Thursday, September 19, 2024

Paranoia: Cross Site Scripting

They’re watching you – you know that? They’ve been scoping out your site for quite some time, looking at ways to screw with you and your site.

All right, you think your code is secure, eh? Got the latest handy-dandy encryption on your stuff, all up to snuff on your patches and service packs. But you know what? You’re making a critical blunder on your site, and you might not even know it.

If you take a value passed in on the Querystring and Response.Write it straight out onto the page, without checking it or encoding it first, uh-oh brother, you’ve got problems… You’re ripe for the picking with Cross Site Scripting. Unless you already know where I’m going with this, read on.

Say you pass a user’s first name from one page to another on the Querystring and then display that value on the page with a Response.Write. You’re setting yourself up for disaster! Look at this innocent Querystring:

-==-

You’re trying to make poor Lumpy’s user experience a little brighter, so you’re being nice and executing the following code:

-==-

When you run this code you get the following output:

Hello Lumpy

Here’s a look at the QueryString that would produce the “Hello Lumpy” output:

-==-

But if I were evil Eddie, I’d sneak a little bit of JavaScript in on you when you weren’t looking!

-==-

Guess what? If you paste this into your browser’s address bar, the page writes the script tag straight back out as part of its HTML and the browser pops up a nice little box telling you “beotch”, er, whatever that means!

How in the world did this happen? Oh MY! Any JavaScript an attacker can squeeze into that Querystring gets written into your page and runs in the visitor’s browser as if it were your own code, under your site’s name. That is the Cross Site Scripting vulnerability.
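Here is the vulnerable pattern written out, as an added example that is not the article’s own code: the article’s listing is ASP with Response.Write, this is a Node.js stand-in for it. The host name, page name and script payload are made up for illustration.

```javascript
// Added example, not code from the original article: a Node.js stand-in for
// the ASP pattern  Response.Write("Hello " & Request.QueryString("fName")).
// The host name, page name and script payload are constructed for illustration.

// The vulnerable page: read fName off the query string and write it straight
// into the HTML, exactly as the article's Response.Write does. No validation,
// no encoding, so whatever came in on the URL becomes part of the page.
function renderGreetingUnsafe(requestUrl) {
  const fName = new URL(requestUrl).searchParams.get('fName') ?? '';
  return `<html><body>Hello ${fName}</body></html>`;
}

// What a tester checks in the response: did attacker-supplied markup survive
// into the page as live HTML rather than as harmless text?
function reflectsScript(html) {
  return /<script\b/i.test(html);
}

// Constructed inputs: the friendly link and evil Eddie's link. The payload is
// percent-encoded the way a browser sends it; the server decodes it again
// before handing it to the page, which is why the <script> tag comes back whole.
const friendlyLink = 'http://example.test/hello.asp?fName=Lumpy';
const hostileLink = 'http://example.test/hello.asp?fName=' +
  encodeURIComponent('<script>alert(document.cookie)</script>');

console.log(renderGreetingUnsafe(friendlyLink));
console.log(renderGreetingUnsafe(hostileLink));
```

The second call shows the whole problem in one line of output: the `<script>` element arrives inside the body of your page, indistinguishable from markup you wrote yourself, and the browser runs it with access to everything your page can see, your cookies included.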

Check out this URL…

-==-

Ok, yeah. Now it’s getting scary… But, uh, so what? I mean, who cares if I can paste JavaScript onto someone’s site? Oooh, wow. Now wait a minute, check out this next line… It’ll make you think.

-==-

I send someone a seemingly valid link to your URL. Maybe they DO make it to the site, but they also get something else: the nasty little JavaScript I’ve embedded in the link, running in their browser under your site’s name, with access to their cookies for your site. Pretty bad, eh? Think about someone sending around your URL, and the next thing the end user knows, they’re face-to-face with a bizarre picture depicting various unmentionables and bids for online casinos… You get the idea. Something you don’t want your Grandma to see when she’s expecting pictures of little Johnny…

So, how do you prevent Cross Site Scripting? Heh heh, I thought you’d never ask!

First off, let’s get a couple of things straight: be smart, not stupid. Follow some simple rules:

1.) If you’re expecting a particular type of data, check that what arrived really is that type before you use it.

2.) Check the length. If you expect an fName of at most 25 characters, chop the extra characters off and drop them. Don’t give evil Eddie room to do a lot of damage.

3.) Look for characters that have no business in the field (the ubiquitous ; for one). Don’t just take what you get from the Querystring; question all of your input. Trust no one. Really.

Ok, here’s a smidgen of code for you to scope out. Obviously, you’ll want to flesh this out to fit your particular site:

-==-

This isn’t rocket science; it’s pretty easy in concept. All I’m doing is testing for a NOT match against the numbers 0-9 and the letters a-z and A-Z. Anything else is verboten, forbidden. Make sure the test covers every character of the value, not just the first one, so a name that merely starts with a letter doesn’t slip through. You can then redirect the malicious end user who tried to pass in the ol’ script tags.

Try this the next time you want to check up on Lumpy:

-==-

Notice that if the end user tries to pass anything other than a number or a letter, they get told off with a Response.Write(“Hello… JERK”);
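Here is the article’s defence written out as an added example in Node.js; it is not the author’s ASP listing, and the host name, page name and sample inputs are made up. sanitizeName() is the article’s three rules and the alphanumeric NOT-match test; htmlEncode() is an extra safeguard the article does not cover, encoding on output, which keeps the page safe even when the allowlist later has to be loosened for real names like O’Brien.

```javascript
// Added example, not the article's own code: the article's allowlist defence
// in Node.js, plus output encoding as the editor's more general safeguard.
// Host name, page name and sample inputs are constructed for illustration.

const MAX_NAME_LENGTH = 25;   // rule 2 in the article: the longest fName you expect

// Rules 1 to 3: right type, right length, only the characters a first name may
// contain. This is the article's "NOT match against 0-9, a-z, A-Z" written as an
// anchored positive pattern, so every character of the value must pass, not
// just the first one. Returns the cleaned name, or null if it must be rejected.
function sanitizeName(value) {
  if (typeof value !== 'string') return null;               // rule 1: expected type
  const trimmed = value.slice(0, MAX_NAME_LENGTH);           // rule 2: chop the excess
  return /^[0-9a-zA-Z]+$/.test(trimmed) ? trimmed : null;   // rule 3: allowlist
}

// Output encoding: the five HTML-significant characters become entities, so the
// browser shows them as text instead of parsing them as markup. This is the
// defence that still holds if the allowlist is later relaxed to admit names
// such as O'Brien or Anne-Marie.
function htmlEncode(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The hardened page: validate first and tell off the JERK, as the article does,
// then encode on the way out anyway.
function renderGreetingSafe(requestUrl) {
  const raw = new URL(requestUrl).searchParams.get('fName') ?? '';
  const fName = sanitizeName(raw);
  if (fName === null) {
    return '<html><body>Hello... JERK</body></html>';
  }
  return `<html><body>Hello ${htmlEncode(fName)}</body></html>`;
}

const base = 'http://example.test/hello.asp?fName=';
console.log(renderGreetingSafe(base + 'Lumpy'));
console.log(renderGreetingSafe(base + encodeURIComponent('<script>alert(1)</script>')));
console.log(renderGreetingSafe(base + 'A'.repeat(40)));   // chopped to 25 characters
```

A bare alphanumeric allowlist is fine for a demo but rejects plenty of legitimate first names (apostrophes, hyphens, accented letters). Encoding every untrusted value at the point where it is written into HTML is the rule that always applies; validation just narrows what gets that far.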

Be careful of Cross Site Scripting. It’s a serious problem that can be dealt with easily, and remember, when it comes to user input you can NEVER be too paranoid… even if they are watching you.

Tiberius OsBurn is a freelance technology author and speaker based in Omaha,
Nebraska. His book, “Hardcore Development”, will be released in the summer
of 2003. Mr. OsBurn has extensive experience in VB, VB.NET, C#, SQL Server,
ASP.NET and various other web technologies. Be sure to visit his site,
http://www.tiberi.us, for his latest articles of interest to .NET developers.
