How to avoid XSS attacks with GET requests, and automate offending IP addresses to IP deny list in IIS?

Question

I noticed some XSS attempts on some of our sites due to some old URL's raising the errors. ie. http://www.mysite.com/[some old keyword]/searchterm .

These sites are MVC3 sites, and from my understanding of using the anti-forgery token - this is only good for POST requests.

I don't think I want to limit all requests to the URL's, as some could be valid requests (ie. GoogleCrawler).

What are some ways to avoid/deter XSS attacks in this scenario?

Once I have the offending IP addresses, is there a way to use APPCMD to add IP addresses to the DENY list in IIS, similar to a solution using APPCMD to add new websites to IIS based on a list?

I'm asking because I'm noticing several IP addresses attempting cross-site scripting attacks on several of our sites. I would like to create a list of these (and possibly read a list from somewhere like http://www.ipfraudreporter.com) and load these up onto our server.

Answer 1

Blocking XSS is an output encoding problem, rather than an input problem in most cases. If you for instance only allow alfanumeric characters, you may be able to stop it using very strict whitelist based input validation, but in most cases it's about encoding output correctly for a given context. See the Abriged OWASP XSS prevention cheat sheet.

Regarding banning ips it sounds, Im not sure whats possible in you environment. Could be adding them to a firewall or an IPs, or writing an HttpModule that blocks incoming requests for the list of banned ips.