Injection Attacks

ASP.NET includes a feature designed to automatically combat script injection attacks, known as request validation. Two ways to disable request validation:

  • Disable for individual page

    <%@ Page ValidateRequest="false" Language="C#" AutoEventWireup="true"
    CodeFile="Default.aspx.cs" Inherits="_Default" %>

  • Disable the entire web application by modifying the web.config

    <configuration>
        <appSettings/>
        <connectionStrings/>
        <system.web>
          <pages validateRequest="false"/>
        </system.web>
    </configuration>

To prevent these script injection attacks, use Server.HtmlEncode:

Response.Write("Entered Input is:" + Server.HtmlEncode(txtInput.Text));

HtmlEncode replaces characters that have special meaning in HTML-to-HTML variables that represent those characters. For example, < is replaced with < and ” is replaced with “. Encoded data does not cause the browser to execute code. Instead, the data is rendered as harmless HTML.

By Bryan Xu

Posted in Security

Leave a Reply