XSS (Cross-Site Scripting) Mitigation Plan Part 1

Input Vectors
=============


  • Form inputs
  • Blog post comments
  • Query-string parameter values in a URL
  • HTTP request headers and cookies that the application reflects into a page
  • POST data (form-encoded, JSON, multipart)
  • Hidden form field values
  • Pre-defined radio button or select option values

Every item on this list is under the client's control. Hidden fields and fixed option lists are no more trustworthy than a free-text box: the browser-side restriction is a convenience, and a proxy or a hand-built request can submit any value.

Countermeasure Plan
===================


At Application Layer
====================



*  Input handling: when a value fails validation the application can reject the request with an error, strip the offending characters, encode them, or replace them. Rejecting is the safest choice. Stripping and replacing are easy to get wrong (a single removal pass turns <scr<script>ipt> into <script>), so if you strip, repeat until the input stops changing, and never treat input handling as the only defense.

*  X-XSS-Protection -- this header is deprecated. Chromium-based browsers removed the XSS Auditor it controlled in 2019 and Firefox never implemented it, so it provides no protection in current browsers and must not be relied on. Use Content-Security-Policy instead.

*  Follow an allow-list approach to validation: define what each field may contain (type, length, character set, format) and reject anything else, rather than trying to enumerate bad input.

*  Use the Content-Security-Policy HTTP response header to restrict where scripts and styles may be loaded from, for example:

   Content-Security-Policy: script-src 'self'; style-src 'self'

   With this policy the browser refuses inline <script> blocks, inline event handlers and scripts from other origins, so most injected payloads do not execute even where encoding was missed. Do not add 'unsafe-inline' to keep legacy inline scripts working; give them a per-response nonce or a hash instead. CSP is a mitigation layer, not a replacement for output encoding.

*  Output HTML encoding: encode every untrusted value at the point where it is written into the page, using the encoder for the context it lands in (HTML body, attribute value, JavaScript string, URL parameter). This is the primary defense; everything else on this list limits the damage when it is missed.

*  Set the HttpOnly flag on the session cookie so that script (document.cookie) cannot read it. This does not stop XSS; it keeps a successful payload from stealing the session token, although the script can still act on the user's behalf from inside the page. Set the Secure and SameSite attributes as well.



At Server Layer (defense-in-depth strategy)
===========================================



* Apply request validation in the ASP.NET framework (Web Forms and classic ASP.NET MVC). It is on by default and rejects any incoming HTTP request whose form fields, query string or cookies contain markup-like sequences (in ASP.NET 4.x: '<' followed by a letter, '<!', '</', '<?', or '&#'), throwing HttpRequestValidationException. Treat it as a coarse blocklist: it catches a literal <script> tag but not an attribute-context payload such as " onmouseover="..., and it rejects legitimate input such as rich-text editor content.

Use the ValidateInput attribute on an ASP.NET controller or action with the value false only for the actions that genuinely need to accept markup (or AllowHtml on the specific model property), and output-encode those values when they are rendered. ASP.NET Core has no request validation at all and relies on Razor's default encoding.


* Set an explicit Content-Type header on every response, with a charset for text types: text/javascript for script files, text/html; charset=utf-8 for pages, image/png for a PNG image, application/json for API responses, so that the browser knows how to process the resource. If the content type is missing or wrong, browsers fall back to content and character-set sniffing to guess what the resource is, and user-supplied data served with a sniffable type (or without a charset) can end up interpreted as HTML or script. Send X-Content-Type-Options: nosniff alongside it so that the declared type is honored.


* Escaping (output encoding) is the technique of transforming characters so that the interpreter receiving them treats them as data rather than as syntax relevant to its parser: a literal '<' becomes &lt; in HTML, a double quote becomes \x22 inside a JavaScript string, and so on. The browser then renders the value as text instead of executing it as markup or code. The encoder has to match the destination: HTML-encoding a value that is written into a <script> block or an href attribute does not make it safe there.


* Razor views in ASP.NET MVC output-encode by default: writing @Model.Comment emits the value HTML-encoded. Html.Raw() and values typed as IHtmlString bypass that encoding, so every use of them is a code review point. Razor's automatic encoding is HTML encoding only; inside a <script> block use HttpUtility.JavaScriptStringEncode (or pass the data through a JSON data attribute), and for URL parameters use HttpUtility.UrlEncode.

Continued...Part 2
