April 03, 2006 12:04 AM

Better HTML and URL Encoding Functions

Defend Against Cross-site Scripting Attacks
DevConnections

SecureASP.NET

LANGUAGES: ALL

ASP.NET VERSIONS: 2.0

 


The HtmlEncode and UrlEncode methods of the HttpServerUtility class in the System.Web namespace have long provided a first line of defense against cross-site scripting attacks. These are the kinds of attacks where someone puts scripting code into an input box on a Web page, so that a page the site later renders includes that script. A simple example is to enter this literal text into a text box that prompts for a person's first name:

<script>alert("Ha ha! We've attacked your site!")</script>

 

When you redirect to another page and display what you thought was the person's first name, an alert box pops up with nefarious text. This is a simple and trivial example of cross-site scripting. If you create Web pages, you should be well aware of this kind of attack and know how to protect against it. Google "cross-site scripting" for lots of good information.

 

The HtmlEncode and UrlEncode methods provide protection by converting known bad characters in a string of text to either HTML entities (the &lt; and &#DECIMAL; forms) or to percent-encoded single- and double-byte notation, respectively. Encoding the characters this way keeps the browser from interpreting them as script. When you pass the <script> code above through these methods, you get these results:

HtmlEncode

&lt;script&gt;alert("Ha ha! We've attacked your site!")&lt;/script&gt;

UrlEncode

%3cscript%3ealert(%e2%80%9cHa+ha!+We%e2%80%99ve+attacked+your+site!%e2%80%9d)%3c%2fscript%3e

 

These methods take a "known bad" approach to protecting against attacks. The idea is that there are certain characters that are known to be a problem in these kinds of attacks, notably <, >, &, ", and characters with ASCII values of 160-255, inclusive. As long as you encode those characters, you should be safe, or so goes the concept.

 

The key word in the previous sentence is should. You should be safe, as long as an attacker doesn't come up with a way to attack your Web site using other characters. Unfortunately, that's exactly what has been happening lately, making the .NET encoding methods less useful. So Microsoft has shifted away from a "known bad" strategy to a "known good" strategy with its new Anti-Cross Site Scripting Library. The idea is that you shouldn't eliminate only the characters that you know are bad, because that list changes all the time. Instead, leave alone only the characters that you know are okay, and encode everything else.

So the functions in the library, which provide the same HtmlEncode and UrlEncode methods as the .NET Framework, encode all characters other than the following:

  • a to z
  • A to Z
  • 0 to 9
  • , (Comma)
  • . (Period)
  • - (Dash)
  • _ (Underscore)
  • Space (only in the UrlEncode function)

 

When you run the <script> code above through these new methods, here is what you get:

 

HtmlEncode

&#60;script&#62;alert&#40;&#8220;Ha ha&#33; We&#8217;ve attacked your site&#33;&#8221;&#41;&#60;&#47;script&#62;

 

UrlEncode

%3cscript%3ealert%28%u201cHa%20ha%21%20We%u2019ve%20attacked%20your%20site%21%u201d%29%3c%2fscript%3e

As you can see, far less of the original text remains in its literal character form, meaning that less of the text could be considered executable by the browser. This isn't exactly a monumental change, and the code in the library is quite simple. However, it leaves far less opportunity for cross-site scripting attacks to succeed.
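An allow-list encoder in the spirit the article describes, as an added example (not the AntiXSS library's own code): it keeps only the characters listed above and encodes everything else, using the &#DECIMAL; form for HTML and the %XX / %uXXXX forms seen in the UrlEncode sample. The class and method names are assumptions.

```csharp
using System;
using System.Text;

// Added example, not the AntiXSS library's code: a "known good" encoder.
// Only the characters the article lists pass through; all others are encoded.
public static class AllowListEncoder
{
    // Known-good set from the article: a-z, A-Z, 0-9, comma, period, dash, underscore.
    private static bool IsKnownGood(char c) =>
        (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
        (c >= '0' && c <= '9') || c == ',' || c == '.' || c == '-' || c == '_';

    // HTML context: every character outside the allow list becomes &#DECIMAL;
    // (the space is not on the HTML list, so it is encoded too).
    public static string HtmlEncode(string input)
    {
        var sb = new StringBuilder(input.Length * 2);
        foreach (char c in input)
        {
            if (IsKnownGood(c)) sb.Append(c);
            else sb.Append("&#").Append((int)c).Append(';');
        }
        return sb.ToString();
    }

    // URL context: the space is allowed on the list but appears as %20 in the
    // article's sample; other ASCII becomes %XX and non-ASCII becomes %uXXXX.
    public static string UrlEncode(string input)
    {
        var sb = new StringBuilder(input.Length * 3);
        foreach (char c in input)
        {
            if (IsKnownGood(c)) sb.Append(c);
            else if (c == ' ') sb.Append("%20");
            else if (c < 0x80) sb.Append('%').Append(((int)c).ToString("x2"));
            else sb.Append("%u").Append(((int)c).ToString("x4"));
        }
        return sb.ToString();
    }

    public static void Main()
    {
        // The article's sample payload, constructed here as test input.
        const string sample = "<script>alert(\"Ha ha! We've attacked your site!\")</script>";
        Console.WriteLine(HtmlEncode(sample));
        Console.WriteLine(UrlEncode(sample));
    }
}
```

Because it follows the article's list literally, this HtmlEncode also encodes spaces (as &#32;), which is stricter than the sample output above, where spaces remain literal.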

One difference in the AntiXSSLibrary versions of the HtmlEncode and UrlEncode functions is that they each have only a single overload. The .NET Framework versions have an additional overload that takes both a string and a TextWriter object and writes the resulting output to the specified output stream. While you can easily code around this to use the AntiXSSLibrary versions, it could break some code, so be careful if you use the new functions in existing applications.

This initial release contains the binaries for versions 1.x and 2.0 of the .NET Framework. You can download the library here (http://www.microsoft.com/downloads/details.aspx?FamilyID=9A2B9C92-7AD9-496C-9A89-AF08DE2E5982&displaylang=en).

Don Kiely, MVP, MCSD, is a senior technology consultant, building custom applications as well as providing business and technology consulting services. His development work involves tools such as SQL Server, Visual Basic, C#, ASP.NET, and Microsoft Office. He writes regularly for several trade journals, and trains developers in database and .NET technologies. You can reach Don at mailto:donkiely@computer.org and read his blog at http://www.sqljunkies.com/weblog/donkiely/.

 

 

 

 
