Script Injection Attacks

Script injection is security vulnerability, a serioussecurity threat that enables an attacker to inject malicious code in the userinterface elements of your Web form of data-driven Web sites.

Wikipedia states, HTML/Script injection is a popularsubject, commonly termed Cross-Site Scripting , or XSS . XSS refers to aninjection flaw whereby user input to a web script or something along such linesis placed into the output HTML, without being checked for HTML code orscripting.  

Common Tags Prone to Script Injections

The following are some of the most common HTML tags that may be prone to scriptinjection attacks:

Simulating Script Injection AttacksIn this section we ll write a sample application that demonstrates how scriptinjection takes place.Follow these steps:
1. Create a new Web site and save it with a name
2. Switch to the design view mode of the Default.aspx file
3. Drag and drop a label, a textbox, and a button control onto the Web form(here s how the mark-up code of your .aspx file will look):            Text="Enter your name: ">           4. Next, set the Default.aspx Web form as the start pageof the applicationNow type the following in the textbox and click thebutton control:window.onload = func(); function func() { alert('Hi'); }Preventing Script Injection AttacksHere are some techniques  you can adopt to avoid script injection attacks inyour applications:1. You can disable request validation in your Web page:<%@ Page ValidateRequest="false" Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" %>If ValidateRequest is turned off for the Web page, youcan type in the same script as we did earlier and click the button control andsee that there aren t any errors being displayed.Note that you can also disable request validation at theapplication level by turning off ValidateRequest in the pages element of yourapplication s configuration file:                      2. Using Server.HTMLEncode() to encode the user s input    String strName = Server.HtmlEncode(TextBox1.Text);  Response.Write("Name: "+strName);3. Rejecting certain special characters like, "<", ">","*", "%", "!", "@", etc.
4. Ensuring the correct data is entered in the Web form user interface elementsbefore the form is submitted. Also, you should restrict the user s input to acertain type and number of characters. As an example, if you are accepting aname from a user, it should only contain alphabets, spaces, and dots. You shouldnot allow the user to type in other characters and then submit the input.Another common form of injection attack is SQL Injection.To learn more about SQL Injection attacks, refer to my article athttp://www.aspnetpro.com/newsletterarticle/2006/12/asp200612jk_l/asp200612jk_l.asp.ConclusionScript injection attacks are a major concern to the Web development communitythese days. In this article we ve had a look at what script injection attacksare and why they happen, and we also simulated script injection in a sampleapplication. Lastly, we discussed some of the best practices to prevent scriptinjection attacks in our applications. Happy reading!Joydip Kanjilal is a Microsoft MVP in ASP.NET. He hasmore than 12 years of industry experience in IT with more than six years inMicrosoft .NET and its related technologies. He is the author ofASP.NET Data Presentation Controls Essentials(Packt Publishing) and SAMS Teach YourselfASP.NET Ajax in 24 Hours, and has authored articles for some of the mostreputable sites, includinghttp://www.asptoday.com,http://www.devx.com,http://www.aspalliance.com,http://www.aspnetpro.com,http://www.sql-server-performance.com, andhttp://www.sswug.com. Many of these articles have been selected athttp://www.asp.net, Microsoft s official site for ASP.NET. Joydip was also acommunity credit winner athttp://www.community-credit.com a number of times. He is currently workingas a Lead Architect in a reputable company in Hyderabad, India. He has years ofexperience in designing and architecting solutions for various domains. Histechnical strengths include, C, C++, VC++, Java, C#, Microsoft .NET, AJAX,Design Patterns, SQL Server, Operating Systems, and Computer Architecture.Joydip blogs athttp://aspadvice.com/blogs/joydip and spends most of his time reading booksand blogs, and writing books and articles. His hobbies include watching cricketand soccer and playing chess.