13.11. ASP.NET MVC and Security

In any web application, it is important not to trust user input and to limit as much as possible the areas the attacker can exploit. Validation and strong typing can assist with this. One of the biggest dangers facing any web application is cross-site scripting (XSS).

XSS )occurs when an application allows a user to submit code that is then rendered unencoded on a page. Malicious users can submit JavaScript code to an application that will then be run when a page is loaded. Imagine if a user were to post JavaScript code on a forum that would then be run by all users viewing the page. At best, this could be annoying, but the bad code could also be performing tasks such as stealing other users' session identifiers that would allow an attacker to log in to the application. (For more information, please refer to www.owasp.org/index.php/XSS.)

In a traditional ASP.NET application, entering a script such as the following and submitting it would cause ASP.NET to throw an exception because the ASP.NET engine has detected potentially dangerous input:

<script>alert('XSS waiting to happen'),</script>

ASP.NET MVC will not throw an exception, so be sure any output is encoded when rendered in the browser using the Server.HtmlEncode() method (you should be doing this in ASP.NET anyway because the detection is pretty poor):

<%= Server.HtmlEncode(strMyValue) %>

You could also use the new HTML encode )syntax (see Chapter 10 for more details):

<%: strMyValue %>

Look into the Microsoft Anti XSS library at www.codeplex.com/AntiXSS.

Another problem that can occur with web applications is cross-site request forgery (CSRF). CSRF attacks occur by a user being authenticated to a particular site and then activating code that is constructed to perform a request on the logged-in site. For example, I could be logged into my bank account and open an e-mail that has an embedded image with a URL such as www.bank.com?withdraw=10000&to=badPerson. Because I am logged in to the site, this action would then be performed. MVC contains support for preventing these attacks by generating a secure token. For more information on this, please refer to http://blog.codeville.net/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/.