How to avoid website hijacking?

Discussion in 'ASP .Net' started by Anton, Sep 5, 2009.

  1. Anton

    Anton Guest

    hi

    I'm creating a website where people can post comments etc. I fear that
    someone can post script into the comment field and the script will redirect
    the user to a different website - hijacking my website.

    not sure how to avoid this

    I know it's some kind of test I should do on what the user types into the
    comment field, but not sure how to do that test

    any ideas?
    Anton, Sep 5, 2009
    #1

  2. Patrice

    Patrice Guest

    Do you want to allow some markup ?

    Possible options are :

    - use HTMLEncode, this way *all* markup will be considered as text and will
    be just displayed (you could still recognize http scheme and add the link
    yourself)

    - if you want still to allow some code but not all you'll have to check the
    input for sanity. Try Googling for "html sanitizer". I would recommend a
    white list approach (i.e. rather than searching what is dangerous, all is
    dangerous except what you allowed). Also be aware of cases such as putting
    javascript: in an src attribute which could perhaps run on some browser...

    - AFAIK some are using special tags such as found in wikis. This way you
    don't allow any HTML markup but still users are able to do some formatting

    #3 would be likely my personal preference i.e. comments are NOT html markup
    still [http://www.mysite.com] or [http://mmy.site.com/myimage.png] could be
    turned into a "a" and "img" tag but safely and used with explicit user
    consent by clicking on the link. It is likely easier than avoiding
    introducing possible exploits in the allowed HTML markup.

    --
    Patrice


    "Anton" <no_email> wrote in message
    news:%...
    > hi
    >
    > I'm creating a website where people can post comments etc. I fear that
    > someone can post script into the comment field and the script will
    > redirect the user to a different website - hijacking my website.
    >
    > not sure how to avoid this
    >
    > I know it's some kind of test I should do on what the user types into the
    > comment field, but not sure how to do that test
    >
    > any ideas?
    >
    Patrice, Sep 5, 2009
    #2
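    Patrice's option 1 (encode everything) and option 3 (a wiki-style bracket syntax
    that is turned into a link or image by the site itself) combined in one
    routine. This is an added example, not code from the thread or from ASP.NET
    itself; it assumes the classic System.Web assembly and invents the
    CommentFormatter class and its bracket syntax for illustration. Only http and
    https URLs are accepted, so a javascript: token stays plain text.

    ```csharp
    // Added example (not from the thread): HtmlEncode first, then re-introduce
    // the single construct we allow, [http://...], building the tag ourselves.
    using System;
    using System.Text.RegularExpressions;
    using System.Web;

    public static class CommentFormatter
    {
        // One bracketed token: "[" + something without spaces or "]" + "]".
        private static readonly Regex BracketLink =
            new Regex(@"\[([^\s\]]+)\]", RegexOptions.Compiled);

        public static string Format(string rawComment)
        {
            // Step 1: neutralise *all* markup the user typed. After this a literal
            // "<script>" in the comment is only the text &lt;script&gt;.
            string encoded = HttpUtility.HtmlEncode(rawComment ?? string.Empty);

            // Step 2: rebuild the one allowed construct from the encoded text.
            return BracketLink.Replace(encoded, m => RenderToken(m.Groups[1].Value));
        }

        private static string RenderToken(string token)
        {
            // The token is already HTML-encoded (e.g. "&amp;" in a query string),
            // so decode it before parsing it as a URL and re-encode on output.
            string candidate = HttpUtility.HtmlDecode(token);

            Uri uri;
            if (!Uri.TryCreate(candidate, UriKind.Absolute, out uri)
                || (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps))
            {
                // Not an http/https URL (a "javascript:" token lands here):
                // leave the encoded text exactly as it was, brackets included.
                return "[" + token + "]";
            }

            string href = HttpUtility.HtmlAttributeEncode(uri.AbsoluteUri);
            string path = uri.AbsolutePath.ToLowerInvariant();

            if (path.EndsWith(".png") || path.EndsWith(".jpg") || path.EndsWith(".gif"))
            {
                return "<img src=\"" + href + "\" alt=\"\" />";
            }

            // The visible text is the URL itself, so the reader sees where a click leads.
            return "<a href=\"" + href + "\" rel=\"nofollow\">" + href + "</a>";
        }
    }
    ```

    Calling `CommentFormatter.Format("see [http://www.mysite.com] or [javascript:alert(1)]")`
    yields a real anchor for the first token and the literal text
    `[javascript:alert(1)]` for the second; the output can be assigned to a
    Literal control's Text because every piece of markup in it was produced by
    this code rather than copied from the user.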

  3. Scott M.

    Scott M. Guest

    The ASP .NET engine contains code to check for cross site scripting attacks
    and does this automatically for you. You don't need to worry about scripts
    being entered into your controls.

    -Scott


    "Anton" <no_email> wrote in message
    news:%...
    > hi
    >
    > I'm creating a website where people can post comments etc. I fear that
    > someone can post script into the comment field and the script will
    > redirect the user to a different website - hijacking my website.
    >
    > not sure how to avoid this
    >
    > I know it's some kind of test I should do on what the user types into the
    > comment field, but not sure how to do that test
    >
    > any ideas?
    >
    Scott M., Sep 5, 2009
    #3
  4. Patrice

    Patrice Guest

    > The ASP .NET engine contains code to check for cross site scripting
    > attacks and does this automatically for you. You don't need to worry
    > about scripts being entered into your controls.


    Works but if you do nothing then you can't use < or > which could be a
    problem depending on the kind of comments you expect (if the site is about
    HTML or programming it won't fit as is...). I agree though this is where the
    OP should start...

    --
    Patrice
    Patrice, Sep 5, 2009
    #4
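    The trade-off Scott and Patrice describe, as an added example (not code from
    the thread): ASP.NET request validation rejects any posted text that looks
    like markup, so a page whose comments legitimately contain `<` and `>` opts
    out of it for that one page and encodes on output instead. The page class,
    control names and the .aspx file it belongs to are assumed for illustration;
    the ValidateRequest page attribute and the requestValidationMode setting are
    real ASP.NET settings.

    ```csharp
    // Added example (not from the thread): code-behind for a comment page that
    // turns request validation off for this page only and encodes on output.
    // The matching .aspx page carries the directive
    //   <%@ Page Language="C#" ValidateRequest="false" Inherits="CommentsPage" %>
    // and on ASP.NET 4.0 or later web.config also needs
    //   <httpRuntime requestValidationMode="2.0" />
    // for the per-page attribute to take effect.
    using System;
    using System.Web;
    using System.Web.UI;
    using System.Web.UI.WebControls;

    public partial class CommentsPage : Page
    {
        // Controls declared in the (assumed) .aspx markup.
        protected TextBox CommentBox;
        protected Literal CommentOutput;

        protected void PostButton_Click(object sender, EventArgs e)
        {
            // With ValidateRequest="false" the raw text reaches us unchecked, so
            // the encode inside RenderComment is the only thing between the
            // user's text and every other visitor's browser.
            CommentOutput.Text = RenderComment(CommentBox.Text);
        }

        public static string RenderComment(string raw)
        {
            // "<script>" becomes "&lt;script&gt;": displayed as text, never run,
            // while a comment such as "use <b> for bold" still reads correctly.
            string safe = HttpUtility.HtmlEncode(raw ?? string.Empty);
            return "<p>" + safe.Replace("\n", "<br />") + "</p>";
        }
    }
    ```

    Leaving request validation on (the default) is the simpler choice when the
    comments never need angle brackets; once it is off, every place the comment
    is rendered, not only this page, has to encode it.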