ASP.NET MVC - Security mini series: XSS
Over the next few weeks I'll be sharing mini blogs covering how to keep your site secure against a number of different vulnerabilities.
Today I'll be diving into XSS (cross site scripting) vulnerabilities.
Am I affected?
In ASP.NET MVC, by default, you won't need to be concerned about XSS vulnerabilities unless you're explicitly allowing HTML to be submitted (for instance to allow rich text in comment fields). In that case you have to take precautions and sanitize the received data to ensure that no scripts are being injected into your web application.
If you're not explicitly allowing HTML to be posted in your models, and you do not have ValidateInput set to false, then you won't be affected and won't have any precautions to worry about.
So, if you are allowing HTML, read on...
The wrong way to sanitize data
A pitfall I witness often is the use of Regex to clean user-submitted data in the fight against XSS attacks. This isn't a solution: not only is it cumbersome, but you're more than likely to overlook an edge case, which can spell game over pretty quickly.
The right way to sanitize data
There's a far easier method: you can instead use HtmlSanitizer, which under the hood uses an HTML parser to parse and manipulate the data it receives. Or, in their own words...
HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. It uses AngleSharp to parse, manipulate, and render HTML and CSS.
Because HtmlSanitizer is based on a robust HTML parser it can also shield you from deliberate or accidental "tag poisoning" where invalid HTML in one fragment can corrupt the whole document leading to broken layout or style.
Install HTML Sanitizer
Let's get started. Using NuGet, you can install the package with
PM> Install-Package HtmlSanitizer
Example
And here's a sample demonstrating it sanitizing a string that contains malicious content. You can see the library stripping away the script tags, the onload attribute and even the background-image CSS property that was embedded in the style attribute, whilst leaving the other properties intact.
using System;
using Ganss.XSS; // the namespace is Ganss.Xss from HtmlSanitizer 7.x onward

HtmlSanitizer sanitizer = new HtmlSanitizer();
// Constructed input: a script tag, an event-handler attribute and a
// javascript: URL hidden inside a style attribute.
string html = "<script>alert('xss')</script><div onload=\"alert('xss')\" "
    + "style=\"background-color: test\">Test<img src=\"http://www.example.com/test.gif\" "
    + "style=\"background-image: url(javascript:alert('xss')); "
    + "margin: 10px\"></div>";
// The second argument is the base URL used to resolve relative links in the fragment.
string sanitized = sanitizer.Sanitize(html, "http://www.example.com");
Console.WriteLine(sanitized);
Output
<div style="background-color: test">Test<img src="http://www.example.com/test.gif" style="margin: 10px"></div>
You can configure the allowed HTML tags, attributes, CSS properties, URI schemes and more.
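The defaults are permissive because the library has to serve many kinds of applications. For a comment field you normally want far less, so here is an added example (not code from the original post or from the HtmlSanitizer project) that starts from empty allowlists and adds back only the markup comments need, removes inline styles entirely, restricts link schemes, and hooks the removal events so that stripped content shows up in logs. The allowlist contents and the sample input are constructed for this example; the property and event names are HtmlSanitizer's own.

```csharp
// Added example: a locked-down HtmlSanitizer for rich-text comments.
// Namespace: Ganss.XSS before HtmlSanitizer 7.x, Ganss.Xss from 7.x onward.
using System;
using Ganss.XSS;

public static class CommentSanitizer
{
    public static HtmlSanitizer Create()
    {
        var sanitizer = new HtmlSanitizer();

        // Start from nothing and allow only basic formatting, lists, links and code.
        sanitizer.AllowedTags.Clear();
        sanitizer.AllowedTags.UnionWith(new[]
        {
            "p", "br", "b", "i", "strong", "em", "a", "ul", "ol", "li", "code", "pre"
        });

        // Attributes: only what links need. No class, id, style or on* handlers.
        sanitizer.AllowedAttributes.Clear();
        sanitizer.AllowedAttributes.Add("href");
        sanitizer.AllowedAttributes.Add("title");

        // No inline CSS at all, so style-based tricks have nothing to attach to.
        sanitizer.AllowedCssProperties.Clear();

        // Links may only use these schemes; javascript: and data: URLs are dropped.
        sanitizer.AllowedSchemes.Clear();
        sanitizer.AllowedSchemes.UnionWith(new[] { "http", "https", "mailto" });

        // Surface what was removed so repeated injection attempts are visible in monitoring.
        sanitizer.RemovingTag += (s, e) =>
            Console.WriteLine("Removed tag: " + e.Tag.TagName);
        sanitizer.RemovingAttribute += (s, e) =>
            Console.WriteLine("Removed attribute: " + e.Attribute.Name + " on " + e.Tag.TagName);

        return sanitizer;
    }

    public static void Main()
    {
        var sanitizer = Create();

        // Constructed input: legitimate comment markup mixed with injection attempts.
        string input = "<p onclick=\"alert(1)\">Hello <b>world</b> "
            + "<a href=\"javascript:alert(1)\">bad link</a> "
            + "<a href=\"https://example.com/\" title=\"ok\">good link</a></p>"
            + "<img src=\"x\" onerror=\"alert(1)\">"
            + "<style>body { display: none }</style>";

        Console.WriteLine(sanitizer.Sanitize(input));
    }
}
```

Build the sanitizer once (for example as a singleton registered in your DI container) and reuse it; the allowlists are configured at construction and the Sanitize call itself is stateless.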
Closing thoughts
Ultimately, the best security is not allowing any HTML to be submitted in the first place; however, if you're going to enable it, make sure you're sanitizing those submissions.
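To show where that sanitization sits in an ASP.NET MVC request, here is an added example that is not from the original post: a comment view model where exactly one property is opted out of request validation with [AllowHtml], and a controller action that sanitizes that property at the trust boundary before anything is stored. The CommentViewModel, Comment and CommentsController types and the in-memory store are constructed for this example; [AllowHtml], [ValidateAntiForgeryToken] and ModelState are System.Web.Mvc's own.

```csharp
// Added example: sanitizing the single HTML-bearing field of a comment form
// in an ASP.NET MVC controller before it is persisted.
// Namespace: Ganss.XSS before HtmlSanitizer 7.x, Ganss.Xss from 7.x onward.
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;
using Ganss.XSS;

public class CommentViewModel
{
    // Request validation still applies here, and Razor HTML-encodes it on output.
    [Required]
    public string Author { get; set; }

    // Opting this one property out of request validation is the point at which
    // the application becomes responsible for sanitizing what arrives in it.
    [AllowHtml]
    [Required]
    public string Body { get; set; }
}

public class Comment
{
    public string Author { get; set; }

    // Always the sanitized form; the raw submission is never stored.
    public string SafeBody { get; set; }
}

public class CommentsController : Controller
{
    // Constructed in-memory store standing in for a database in this example.
    private static readonly List<Comment> Store = new List<Comment>();

    // Default allowlists here; tighten them as shown in the configuration section.
    private readonly HtmlSanitizer _sanitizer = new HtmlSanitizer();

    [HttpGet]
    public ActionResult Index()
    {
        // In the Index view only Comment.SafeBody is emitted with @Html.Raw(...);
        // Author is written as @item.Author so Razor encodes it.
        return View(Store);
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create(CommentViewModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        Store.Add(new Comment
        {
            Author = model.Author,
            // Sanitize before persisting. The base URL is used by the library to
            // resolve relative links in the submitted fragment.
            SafeBody = _sanitizer.Sanitize(model.Body, "https://example.com")
        });

        return RedirectToAction("Index");
    }
}
```

The important discipline is that Html.Raw is only ever applied to a value that has passed through Sanitize; every other field keeps Razor's default encoding, and nothing that arrived in Body is written to storage before it has been cleaned.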