Using a Generic Method to Encode String Properties In Order To Avoid Cross Site Scripting Attacks

Cross Site Scripting Attacks (XSS Attacks) are a real problem; don’t make the mistake of thinking they aren’t in widespread use or that you are not vulnerable. During the development of your project you need to explicitly take steps to avoid exposing your site’s visitors to this serious issue. You can use the Microsoft Web Protection Library to reduce the risk of XSS attacks; get it here: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=f4cd231b-7e06-445b-bec7-343e5884e651

Recently I developed a simple generic method that I can pass objects to, which loops over their properties and automatically HTML encodes any that are strings. This is useful when you use ORM systems such as Linq2Sql or ADO.NET Entity Framework, which generate an object model of your database that often includes properties of type String.

Here is how to call the method:


Here is the code:


Widely available, simple to use hacker tools make it easy for you to become a victim, no effort required

Got BeEF? If you have no idea what I’m talking about, or think it’s a Wendy’s commercial, you are in for a big surprise. Go to http://www.bindshell.net/tools/beef/ and you will forever be changed. Here is the description of what BeEF is, directly from the source:

“BeEF is a browser exploitation framework. This tool will demonstrate the collecting of zombie browsers and browser vulnerabilities in real-time. It provides a command and control interface which facilitates the targeting of individual or groups of zombie browsers.”

Recently I saw BeEF in action, showing how it can be used with a Cross Site Scripting (XSS) attack to silently turn an unsuspecting user’s browser session into a Zombie that does the hacker’s bidding, all without the victim ever knowing anything.

Imagine someone getting you to commit crimes, steal for them, or whatever they wanted, all while you thought you were doing something else. It was a serious eye-opener. There are lots of tutorials to show you how to use BeEF: http://www.bindshell.net/tools/beef/tutorials

Now that I have your attention, it’s time to start thinking about hacking and how to avoid becoming a victim. Learn about the tools available, the threats that are common, and what you can do to prevent them. Consider taking one of the many courses offered by the SANS Institute; believe me, it will be worth it!

You Cannot Stop a Hacker

Securing your applications, network, and everything in between involves implementing staggered levels of security (known as a “Defense In Depth” strategy), each a small deterrent that, when combined together, creates a defensive strategy that is quite frankly too much of a pain in the ass for the hacker, resulting in the hacker moving on to easier targets.

The keyword here is “deterrent”: if a hacker wants in they will eventually accomplish their goal; making it take a thousand years, as opposed to a thousandth of a second, is up to you. Visit the SANS Institute and learn what you’re up against. The threat is real, and you will eventually become a victim.