This HOWTO was a specific requirement of my job, so I can't go into too great detail, nor can I give you all of the source code. What I am going to cover is building an XSS filter to use in your ASP.NET app.
One of the biggest problems facing every single person that uses the internet is Cross Site Scripting (XSS) exploits. XSS comes from our love/hate relationship with JavaScript. On one hand, through JavaScript we can implement quick interaction with users of our web apps through dialog box alerts. JavaScript also gives us cool image effects, client-side form validation and now the holy grail of Ajax.
But the hate side of JavaScript is its weak security and its ability to access the machine the browser is running on. If a developer is not careful, that could expose their users to a whole world of hurt.
The most popular exploit is phishing scams, where a person will get an email from PayPal, for instance, telling them they need to change their password. The email looks legit, the link says https://secure.paypal.com?etc, so the user clicks the link and goes to a site that looks just like PayPal; the URL says PayPal and there's a little lock icon in the corner of their browser. So the user enters their info, gets a confirmation that their account has been updated and then goes on with their day. What the user doesn't know is that they have been scammed by an XSS using a URL mask and some remote JavaScript. So now some hacker is using the info to log into the PayPal account and clean it out.
Trying to stop every kind of XSS can be, and is, a full-time job. It's like trying to stop the rain from falling on your lawn. Sure, you can get a huge tent to cover the whole lawn, but then the wind will start blowing it in sideways.
One of the most important things you can do is validate and scrutinize every piece of information a user enters into your web app. Everything.
The list of things you need to do to secure an app is nearly endless. I am not going to go into detail on what to do, because if you've gotten this far then you certainly know how to use Google.
The XSS Filter
Like I said before, I cannot give you all of the source code, but I can give some.
Building this filter requires very good knowledge of RegEx. For instance, take the following line of code:
private string nojavascript = "([a-z]*)[\\x00-\\x20]*=[\\x00-\\x20]*([\\`\\\'\\\\\"]*)[\\x00-\\x20]*j[\\x00-\\x20]*a[\\x00-\\x20]*v[\\x0" + "0-\\x20]*a[\\x00-\\x20]*s[\\x00-\\x20]*c[\\x00-\\x20]*r[\\x00-\\x20]*i[\\x00-\\x20]*p[\\x00-\\x20]*t[\\x00-\\x20]*";
It looks like a bunch of crap, but what it does is create a RegEx that will look for a string like:
javascript
or
JaVAsCRipT
<javascript
or
<j a v a s c r i p t
Or any combination of the word 'javascript', or the word mixed with special characters. The reason the variable looks so mangled is the need to escape characters in C#. For some reason, using the '@' symbol like this:
private string nojavascript = @("([a-z]*)[\x00-\x20]*=[\x00-\x20]*([\`\\'\\\"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x0" + "0-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*");
causes a RegEx Exception.
Now that you've got a RegEx defined, you need to use it in a RegEx function:
using System.Text.RegularExpressions;

// Runs the 'nojavascript' pattern over strIn and replaces every match with replaceChar.
public string NoJavaScript(string strIn, string replaceChar)
{
    RegexOptions options = RegexOptions.IgnoreCase;
    Regex regex = new Regex(nojavascript, options);
    string result = regex.Replace(strIn.ToLower(), replaceChar);
    return result;
}
This function has 2 parameters: 1) the string that needs to be checked for exploits and 2) the string you want to replace the characters with.
Then you need to invoke the NoJavaScript function like this:
lblMessage.Text = NoJavaScript(txtTextBox.Text,"&#");
When you use the NoJavaScript function it will inspect the text in 'txtTextBox', find any 'javascript' XSS's and replace each instance with '&#'.
The real work in all of this is creating the RegEx to filter out the XSS. If you know what you are doing, you will build yourself a class that has a private function. Then you'll create a public function that takes a string to be filtered, an enum of filter types and the replacement string, and which has a switch statement that gets the RegEx filter using the enum value. Once you've got the RegEx filter, pass it to another function that takes a string to be filtered, the RegEx filter and the replacement string.
One for the Road
This last RegEx filter will find tags in the text:
private string unwantedTags = "</*(table|drop|delete|applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>";
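Here is the class layout described in the section above, wired up with both RegEx patterns from this post. It is an added example, not the author's source code; the names XssFilterType, XssFilter, GetFilter, ApplyFilter and Filter are my own, and it relies on RegexOptions.IgnoreCase instead of calling ToLower() on the input so the original casing of unmatched text survives.

```csharp
using System;
using System.Text.RegularExpressions;

// Which RegEx the public entry point should pick (hypothetical names).
public enum XssFilterType { JavaScript, UnwantedTags }

public class XssFilter
{
    // The two patterns from the post; [\x00-\x20] lets the 'javascript'
    // pattern match even when spaces or control bytes separate the letters.
    private const string NoJavaScriptPattern =
        "([a-z]*)[\\x00-\\x20]*=[\\x00-\\x20]*([\\`\\\'\\\\\"]*)[\\x00-\\x20]*" +
        "j[\\x00-\\x20]*a[\\x00-\\x20]*v[\\x00-\\x20]*a[\\x00-\\x20]*" +
        "s[\\x00-\\x20]*c[\\x00-\\x20]*r[\\x00-\\x20]*i[\\x00-\\x20]*" +
        "p[\\x00-\\x20]*t[\\x00-\\x20]*";

    private const string UnwantedTagsPattern =
        "</*(table|drop|delete|applet|meta|xml|blink|link|style|script|embed|" +
        "object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>";

    // Private function: map the enum value to its RegEx with a switch.
    private static Regex GetFilter(XssFilterType type)
    {
        string pattern;
        switch (type)
        {
            case XssFilterType.JavaScript:   pattern = NoJavaScriptPattern; break;
            case XssFilterType.UnwantedTags: pattern = UnwantedTagsPattern; break;
            default: throw new ArgumentOutOfRangeException(nameof(type));
        }
        return new Regex(pattern, RegexOptions.IgnoreCase);
    }

    // Private function: apply an already-built RegEx to the input.
    private static string ApplyFilter(string input, Regex filter, string replacement)
    {
        return filter.Replace(input, replacement);
    }

    // Public function: string to filter, filter type, replacement string.
    public static string Filter(string input, XssFilterType type, string replacement)
    {
        if (string.IsNullOrEmpty(input)) return input;
        return ApplyFilter(input, GetFilter(type), replacement);
    }
}
```

Call it as XssFilter.Filter(txtTextBox.Text, XssFilterType.JavaScript, "&#") and again with XssFilterType.UnwantedTags to run both patterns; since this is a denylist, still encode the result with HttpUtility.HtmlEncode where it is rendered.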