serkansendur
Member
50 Points
57 Posts
How to enable request validation in .asmx web service?
Apr 20, 2012 05:28 PM
Hello all,
My ajax call to my .asmx web service succeeds when I send a json object with <script> tag embedded to it. Is there a way of validating the request in such a senario? What is the best way of avoiding XSS in ajax calls?
Thank you,
Serkan
Steven Cheng...
Contributor
4199 Points
548 Posts
Microsoft
Moderator
Re: How to enable request validation in .asmx web service?
Apr 23, 2012 09:26 AM
Hi Serkan,
As for the ASP.NET webservice webmethod, the runtime will not do any validation to prevent potential script or other markup tags (in a string parameter). If you want to add such kind of validation and protection, you will need to add custom code in your webmethod or via a custom SoapExtension to perform validation (via simple string search or regular expression matching) against the webservice request's content.
#Extend the ASP.NET WebMethod Framework by Adding XML Schema Validation
http://msdn.microsoft.com/en-us/magazine/cc164115.aspx
serkansendur
Member
50 Points
57 Posts
Re: How to enable request validation in .asmx web service?
Apr 24, 2012 07:07 PM
Will do.
Thanks Steven,
Serkan
serkansendur
Member
50 Points
57 Posts
Re: How to enable request validation in .asmx web service?
Apr 25, 2012 07:15 PM
Here is how I handle the markup injection in AJAX calls. It probably doesn't cover all the possible cases, but I think it's a simple and effective solution for the most part.

    var jsUtils = {
        // iterate over every property of the JSON object and encode it
        makeXssSafe: function (jsonObj) {
            jQuery.each(jsonObj, function (i, val) {
                jsonObj[i] = jsUtils.clearArrows(val);
            });
        },
        // replace the markup arrows with their HTML-encoded values
        clearArrows: function (text) {
            if (text && text.replace)
                return text.replace("<", "&lt;").replace(">", "&gt;");
            return text;
        }
    }

I call it after updating my JSON object with the form input values, so it iterates over every property of the JSON object and replaces the markup arrows with their HTML-encoded values. I didn't use the jQuery .html() or JavaScript escape() because there is no way to prevent them from encoding already encoded text; for example, escape(escape('text')) will mess things up.
Thank you,
Serkan
Steven Cheng...
Contributor
4199 Points
548 Posts
Microsoft
Moderator
Re: How to enable request validation in .asmx web service?
Apr 26, 2012 03:09 AM
Hi serkansendur,
Thanks for the followup and sharing with us your solution.
Just one comment. Currently you do the JSON HTML validation on the client side before the AJAX service operation call. This is OK if the service operations will only be called from the web page script code. However, if your service is exposed on the internet, someone can just get the service endpoint and operation URLs from your web page's script code. Then they can directly create some .NET client which uses WebRequest to invoke your service operations. Thus, implementing the validation on the server side will be more secure in case this is a potential issue.
serkansendur
Member
50 Points
57 Posts
Re: How to enable request validation in .asmx web service?
Apr 26, 2012 01:18 PM
Thanks for your concern Steven.
I have the C# equivalent of that makeXssSafe on the server. So even if they call the service outside of the application, it will still be encoded.
Thank you,
Serkan
serkansendur
Member
50 Points
57 Posts
Re: How to enable request validation in .asmx web service?
May 03, 2012 09:04 PM
By the way, JavaScript replace, unlike C#, applies the change only to the first found item. Here is the correction for that:

    return text.replace(new RegExp("<", "g"), "&lt;").replace(new RegExp(">", "g"), "&gt;");
Thank you,
Serkan
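An added example (not code from this thread) that closes the gaps in the posted makeXssSafe/clearArrows and in the replace correction above: a string pattern in String.prototype.replace only hits the first match, jQuery.each only walks the top level of the object, and only < and > were encoded, which leaves &, " and ' unhandled in attribute contexts. The sample payload is constructed.

```javascript
// Added example, not code from the thread. It closes three gaps in the
// posted makeXssSafe/clearArrows: a string pattern in String.prototype.replace
// only replaces the first match, jQuery.each only walks the top level, and
// only < and > were encoded (leaving &, " and ' for attribute contexts).

const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode every HTML-significant character in one pass (global regex).
function encodeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Walk a JSON-compatible value and return a copy with every string encoded;
// objects and arrays are descended recursively, other scalars pass through.
function makeXssSafe(value) {
  if (typeof value === "string") return encodeHtml(value);
  if (Array.isArray(value)) return value.map(makeXssSafe);
  if (value !== null && typeof value === "object") {
    const out = {};
    for (const key of Object.keys(value)) out[key] = makeXssSafe(value[key]);
    return out;
  }
  return value;
}

// The first-match-only behaviour that the last post corrects, kept here so
// the difference can be checked side by side.
function firstMatchOnly(text) {
  return text.replace("<", "&lt;").replace(">", "&gt;");
}

// Constructed sample payload, shaped like form input collected into JSON.
const samplePayload = {
  name: "<script>alert(1)</script>",
  comment: 'He said "hi" & left',
  tags: ["<b>", { nested: "<i>" }],
  count: 3,
};
```

Because & is encoded as well, running this twice turns &lt; into &amp;lt;, so apply it exactly once, at the point where a value is written into HTML, rather than on data that is already stored encoded.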