Web API request with Cross-site Scripting attack

  • Question

  • I have the below Web API request:

    {
      "type": "MVC_WEB_API",
      "status": "ONGOING",
      "description": "testing request <script> alert('hello') </script> testing again"
    }

    In the request body, the description field contains a script tag with an alert. Can we say this is a kind of Cross-site Scripting vulnerability? Also, how can we prevent such an attack for a Web API request?


    • Edited by Prashant Gadekar Thursday, November 14, 2019 12:33 PM
    • Moved by CoolDadTx Friday, November 15, 2019 2:54 PM ASP.NET related
    Thursday, November 14, 2019 12:32 PM

All replies

  • WebAPI has a forum in ASP.NET forums.

    http://forums.asp.net/

    Thursday, November 14, 2019 1:46 PM
  • Yeah, it's a vulnerability.

    One approach is to enable an X-XSS-Protection header. You can do this in the web.config.

    Custom header, as in the following config entry:
    <httpProtocol>
        <customHeaders>
            <remove name="X-Powered-By" />
            <add name="X-XSS-Protection" value="1; mode=block" />
        </customHeaders>
    </httpProtocol>

    And configure the IIS response header as well.


    william xifaras

    Friday, November 15, 2019 1:41 AM