Preventing JavaScript Injections
https://stackoverflow.com/questions/651819
-
19-08-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
What's the best way to prevent javascript injections in a VB.NET Web Application? Is there some way of disabling javascript on the pageload event?
Recently, part of the security plan for our vb.net product was to simply disable buttons on the page that weren't available to the specific user. However, I informed the guy who thought of the idea that typing
javascript:alert(document.getElementById("Button1").disabled="")
in the address bar would re-enable the button. I'm sure that someone else has ran into issues like this before, so any help is appreciated. Thanks!
Update: Aside from validating user input, how can I protect the website from being toyed with from the address bar?
Solution
Any changes you make to the client-side behavior of your application are superficial and not secure at all. You should not rely upon these. They are nice to stop 99% of users, but it is trivially easy to bypass them. You should be checking whether a user has the right privileges for the action on the server side when the action is called, so that if someone did decide to re-enable the button themselves they would not be able to do whatever the button is meant to do. You have no control over what someone can do to the page with javascript, so you should never trust anything coming from the client.
Response to update: You can't in any practical way, which is exactly what the problem is. Once the website is in their browser, it's a free-for-all and they can have a go at it. Which is why your program should validate everything server side, every time.
OTHER TIPS
The most important item to consider is html encoding the user input. If the user enters <script> it'll get converted to <script> etc.
Update: If expecting input from the url / querystring, validate the data with extreme measures. If possible white list the data received. When white listed, you're ensuring only what you deem correct and safe is a viable submission.
Never trust the users' input.
Always validate user input.
Never trust data from the clients. Always validate data and permissions on the server side, where you are in control. Remember that the user (or any other application) can send to you whatever data they want to.
It doesn't matter what you do to lock down the interface via javascript, your data can always be manipulated somehow. There are various tools, such as fiddler which can be used to modify, or recreate postbacks/requests.
Even if you find a way to lock things down, you're in an arms race if your data is important enough to the attacker. The most viable option is to validate your input server side.
