how to handle cross side scripting (XSS) with umbraco website
Hi
I have developed one website using Umbraco 7.1.6 and uWebshop 2.5.1.0.
I have passed the website for pen testing and the website testing failed on cross-site scripting. They have told me to handle cross-site scripting to make the website safe from attackers.
I don't know how to do it with an Umbraco website. In the website most of the user inputs are validated through client-side JavaScript. I have also added a constraint for numeric fields so the user can enter only digits; for text fields I have added a constraint to enter characters only, so it will not allow any special characters. Yet it fails on cross-site scripting.
So can anyone please guide me here on how to implement it on the website? Do we have any settings in Umbraco CMS or in web.config / machine.config which can help me?
It's really urgent.
Thanks in advance !
Rohan Dave
Hi Rohan
Perhaps this cheatsheet from owasp can help a bit https://www.owasp.org/index.php/XSS(CrossSiteScripting)PreventionCheatSheet
I'm just wondering where the vulnerability has been found, since the validateRequest function should be built into the framework and work out of the box with Umbraco unless one deactivates it manually - You can read more about the function here https://msdn.microsoft.com/en-us/library/ms972969.aspx#securitybarriers_topic6
It may be a good idea to have a look at the Microsoft Web Protection Library as well, though http://wpl.codeplex.com/ - But I think that usually XSS is handled out of the box when using the .NET framework.
So do you know which parts of the website were exposed to XSS specifically? Could it be some custom code somewhere, or?
/Jan
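The two points raised in this thread (client-side JavaScript checks are not a defence, and .NET only helps if you encode at output time) are easier to see in code. The following is an added example written for this reply, not code from the thread, from Umbraco or from uWebshop. It shows an Umbraco 7 SurfaceController that repeats the form's validation rules on the server and then relies on context-specific output encoding rather than input filtering. The controller, model, view and property names are assumptions; the AntiXssEncoder class is the part of the Web Protection Library that was folded into .NET 4.5 as System.Web.Security.AntiXss.

```csharp
// Added example (not from the thread): server-side validation plus output encoding
// for a form posted to an Umbraco 7 SurfaceController. All names are assumptions.
using System.ComponentModel.DataAnnotations;
using System.Web;
using System.Web.Mvc;
using System.Web.Security.AntiXss;   // AntiXssEncoder, built into .NET 4.5+
using Umbraco.Web.Mvc;

public class ContactFormModel
{
    // The same rules the page's JavaScript enforces, re-checked on the server:
    // the browser-side checks can be skipped by any client that builds its own POST body.
    [Required, RegularExpression(@"^[A-Za-z ]{1,80}$")]
    public string Name { get; set; }

    [Required, RegularExpression(@"^\d{1,12}$")]
    public string Phone { get; set; }

    // Free text cannot be allow-listed without breaking legitimate input (quotes,
    // ampersands, angle brackets in prose), so this field is protected by encoding
    // wherever it is rendered, not by rejecting characters.
    [Required, StringLength(1000)]
    public string Message { get; set; }
}

public class ContactFormController : SurfaceController
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Submit(ContactFormModel model)
    {
        if (!ModelState.IsValid)
        {
            // Re-render the current Umbraco page with the validation messages.
            // Razor encodes them, so a rejected value cannot inject markup here.
            return CurrentUmbracoPage();
        }

        // Store the raw text; encoding is decided by the output context, not at input time.
        TempData["ContactName"] = model.Name;
        TempData["ContactMessage"] = model.Message;
        return RedirectToCurrentUmbracoPage();
    }

    // Helper used from a view when a value must be emitted inside a <script> block.
    // Razor's '@' HTML-encodes, which is wrong inside a JavaScript string literal,
    // so the value is JS-string-encoded here and the view wraps it in Html.Raw().
    public static string ForJavaScriptString(string value)
    {
        return AntiXssEncoder.JavaScriptStringEncode(value ?? string.Empty);
    }

    // Helper for a value placed in an HTML attribute built by hand (e.g. data-*).
    public static string ForAttribute(string value)
    {
        return AntiXssEncoder.HtmlAttributeEncode(value ?? string.Empty);
    }

    // Helper for a value placed in a query string.
    public static string ForUrl(string value)
    {
        return AntiXssEncoder.UrlEncode(value ?? string.Empty);
    }
}

/* Matching view fragment (ContactForm.cshtml, assumed name):

   @using (Html.BeginUmbracoForm<ContactFormController>("Submit"))
   {
       @Html.AntiForgeryToken()
       @Html.TextBoxFor(m => m.Name)
       @Html.TextBoxFor(m => m.Phone)
       @Html.TextAreaFor(m => m.Message)
       <input type="submit" value="Send" />
   }

   Safe (element body)  : <p>@TempData["ContactMessage"]</p>       -- '@' HTML-encodes by default
   Safe (script context): <script>var n = '@Html.Raw(ContactFormController.ForJavaScriptString((string)TempData["ContactName"]))';</script>
   Unsafe               : <p>@Html.Raw(TempData["ContactMessage"])</p>  -- Html.Raw switches encoding off
*/
```

When reviewing a site that failed a test like this, the usual finding is a template or macro that renders user-supplied text through @Html.Raw(...), string concatenation into a <script> block, or a classic .aspx <%= %> tag; none of those are covered by the client-side checks the question describes. Request validation (the validateRequest page setting and the httpRuntime requestValidationMode attribute in web.config) is a blunt filter that rejects input resembling markup; it is worth checking what your web.config sets, since a CMS that posts rich content from its backoffice typically relaxes it, but it should be treated as a backstop, not as the XSS defence.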