
I was reading about XSS, and I know that ASP.NET doesn't allow saving HTML to the database.

So my question is: does using ASP.NET make my web application completely secure regarding XSS, without additional work from me, since an attacker can't submit any malicious code?

I know there are other ways malicious attackers can try, but I'm just asking about XSS right now.

Ahmed
  • Users will (hopefully) not be submitting requests directly to your SQL Server. There will be intermediary code that can have XSS vulnerabilities. SQL Server simply cannot prevent this possibility. – Scott Johnson Oct 17 '15 at 20:22
  • @ScottJohnson I think I'm missing something. Please let me ask you: if the user couldn't submit his script to the database, then it won't affect other users, right? What will the intermediary code do if it cannot be saved anyway? Also it would be great if you could recommend further reading. – Ahmed Oct 17 '15 at 20:28
  • Let's say you have a web app running on a typical Microsoft stack. Windows server, SQL Server for database, IIS for web server, and using ASP.NET for the app code. The user submits a request to the web server. The web server hands the request off to the ASP.NET code for processing. It's the ASP.NET code that would typically be communicating with the database. – Scott Johnson Oct 17 '15 at 20:34
  • Ahmed - your statement about not affecting other users seems misguided. Perhaps you don't fully understand XSS. In XSS, the user of your website is the victim. The attacker tricks a user into clicking a link to your site that has the user execute unwanted actions. So there is no "other user" in XSS. Just the user/victim and the attacker, who doesn't have to be a user. – Neil Smithline Oct 17 '15 at 20:46
  • [This](http://www.thegeekstuff.com/2012/02/xss-attack-examples/) has an example of a trivial XSS vulnerability without using a DB. Note that what they call "non-persistent" is more commonly called "reflected". Same meaning, just different vernacular. – Neil Smithline Oct 17 '15 at 20:50
  • Thanks for your time. What I was missing was the **reflected** type and how the attacker would make the user click a malicious link. I found this youtube [link](https://www.youtube.com/watch?v=V79Dp7i4LRM) that explains it well. – Ahmed Oct 17 '15 at 21:31
  • How do you mean it doesn't allow saving HTML? It does - HTML is simply text. – SilverlightFox Oct 22 '15 at 16:08
  • @SilverlightFox Thanks for pointing that out. Actually it's ASP.NET that prevents submitting `html` to the database. – Ahmed Oct 24 '15 at 08:35
  • Ahmed, you completely changed the question, so now the Answer makes no sense. I would ask a separate question because you have already accepted the Answer below. – schroeder Oct 26 '15 at 16:35
  • @schroeder I think the answer is still valid, because ASP.NET/SQL Server doesn't prevent XSS. ASP.NET's _Request Validation_ feature can only help against a **Persistent XSS Attack**, and **not** against any other type. And that is actually what the answer states, just in other words. Also we can edit _SQL Server_ to _ASP.NET_ in the answer. – Ahmed Oct 26 '15 at 18:15

1 Answer


SQL Server does not prevent XSS. XSS would still be possible via issues in the web application code. Proper use of prepared statements with SQL Server can prevent SQLi, but to prevent XSS, you must validate data received from untrusted sources and encode data before returning it in an HTTP response.

Scott Johnson
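The reflected case discussed in the comments, as an added example that is not part of the question or the answer: the page is built straight from the query string, so nothing is ever stored and request validation on stored data never comes into play. The method names and the sample input are made up for this demonstration; `System.Net.WebUtility.HtmlEncode` is the standard .NET encoder.

```csharp
// Added example (not from the question or answer): a reflected XSS needs no
// database. The handler below turns a query-string value into HTML, which is
// the "intermediary code" the comments refer to. Method names are hypothetical.
using System;
using System.Net;

static class ReflectedXssDemo
{
    // VULNERABLE: the untrusted ?q= value is concatenated into the response
    // verbatim, so any markup in the link the victim clicks becomes markup
    // in the page their browser renders. No stored data is involved.
    public static string BuildSearchPageUnsafe(string q) =>
        "<p>Results for: " + q + "</p>";

    // FIXED: the same value is HTML-encoded at the point it is written into
    // the response, so '<', '>', '"' and '&' arrive as text, not as tags.
    // This is the "encode data before returning it" step from the answer.
    public static string BuildSearchPageEncoded(string q) =>
        "<p>Results for: " + WebUtility.HtmlEncode(q) + "</p>";

    static void Main()
    {
        // Constructed sample input: what a crafted link might carry in ?q=
        string q = "<script>alert('xss')</script>";

        Console.WriteLine(BuildSearchPageUnsafe(q));
        // <p>Results for: <script>alert('xss')</script></p>  (browser executes it)

        Console.WriteLine(BuildSearchPageEncoded(q));
        // <p>Results for: &lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;</p>
        // (browser displays the text; nothing runs)
    }
}
```

Encoding must match the context the value lands in (HTML body, attribute, JavaScript, URL); `HtmlEncode` covers the HTML-body case shown here.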