This is not really an IIS-related article; it is more of a general website security topic, but I found it interesting and thought I might share it anyway.
Today I just stumbled over an article about website security in relation to Cross Site Scripting (XSS).
The author claims that there will be a boost in Cross Site Scripting attacks against websites over the summer when administrators are relaxing by the pool someplace hot.
The article also mentioned an application which can scan a website to determine whether it is securely locked down and not vulnerable to XSS attacks.
I’m not running my own web server, but I have a couple of sites with dynamically generated pages and I thought I might try this little tool to see how bad things were on this site.
The XSS scanner, by the way, is called ‘Acunetix Web Vulnerability Scanner’ and it can be downloaded here http://www.acunetix.com/cross-site-scripting/scanner.htm.
If you are unsure about XSS attacks and what impact they can have on the visitors of a website, please visit http://www.cgisecurity.com/xss-faq.html and http://ha.ckers.org/xss.html for information about XSS attacks, how they are performed, and their impact.
Result of XSS scan with the default website configuration
The first scan I did against this website revealed a security hole in, well, you probably guessed it, this page. The article.aspx page takes a parameter from the querystring key called BlogEntry.
The default website server-side code checked whether this key actually contained a value, and if it did, a call to the database was made to fetch the article matching the value from the BlogEntry key. No actual validation of the data occurred before sending it to the database.
According to the scanner this is an XSS security hole, as malicious code can actually be injected directly into the database using this querystring key.
The result of the first scan can be seen in the first two pictures below.
Trying to close the XSS security hole
I’m not that much into the many possibilities with XSS/Cross Site Scripting and there may be many other ways to compromise my website, but anyhow, I have now taken the first step to secure my site against XSS attacks.
What I did was to make a small additional check on the data from the querystring key before passing the data to the database, like:
// Requires: using System.Text.RegularExpressions;
// Check characters in the querystring key – Prevent XSS (Cross Site Scripting).
// \A and \z anchor the pattern to the whole value, so every character must be a-z, A-Z or 0-9.
if (!Regex.IsMatch(Request.QueryString["BlogEntry"], @"\A[a-zA-Z0-9]+\z"))
{
    // Throw an exception and stop the execution of the rest of the page if anything other than a-z and 0-9 is typed in the BlogEntry variable.
    throw new Exception("Querystring contains non-supported characters…");
}
I do the check using regular expressions on the querystring variable. I built this blog myself and know exactly which characters I want to use for my headings, so this was not actually difficult to decide. It will be more complex if you allow more characters in your querystring variables across your own site.
The expression evaluates the data from the querystring key, and if the string contains any characters other than a-z and 0-9, the code will throw an exception and there will be no call to the database.
The page will simply indicate an error rather than passing the data to the database engine, to avoid the injection/execution of malicious code.
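As an added example (not code from the original article), the following C# program runs constructed sample values through a pattern anchored only at the end and through one anchored at both ends, to show why an allow-list check on BlogEntry has to cover the whole value. The helper name IsValidBlogEntry and the 64-character limit are assumptions made for the illustration.

```csharp
using System;
using System.Text.RegularExpressions;

static class BlogEntryValidation
{
    // Anchored only at the end: any prefix is accepted as long as the tail is alphanumeric.
    static readonly Regex EndAnchoredOnly = new Regex(@"[a-zA-Z0-9]+$");

    // Anchored at both ends; \z (unlike $) does not tolerate a trailing newline.
    static readonly Regex FullyAnchored = new Regex(@"\A[a-zA-Z0-9]+\z");

    // Hypothetical helper: true only when the whole value is 1..maxLength ASCII letters/digits.
    public static bool IsValidBlogEntry(string value, int maxLength = 64)
    {
        // Request.QueryString["BlogEntry"] is null when the key is absent,
        // and Regex.IsMatch throws ArgumentNullException on null input.
        if (string.IsNullOrEmpty(value) || value.Length > maxLength)
            return false;
        return FullyAnchored.IsMatch(value);
    }

    static void Main()
    {
        // Constructed sample values, as they would look after URL decoding.
        string[] samples =
        {
            "MyFirstArticle",                 // the kind of value the page expects
            "<script>alert(1)</script>abc",   // markup followed by an alphanumeric tail
            "x' OR '1'='1",                   // quote characters, alphanumeric tail
            "MyFirstArticle\n",               // trailing newline
            "",                               // empty value
            null                              // key missing from the query string
        };

        Console.WriteLine("{0,-32} {1,-10} {2}", "value", "end-only", "both ends");
        foreach (string s in samples)
        {
            bool loose = s != null && EndAnchoredOnly.IsMatch(s);
            bool strict = IsValidBlogEntry(s);
            string shown = s == null ? "(null)" : s.Replace("\n", "\\n");
            Console.WriteLine("{0,-32} {1,-10} {2}", shown, loose, strict);
        }
    }
}
```

Input validation of this kind narrows what reaches the database call; it does not replace parameterized queries for the lookup or HTML encoding when the value is written back into the page.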
After running the scan again, I get the output on the two pictures below.
The scan result pictures now show that the XSS hole is closed; only one non-critical error, related to terminal services on the web server, is displayed.
Of course there may be many other ways for a good and persistent hacker to find a hole on my website, but I believe that the scan and the additional check in my code may prevent some of the most obvious XSS attacks against my website.
Article by – Thomas Nexa (mail)