Prevent XSS attacks

문서 > Datadog 보안 > Code Security > Static Code Analysis (SAST) > SAST 규칙 > Prevent XSS attacks

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

ID: csharp-security/xss-protection

Language: C#

Severity: Error

Category: Security

CWE: 79

Description

This rule is designed to prevent Cross-Site Scripting (XSS) attacks, which occur when an application includes untrusted data in a new web page without proper validation or escaping. XSS attacks allow attackers to execute scripts in the victim’s browser, which can lead to a variety of malicious outcomes such as stealing sensitive data or performing actions on behalf of the user.

The importance of this rule lies in the potential for significant security breaches. XSS attacks can lead to unauthorized access, data theft, and other serious consequences. Therefore, it is crucial to ensure that your C# code is not susceptible to such vulnerabilities.

Good coding practices to avoid XSS attacks include always encoding user input before including it in HTML content, using functions like HtmlEncoder.Default.Encode or HttpUtility.HtmlEncode. Avoid using methods that might introduce vulnerabilities, such as Html.Raw or direct Response.Write with user input. Even when the input comes from a seemingly trusted source, it’s still a good idea to encode it, as it might contain dangerous payloads that were injected earlier.

Non-Compliant Code Examples

using Microsoft.AspNetCore.Mvc;
using System.Web;

namespace VulnerableApp
{
    public class VulnerableController : Controller
    {
        [HttpGet("/profile")]
        public IActionResult ShowProfile(string username)
        {
            // Non-compliant: Unencoded user input in Content
            return Content("<div>Hello, " + username + "</div>", "text/html");
        }
        
        [HttpGet("/comment")]
        public IActionResult ShowComment(string comment)
        {
            // Non-compliant: Html.Raw with user input
            ViewBag.UserComment = Html.Raw(comment);
            return View();
        }
        
        [HttpGet("/search")]
        public IActionResult Search(string query)
        {
            // Non-compliant: Direct Response.Write with user input
            Response.ContentType = "text/html";
            Response.Write("<h2>Search results for: " + query + "</h2>");
            
            return new EmptyResult();
        }
    }
}

Compliant Code Examples

using Microsoft.AspNetCore.Mvc;
using System.Web;
using System.Text.Encodings.Web;

namespace SecureApp
{
    public class SecureController : Controller
    {
        [HttpGet("/user-profile")]
        public IActionResult ShowUserProfile(string username)
        {
            // Compliant: Using HTML encoding
            return Content("<div>Hello, " + HtmlEncoder.Default.Encode(username) + "</div>", "text/html");
            
            // Also compliant: Using HttpUtility
            // return Content("<div>Hello, " + HttpUtility.HtmlEncode(username) + "</div>", "text/html");
        }
        
        [HttpGet("/welcome")]
        public IActionResult Welcome(string name)
        {
            // Compliant: Static string without user input
            return Content("<h1>Welcome to our site!</h1>", "text/html");
        }
        
        [HttpGet("/product")]
        public IActionResult ShowProduct(int id)
        {
            string productName = GetProductName(id); // From database, not user input
            
            // Compliant: Values from trusted sources
            ViewBag.ProductName = productName;
            return View();
        }
    }
}