One of the most common attacks on web-based systems (both intranet and internet) is cross-site scripting (XSS). It is a technique that allows an attacker to do one or more of the following things.
- Execute malicious script in a client’s web browser.
- Insert script, object, applet, form and embed tags.
- Steal web session information and authentication cookies.
- Access the client computer.
Scenario - Any web page that allows users to enter data in fields and later displays that data is susceptible.
How to defend against cross-site scripting attacks?
- Validate user input. Do not trust any input as valid unless proven otherwise.
- Do not echo back data entered by a user unless you have validated it.
- Do not store secret information in cookies. Secret information includes any data item that uniquely identifies a person, a credit card number, etc. If you must store secret information in a session cookie, encrypt the cookie.
- Use the HttpOnly cookie option so client-side script cannot read the cookie.
- Use the Secure cookie attribute so the browser sends the cookie only over HTTPS.
- Take advantage of ASP.NET features, such as ValidateRequest Page attribute.
- Use HtmlEncode and UrlEncode where appropriate: HtmlEncode for data written into the HTML page, UrlEncode for data placed into a URL.
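The following C# console program is an added example, not code from the original article, that puts the defenses in the list above side by side: an allow-list validator for a field, an unsafe echo next to its HtmlEncode/UrlEncode-protected version, and a session cookie header carrying the HttpOnly and Secure attributes. The page name, field names, cookie name and the hostile input are all constructed for illustration; the program uses System.Net.WebUtility so it runs with `dotnet run` outside of ASP.NET, and the comments note the equivalent ASP.NET settings.

```csharp
// Added example (not from the original article). Assumes a hypothetical
// greeting page that echoes a user-supplied display name and a "returnTo"
// query parameter; all sample inputs below are constructed.
using System;
using System.Net;
using System.Text.RegularExpressions;

public static class XssDefenseDemo
{
    // 1. Validate input with an allow-list rather than trying to block known-bad
    //    strings. A display name may contain only letters, digits, spaces, '.', '-', '_'.
    private static readonly Regex DisplayNamePattern =
        new Regex(@"^[A-Za-z0-9 ._-]{1,40}$", RegexOptions.Compiled);

    public static bool IsValidDisplayName(string input) =>
        input != null && DisplayNamePattern.IsMatch(input);

    // 2. Vulnerable: user data is echoed straight into the HTML response.
    //    Kept only to show the contrast with the encoded version below.
    public static string RenderGreetingUnsafe(string displayName) =>
        "<p>Hello, " + displayName + "</p>";

    // 3. Hardened: HtmlEncode turns <, >, &, " and ' into entities, so the
    //    browser renders the text instead of executing it. In ASP.NET the same
    //    call is HttpUtility.HtmlEncode / Server.HtmlEncode.
    public static string RenderGreetingSafe(string displayName) =>
        "<p>Hello, " + WebUtility.HtmlEncode(displayName) + "</p>";

    //    UrlEncode is for data placed inside a URL; the result is then
    //    HtmlEncoded because it lands inside an HTML attribute.
    public static string BuildReturnLink(string returnTo) =>
        "<a href=\"/home?returnTo=" +
        WebUtility.HtmlEncode(WebUtility.UrlEncode(returnTo)) + "\">Back</a>";

    // 4. Cookies: the value is an opaque session id (no secret data in it),
    //    HttpOnly keeps script from reading it, Secure restricts it to HTTPS.
    //    In ASP.NET: cookie.HttpOnly = true; cookie.Secure = true; or globally in
    //    web.config: <httpCookies httpOnlyCookies="true" requireSSL="true" />
    public static string BuildSessionCookieHeader(string opaqueSessionId) =>
        "Set-Cookie: SessionId=" + opaqueSessionId + "; Path=/; HttpOnly; Secure";

    public static void Main()
    {
        // Constructed hostile input: a script tag submitted in the display-name field.
        string hostile = "<script>alert(1)</script>";

        // Input validation rejects it outright.
        Console.WriteLine("Valid display name? " + IsValidDisplayName(hostile));

        // If the value is echoed anyway, only the encoded output is harmless.
        Console.WriteLine("Unsafe: " + RenderGreetingUnsafe(hostile));
        Console.WriteLine("Safe:   " + RenderGreetingSafe(hostile));

        // Data destined for a URL gets UrlEncode, then HtmlEncode for the attribute.
        Console.WriteLine("Link:   " + BuildReturnLink("/account?name=<b>x</b>"));

        // Session cookie with HttpOnly and Secure set; the id is a constructed placeholder.
        Console.WriteLine(BuildSessionCookieHeader("PLACEHOLDER-RANDOM-SESSION-ID"));
    }
}
```

Request validation (the ValidateRequest page attribute, `<%@ Page ValidateRequest="true" %>`) adds a server-side rejection of obviously dangerous markup on top of this, but it is a backstop, not a replacement for encoding output in the correct context.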