Several common web attacks exploit coding flaws of applications. SQL injection, for example, takes place when nefarious input text is attached to a SQL statement and forms a syntactically correct command that exceeds (negatively) the programmers expectation, so to speak! If the input text is not constrained and verified, attackers can inject ad hoc text into the statement and completely change the behavior of it. In the end, an innocuous SELECT can become a batch in which a DROP TABLE follows the query.
Another common attack is cross-site scripting, also known as XSS. Cross-site scripting originates from the same bad programming practice as SQL injection-unverified input text. An XSS attack is conducted by injecting malicious script code in the body of a web page. Whenever the browser finds a <script> block, it executes the statements. If the script is placed there by the attacker you have no control over its behavior. Nothing, therefore, prevents the attacker from collecting and uploading all client cookies to an external web site.
There's a simple way to prevent XSS at its root-using encoded text. A common bad practice is using the value of the TextBox's Text property to compose a portion of the page. As a result, if the Text property contains malicious script code, that code executes automatically as the page display. Here is a simple workaround:
string text = HttpUtility.HtmlEncode(TextBox1.Text); Response.Write(text);
The HtmlEncode method encodes a string for transmission by HTTP. It replaces HTTP unfriendly characters with an ad hoc representation. Angle brackets that wrap HTML tags are in the list. The less-than symbol is replaced with the < macro, whereas the greater-than symbol is changed to >. Encoded this way, any text is displayed as is by any browser and doesn't cause you any further harm.
With 14+ years of development behind me, I think I can say that the average developer is a bit lazy at times. So even a simple task like preprocessing TextBox1.Text with an HTML-encoding method can be a sort of mission-impossible. Thanks to the full OOP support you find in the .NET Framework (specifically, inheritance), you can elegantly solve the issue once forever and make your whole personal framework of components inherently more secure. Do not use the classic, standard TextBox control; instead use this one:
namespace Samples.MyControls { public class TextBox : System.Web.UI.WebControls.TextBox public TextBox() { AutoEncode = true; } public bool AutoEncode { get {return Convert.ToBoolean(ViewState["AutoEncode"]);} set {ViewState["AutoEncode"] = value; } } public override string Text { get { if (AutoEncode) return HttpUtility.HtmlEncode(base.Text); else return base.Text; } set {base.Text = value;} } } }
It is a custom TextBox control that inherits from the base class. It adds a new Boolean property-AutoEncode-and overrides the base Text property. When AutoEncode is set to True (the default setting), the get accessor of the Text property silently and automatically encodes the return value. By simply replacing this control to any sensitive instance of the TextBox control you may have, you inherently gain more security by fending off-by design-any possible XSS attack. The principle of inheritance guarantee is that, in doing so, you don't lose any existing functionality related to the TextBox.
Dino Esposito is Wintellect's ADO.NET and XML expert, and a trainer and consultant
based in Rome, Italy. Dino is a contributing editor to Windows Developer
Network and MSDN Magazine, and the author of several books for Microsoft
Press including Building Web Solutions with ASP.NET and ADO.NET
and Applied XML Programming for .NET. Contact Dino at [email protected].