Last post Aug 21, 2014 10:54 PM by Summer - MSFT
Aug 21, 2014 04:01 AM|santosh0288|LINK
I am working on solving security issues related to reflective xss and i needed a solution to protect my application from getting attached by reflective xss.
Any one has the MSI file or DLL OF SECURITY RUNTIME ENGINE. I think this may help me to solve my issue.
Please let me know if any one can help me with the dll or any other solution which can help me to protect my application from reflective xss.
Santosh Kumar Dash
Aug 21, 2014 06:42 AM|AidyF|LINK
Security has to be thought about while you are developing your application in everything you do. If you write a website without thinking about security, then want to go back and "make it secure" then you're going to have a long and tough job. There is
no magic setting or library or anything that will make your site secure, otherwise the net would be a lot safer than it is. You have to first understand the vulnerability you're protecting against, then for
every single page, and every place you display output you have to work out if that bit of code is vulnerable, and if it is then fix it. For xss it is normally fixed by using Server.HtmlCode(dataToWrite) rather than just writing
the data out. If you're using razor then this task is easier as it encodes by default.
Aug 21, 2014 07:11 AM|santosh0288|LINK
Thanks for the reply.
I am not having issues with stored XSS that part is good. As you mentioned we are already using server.htmlencode as well as server.urlencode where ever it is necessary.
Where i am having the problem is when a url is sent from a web browser to server (for example :http://localhost:56683/Default.aspx) in between by using a proxy server (burp suite) we interupt the request
and change the URL(for example:
remove accept encodding header then it will go and hit the server and send us the response as well as it is running the script injected into the url by the proxy server.
Since the url content is changed it is redirecting to error page but it is not preventing the java script which is injected into the url from getting executed.
I want to prevent any java script injected into the url before getting executed.
Aug 21, 2014 10:54 PM|Summer - MSFT|LINK
According to your description, I know you want to protect your application from reflective xss.
As far as I know, if you want to prevent the cross-site scripting, please refer to steps below:
Step 1. Check that ASP.NET request validation is enabled.
Step 2. Review ASP.NET code that generates HTML output.
Step 3. Determine whether HTML output includes input parameters.
Step 4. Review potentially dangerous HTML tags and attributes.
Step 5. Evaluate countermeasures.
Something about the MSI file :
More information about the XSS, please refer to the links below:
if you have any other questions, please feel free to post in this fourm.