Last post Jul 19, 2019 06:19 AM by bsurendiran
Jul 19, 2019 06:19 AM | bsurendiran
We have an ASP.NET application with lots of .aspx forms, and it was built using .NET Framework 4.0.
We have a form where the user can enter text in a textbox, and we are validating the textbox with validation controls. The value the user enters is saved in SQL Server on button click, then fetched and displayed on the screen. So far so good.
Let's say the user enters "welcome" in the textbox, but in Fiddler we are appending a script payload like:
Before saving it, we are encoding the above and storing it in the database; while displaying, we are decoding it and showing it in the UI,
and in the UI it shows "welcome<script>alert(xss)</script>", and it is not showing any alert since we are doing encoding and decoding.
But we don't want to show the injected value.
How do we prevent that?
1) Is it possible to invalidate the request if it is modified by Fiddler? If yes, how can we check whether the request payload has been modified or not?
2) We want to redirect to an error page if a script payload is injected along with the actual payload, because we don't want to save that in the database.
3) Is it possible to validate whether an injection happened or not in the code-behind?
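One way to do the server-side check the post asks about, as an added example and not the original poster's code: an allow-list validation of the posted value in the code-behind (so a payload appended in Fiddler is rejected before it is saved), a redirect to the error page on failure, and HTML encoding at output time when the stored value is displayed. The control names (txtInput, lblOutput, btnSave), the page class name, the ~/Error.aspx path and the two data-access calls are assumptions for the illustration.

```csharp
// Added example, not the original poster's code. Assumes an ASP.NET 4.0 Web Forms page
// with a TextBox "txtInput", a Label "lblOutput", a Button "btnSave" and an error page
// "~/Error.aspx" (hypothetical names); SaveToDatabase/LoadFromDatabase stand in for the
// parameterised SQL calls the post describes.
using System;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;

public static class InputPolicy
{
    // Allow-list for a short name-like field: letters, digits, space and a few
    // punctuation characters, 1 to 100 long. '<', '>', '&', '"' and '\'' are not in
    // the class, so "welcome<script>alert(xss)</script>" fails before it is stored.
    private static readonly Regex Allowed =
        new Regex(@"^[\p{L}\p{N} .,'_-]{1,100}$", RegexOptions.Compiled);

    public static bool IsClean(string value)
    {
        return value != null && Allowed.IsMatch(value);
    }

    // Looser check for free-text fields where '<' may be legitimate: flag only
    // tag-like sequences ("<script", "</a", "<!--", "<?xml") rather than every '<'.
    private static readonly Regex TagLike =
        new Regex(@"<\s*/?\s*[a-zA-Z!?]", RegexOptions.Compiled);

    public static bool ContainsMarkup(string value)
    {
        return value != null && TagLike.IsMatch(value);
    }
}

public partial class SaveForm : Page
{
    protected void btnSave_Click(object sender, EventArgs e)
    {
        // Client-side validators never run for a request replayed from Fiddler, so the
        // server must re-run them (Page.IsValid) and then apply its own policy.
        if (!Page.IsValid)
        {
            return;
        }

        string value = txtInput.Text;

        if (!InputPolicy.IsClean(value))
        {
            // Injected markup: do not save, send the user to the error page and stop
            // processing this request without throwing ThreadAbortException.
            Response.Redirect("~/Error.aspx", false);
            Context.ApplicationInstance.CompleteRequest();
            return;
        }

        SaveToDatabase(value); // hypothetical parameterised INSERT
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // Encode at output time: whatever the database holds is rendered as text,
            // so nothing stored can execute in the browser.
            string stored = LoadFromDatabase(); // hypothetical parameterised SELECT
            lblOutput.Text = HttpUtility.HtmlEncode(stored);
        }
    }

    private void SaveToDatabase(string value)
    {
        // Hypothetical: SqlCommand with a @value parameter; omitted here.
    }

    private string LoadFromDatabase()
    {
        // Hypothetical: SqlCommand SELECT; returns the stored text.
        return string.Empty;
    }
}
```

Two checks worth running alongside this: confirm in web.config and the page directive that ASP.NET request validation is still enabled, because with it on, a form value such as "welcome<script>" is rejected by the framework with an HttpRequestValidationException before your button handler runs, so reaching the database with that value suggests it has been turned off somewhere; and verify the redirect path by posting the tampered value directly (for example from Fiddler) and checking that no row is written and the response is the error page.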