
How to protect or secure ASP.NET MVC from XSS?

I'm creating a web application using the latest version of ASP.NET MVC 5.2.3. I'm just concerned about XSS attacks. I found that ASP.NET Core protects perfectly against XSS attacks and that framework is totally amazing, but it lacks third-party libraries I need for my project. Here's my concern. I already enabled custom errors too, but I have disabled them currently for testing.

But I want to make sure this will also be caught.

  1. Input validation is passed, to avoid this exception or error:

A potentially dangerous Request.Form value was detected from the client (Name="").

Using the [AllowHtml] attribute is fine, or using the AntiXss library.

  2. But from the URL. Example URLs:

        http://localhost:54642/Employees/
        http://localhost:54642/Employees/?a=<script>

link or URL

This error should look like:

A potentially dangerous Request.Path value was detected from the client (<).

So my solution is enabling this from Web.config, and then it works!

But Troy Hunt said in his tutorial that this is not a good or better practice for this error. So I decided to look for the best solution to this XSS attack.

In my form I normally add this anti-forgery token

    @Html.AntiForgeryToken()

then in my controller I make sure to validate the token

    [ValidateAntiForgeryToken]

Also when passing the variable or data, I always declare the correct variable. Anyway, if it's a member area page you can always restrict access to the correct member roles, for example:

    [Authorize] // for registered user

or more filtered

    [Authorize(Roles = "SUBSCRIBER.VIEW")]

Below is only applicable for .NET 4.5 and above

    // web.config
    <system.web>
       <httpRuntime targetFramework="4.5" />
    </system.web>

    // enabling anti-xss
    <httpRuntime targetFramework="4.5" encoderType="System.Web.Security.AntiXss.AntiXssEncoder,System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

Request validation: lazy validation was introduced in ASP.NET 4.5. I just did some testing on it and it seems that lazy validation is enabled regardless of how you set the "requestValidationMode", after you've installed the 4.5 framework.

Check out the OWASP site. Here are the common ones I add in system.web in the web.config file of a Web API app.

    <httpProtocol>
      <customHeaders>
        <remove name="Server" />
        <remove name="X-Powered-By" />
        <remove name="X-Frame-Options" />
        <remove name="X-XSS-Protection" />
        <remove name="X-Content-Type-Options" />
        <remove name="Cache-Control" />
        <remove name="Pragma" />
        <remove name="Expires" />
        <remove name="Content-Security-Policy"/>
        <clear />
        <add name="X-Frame-Options" value="DENY" />
        <add name="X-XSS-Protection" value="1; mode=block"/>
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="Cache-Control" value="no-cache, no-store" />
        <add name="Pragma" value="no-cache" />
        <add name="Expires" value="Sun, 1 Jan 2017 00:00:00 UTC" />
        <add name="Content-Security-Policy" value="default-src 'self' 'unsafe-inline' data:; img-src https://*;"/>
      </customHeaders>
    </httpProtocol>
Steps:
1. Disable input validation.
2. Encode all the input that is coming from the user.
3. Finally, selectively replace the encoded HTML with the HTML elements that we want to allow.

    using System.Text;
    using System.Web;
    using System.Web.Mvc;

    [HttpPost]
    // Input validation is disabled, so the users can submit HTML
    [ValidateInput(false)]
    public ActionResult Create(Comment comment)
    {
        StringBuilder sbComments = new StringBuilder();

        // Encode the text that is coming from comments textbox
        sbComments.Append(HttpUtility.HtmlEncode(comment.Comments));

        // Only decode bold and underline tags (exact tags, so no attributes survive)
        sbComments.Replace("&lt;b&gt;", "<b>");
        sbComments.Replace("&lt;/b&gt;", "</b>");
        sbComments.Replace("&lt;u&gt;", "<u>");
        sbComments.Replace("&lt;/u&gt;", "</u>");
        comment.Comments = sbComments.ToString();

        // HTML encode the text that is coming from name textbox
        string strEncodedName = HttpUtility.HtmlEncode(comment.Name);
        comment.Name = strEncodedName;

        // db is the controller's Entity Framework ObjectContext field
        if (ModelState.IsValid)
        {
            db.Comments.AddObject(comment);
            db.SaveChanges();
            return RedirectToAction("Index");
        }

        return View(comment);
    }
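As an added example (not code from the original answer), the same encode-first, then selectively decode approach generalised to a configurable tag allow-list; `HtmlAllowList`, its `Sanitize` method and the `Comment` usage are hypothetical names. Because the whole string is HTML-encoded before anything is restored, only exact bare tags such as `<b>` or `</u>` come back; a tag carrying attributes (`<b onclick=...>`) or any tag not on the list stays encoded and renders as text.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using System.Web;

// Hypothetical helper: encode everything, then re-enable an exact allow-list of tags.
public static class HtmlAllowList
{
    // Tags we are willing to render; bare tag names only, never attributes.
    private static readonly HashSet<string> Allowed =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "b", "u", "i", "em", "strong" };

    // Matches the encoded form of a bare tag: &lt;b&gt; or &lt;/b&gt;.
    // "&lt;b onclick=...&gt;" does not match because of the space, so it stays encoded.
    private static readonly Regex EncodedTag =
        new Regex(@"&lt;(/?)([a-zA-Z]+)&gt;", RegexOptions.Compiled);

    public static string Sanitize(string input)
    {
        if (string.IsNullOrEmpty(input)) return string.Empty;

        // Step 1: neutralise all markup, including <script> and event handlers.
        string encoded = HttpUtility.HtmlEncode(input);

        // Step 2: restore only allow-listed tags; everything else is returned as-is (encoded).
        // A stray closing tag such as </b> may survive on its own, which browsers ignore.
        return EncodedTag.Replace(encoded, m =>
            Allowed.Contains(m.Groups[2].Value)
                ? "<" + m.Groups[1].Value + m.Groups[2].Value.ToLowerInvariant() + ">"
                : m.Value);
    }
}

// Usage inside an MVC action like the Create action in the answer above
// (assumes a Comment model with a Comments property):
//
// [HttpPost, ValidateAntiForgeryToken, ValidateInput(false)]
// public ActionResult Create(Comment comment)
// {
//     comment.Comments = HtmlAllowList.Sanitize(comment.Comments);
//     // ... validate and save as before
// }
```

In the view, render the sanitised field with `@Html.Raw(Model.Comments)` because it is already encoded, and leave every other field to Razor's default `@Model.Name` encoding so it is not double-encoded.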
