Preventing XSS in ASP.Net Webforms: why is Validate Request not enough?


Yes, Microsoft recommends that you don't rely on Validate Request because

Only you can define what represents good input for your application.

I recommend you read the How To: Prevent Cross-Site Scripting in ASP.NET guideline. This is possibly the best thing I have read from Microsoft on the topic of XSS.

Another thing you can use to sanitize input is the Microsoft Web Protection Library. It is easy to integrate into existing applications, and it is a quite mature project that I personally rely on.
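As an added illustration of the answer's point (this is example code, not from the original post, the linked guideline, or the Web Protection Library itself): Validate Request is a generic pattern check on incoming data, whereas the application has to decide what a given field may contain and, separately, encode it for the context it is rendered in. The field name `displayName`, the control names and the allow-list rule are assumptions; the encoding calls are the AntiXss `Encoder` class from the Web Protection Library.

```csharp
using System;
using System.Text.RegularExpressions;
using Microsoft.Security.Application; // AntiXss / Web Protection Library

public static class DisplayNameInput
{
    // Allow-list (assumed business rule): 3-30 letters, digits, spaces,
    // apostrophes or hyphens. Anything else is rejected, not "cleaned up",
    // so nothing depends on Validate Request's built-in patterns.
    private static readonly Regex Allowed =
        new Regex(@"^[A-Za-z0-9 '\-]{3,30}$", RegexOptions.Compiled);

    public static bool IsValid(string value)
    {
        return value != null && Allowed.IsMatch(value);
    }

    // Encoding is chosen per output context: a value that is perfectly
    // legitimate input (e.g. "O'Brien-Smith") still needs different
    // treatment in an HTML body, an attribute, or a JavaScript string.
    public static string ForHtmlBody(string value)   { return Encoder.HtmlEncode(value); }
    public static string ForAttribute(string value)  { return Encoder.HtmlAttributeEncode(value); }
    public static string ForJavaScript(string value) { return Encoder.JavaScriptEncode(value); } // emits surrounding quotes
}

// Web Forms code-behind (assumed page with a Label "greeting", a Label "nameError"
// and a Literal "profileLink"):
public partial class Profile : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string name = Request.Form["displayName"]; // Validate Request has already run here

        if (!DisplayNameInput.IsValid(name))
        {
            nameError.Text = "Display name must be 3-30 letters, digits, spaces, apostrophes or hyphens.";
            return;
        }

        // HTML body context
        greeting.Text = "Hello, " + DisplayNameInput.ForHtmlBody(name);

        // Attribute context: the apostrophe in a valid name must be encoded here too
        profileLink.Text = "<a href=\"/profile\" title=\""
                         + DisplayNameInput.ForAttribute(name) + "\">profile</a>";
    }
}
```

Rejecting input that fails the application's own allow-list and encoding every output per context is what the guideline means by not relying on Validate Request exclusively; the two checks cover different things.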

Author: mkorman

Updated on June 07, 2022

Comments

  • mkorman, almost 2 years

    I'm looking for ways to protect our website from XSS attacks. At this point I am concerned about sanitizing/protecting the input only. I am aware of the need to encode the output, but that's out of the scope of this question.

    A few things to bear in mind:

    • My web does not accept user-generated HTML at all.
    • I have Validate Request set to true.

    I know that Microsoft recommends not to rely on Validate Request exclusively. However, I'd like to know why. Embarking on an input sanitization project will involve a fair amount of time and money, which I need to justify to the business.

    I have been researching actual examples of how to attack the Validate Request protection. All I have come up with is this. However, I have been unable to reproduce it on my site.

  • mkorman, almost 11 years
    Thanks for the answer and the link. I was aware of the 'AntiXss' library as well. It's just a question of estimating actual effort vs cost so I can justify it to the business. That's why I needed a bit more information as to why Validate Request is not enough.
  • Alexander Manekovskiy, almost 11 years
    @mkorman no one will tell you exactly why you cannot rely on this standard ASP.NET feature, because the answer to this question depends on the context in which you want to use it. It is up to you to decide whether or not you need additional input validation.
  • mkorman, almost 11 years
    Fair enough. I would then rephrase my question to "when is Validate Request enough and when is it not?". Microsoft's statement seems to indicate that it is never enough, which means that context is irrelevant.