Clarity, Technology, and Solving Problems | PracticeThis.com
WP7 App with Key Windows Azure resources – Slides, Videos, How-To’s, and T-shooting – for quick consumption on the go.
Want to quickly check your ASP.NET Web application for Cross Site Scripting (XSS) vulnerability?
It is pretty easy with the knowledge and tools you already have. This post describes how to quickly find and fix most of XSS vulnerabilities in your code.
XSS vulnerabilities are possible when un-sanitized data printed out on the page. From what I witness when I do security code inspections most cases can be summarized to two most common:
<%#DataBinder.Eval(Container.DataItem, "TEXT") %>
Label1.Text = TextBox1.Text;
Above patterns are easily identifiable using any strings search utility. I use Visual Studio 2005 As General Code Search Tool to find such vulnerabilities. When Visual Studio is not an option, just use FindStr, here is an example - Code Inspection - First Look For What To Look For.
Run your search for ".Eval(" and then for ".Text =". You might want to modify slightly it as some folks omit space before "=" or other minor changes.
Use searches similar to these:
Ran your search yet? What do you see? Scared?
The fix is pretty simple - just apply Html Encoding to both cases. The best is using freely available Microsoft Anti-Cross Site Scripting Library V1.5. Note that ASP.NET’s Server.HtmlEncode is not the safest one as it only encodes <,>,",& characters which is not sufficient to protect against all possible attacks.
Yesterday I gave a talk about the subject during Performance Open House
First off, thanks for attending my talk. The materials are published here.
Building ASP.NET web applications? Plan to serve thousands of users? Would you like to see how your application would behave [misbehave] under stress?
Use simple-to-use and freely available WCAT tool to generate the load and get detailed report for expected throughput (requests/sec) and other important performance-wise information.
Next section describes each step in details. Note, this post is a how-to, a jump start - not the guidelines or best practices of how to use the tool.
Download and install Internet Information Services (IIS) 6.0 Resource Kit Tools. For the purpose of our exercise there is no need to install all the tools included with the resources kit, only WCAT.
There are three textual files one needs to create and configure (you can give any name and extension of your choice):
NEW TRANSACTION classId = 1 NEW REQUEST HTTP Verb = "GET" URL = "http://localhost/BankingShmanking/Default.aspx"
Warmuptime 5s Duration 30s CooldownTime 5s NumClientMachines 1 NumClientThreads 20
Save the files in "C:\Program Files\IIS Resources\WCAT Controller" folder.
To run the stress test open command prompt by opening Run window(Windows + R) type cmd and hit Enter. Change current directory to "C:\Program Files\IIS Resources\WCAT Controller>" and run the following command to test the page hosted on the localhost:
wcctl -c config.txt -d distribution.txt -s script.txt -a localhost
then open second command prompt, change current folder to "C:\Program Files\IIS Resources\WCAT Client" and run the following command to actually launch the virtual client's requests from local machine:
The results are displayed interactively in the command line windows
The tool also generates log file that includes logged metrics - look for it in "C:\Program Files\IIS Resources\WCAT Controller" folder.
WCAT tool is actively developed by IIS team and recently they released new version of the tool - WCAT 6.3, download it from here, free.