most of them spider your website and try posting form data crafted to try to "inject" javascript or tags that they can detect in the page. Examples include qualys.com (good support for regulatory compliance) or tenable.com (good for broad-spectrum of different types of vulnerabilities). – phatfingers Nov 23 '11 at 17:12
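The probe in the question decodes to `" onEvent=X151232644Y1Z ` (a double quote, a fake event-handler name and a canary token), which is exactly the kind of value an XSS scanner sends: if the canary comes back directly after an unencoded quote, the value was reflected inside an attribute and an attacker could substitute a real handler such as `onmouseover`. The console program below is an added example, not code from the question or from the answer above. It targets .NET Framework 3.5 and references `System.Web.dll` for `HttpUtility`; the parameter names and canary are taken from the URL in the question, while the `<input>` markup, the method names and the `Main` harness are constructed for this example. It shows the vulnerable rendering, the attribute-encoded rendering, and the reflection check a scanner performs.

```csharp
// Added example (not from the original question or answers): how the scanner's
// probe breaks out of an HTML attribute, and how context-specific output
// encoding stops it. Targets .NET Framework 3.5; reference System.Web.dll.
using System;
using System.Web;

static class ReflectedXssDemo
{
    // Query string from the question. URL-decoded, category is:  " onEvent=X151232644Y1Z 
    const string ProbeQuery = "category=%22%20onEvent%3dX151232644Y1Z%20&name=Healthcare";
    const string Canary = "X151232644Y1Z";

    // Vulnerable: the raw category value is concatenated into a double-quoted attribute,
    // so the leading quote in the probe closes the attribute and the rest is parsed
    // as a new attribute (a real attacker uses onmouseover/onfocus instead of onEvent).
    public static string RenderVulnerable(string category)
    {
        return "<input type=\"hidden\" name=\"category\" value=\"" + category + "\">";
    }

    // Hardened: HtmlAttributeEncode turns " into &quot;, so the value can never close
    // the attribute. Always wrap the attribute in double quotes as well; older
    // framework versions leave the apostrophe alone.
    public static string RenderAttributeEncoded(string category)
    {
        return "<input type=\"hidden\" name=\"category\" value=\""
               + HttpUtility.HtmlAttributeEncode(category) + "\">";
    }

    // Hardened for the HTML-body context (the "welcome message" case from the question).
    public static string RenderBodyEncoded(string name)
    {
        return "<p>Welcome, " + HttpUtility.HtmlEncode(name) + "</p>";
    }

    // What a scanner checks: the canary reflected right after an unencoded quote,
    // i.e. the injected text landed where the browser parses a new attribute.
    public static bool CanaryEscapedAttribute(string html)
    {
        return html.Contains("\" onEvent=" + Canary);
    }

    static void Main()
    {
        var query = HttpUtility.ParseQueryString(ProbeQuery); // decodes %22, %20, %3d
        string category = query["category"];                   // " onEvent=X151232644Y1Z 

        string vulnerable = RenderVulnerable(category);
        string hardened = RenderAttributeEncoded(category);

        Console.WriteLine(vulnerable);
        Console.WriteLine("vulnerable page reflects the probe unencoded: "
                          + CanaryEscapedAttribute(vulnerable)); // True
        Console.WriteLine(hardened);
        Console.WriteLine("encoded page reflects the probe unencoded:    "
                          + CanaryEscapedAttribute(hardened));   // False

        // Constructed body-context input: the tags are rendered as text, not executed.
        Console.WriteLine(RenderBodyEncoded(query["name"] + " <script>alert(1)</script>"));
    }
}
```

The check in `CanaryEscapedAttribute` is deliberately crude; real scanners also test the HTML-body, JavaScript-string and URL contexts with different probes, which is why the OWASP cheat sheet prescribes a different encoder for each context rather than one "escape everything" call.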

You can use AntiXSS in your web application.

Tutorials

http://haacked.com/archive/2010/04/06/using-antixss-as-the-default-encoder-for-asp-net.aspx

http://msdn.microsoft.com/en-us/security/aa973814

Useful tools

Microsoft Web Protection Library http://wpl.codeplex.com/

Exploit XSS

http://msdn.microsoft.com/en-us/library/aa973813.aspx

http://www.cgisecurity.com/xss-faq.html

Basic way to prevent XSS

Input --> Anti-SQL Injection --> Store in DB --> Anti-XSS --> Output

Peter PAD
  • These links relate to the .NET Framework 4.0. We are using 3.5; can you explain how to scan a website for vulnerabilities? – rangarajesh Nov 23 '11 at 07:10
  • I've updated my post. Let's read and understand a simple XSS bug. You will find the way to prevent it. – Peter PAD Nov 23 '11 at 07:25
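The pipeline in the answer above ("Input --> Anti-SQL Injection --> Store in DB --> Anti-XSS --> Output") means: never encode on the way in, store what the user typed, keep it out of SQL text with parameters, and encode at the moment of output with the encoder for the context the value lands in. The program below is an added example, not code from the answer or from Microsoft's library. It assumes the AntiXSS 4.x assembly from the Web Protection Library linked above is referenced (namespace `Microsoft.Security.Application`, class `Encoder`) together with `System.Data`; the `Customers` table, its columns, the connection string and the sample input are all made up here. On .NET 3.5 the encoder has to be called explicitly as shown; the haacked.com post about making AntiXSS the default encoder relies on the ASP.NET 4.0 `encoderType` setting.

```csharp
// Added example (not from the original answer): the Input --> parameterised SQL
// --> DB --> encode-per-context --> Output pipeline in C# for .NET 3.5.
// Assumes the AntiXSS 4.x library (Microsoft.Security.Application.Encoder) and
// System.Data are referenced; table, columns and connection string are hypothetical.
using System;
using System.Data;
using System.Data.SqlClient;
using Microsoft.Security.Application;

static class StoreThenEncode
{
    // Steps 1-2: store the raw value through a parameterised query. No string
    // concatenation and no encoding on the way in: the database holds exactly
    // what the user typed, which keeps it usable for search, e-mail and reports.
    public static SqlCommand BuildInsert(SqlConnection conn, string userName, string address)
    {
        var cmd = new SqlCommand(
            "INSERT INTO Customers (Name, Address) VALUES (@name, @address)", conn);
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = userName;
        cmd.Parameters.Add("@address", SqlDbType.NVarChar, 400).Value = address;
        return cmd;
    }

    // Step 3: encode at output time, one encoder per context. The same value
    // needs different treatment in body text, in an attribute and in script.
    public static string RenderProfile(string userName, string address)
    {
        return
            // HTML body text
            "<h1>Welcome " + Encoder.HtmlEncode(userName) + "</h1>\n" +
            // double-quoted attribute value
            "<input name=\"address\" value=\"" + Encoder.HtmlAttributeEncode(address) + "\">\n" +
            // JavaScript string literal; JavaScriptEncode emits the surrounding quotes itself
            "<script>var user = " + Encoder.JavaScriptEncode(userName) + ";</script>";
    }

    static void Main()
    {
        // Constructed attacker-style input: attribute breakout plus a script tag.
        string name = "Bob\" onmouseover=\"alert(1)";
        string address = "<script>alert(document.cookie)</script>";

        // Hypothetical connection string; the command is built but not executed,
        // so this runs without a database. cmd.ExecuteNonQuery() would run it.
        using (var conn = new SqlConnection("Server=.;Database=Shop;Integrated Security=true"))
        {
            SqlCommand cmd = BuildInsert(conn, name, address);
            Console.WriteLine(cmd.CommandText);                       // text is fixed, input is data
            Console.WriteLine("@name    = " + cmd.Parameters["@name"].Value);
            Console.WriteLine("@address = " + cmd.Parameters["@address"].Value);
        }

        // Output step: every < " and ' from the input comes out as an entity or escape.
        Console.WriteLine(RenderProfile(name, address));
    }
}
```

Encoding on input instead (the common shortcut) is what produces `&amp;lt;` double-encoding on pages that encode again, and it leaves the stored value wrong for every non-HTML consumer; the parameterised insert protects the database step regardless of what the value contains.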