Sign in
Microsoft.com
 
Microsoft
 
 
 

locked
Web API request with Cross-site Scripting attack RRS feed

 > 

  • Question

  • Question
    Sign in to vote
    0
    Sign in to vote

    I have below Web API request 

    {

      "type": "MVC_WEB_API",
      "status": "ONGOING",

      "description": "testing request <script> alert('hello) </script> testing again"

    }

    in the request body description added script tag with alert.  Can we say this is kind of vulnerability Cross-site Scripting attack? also how we can prevent such attack for web API request?


    • Edited by Prashant Gadekar Thursday, November 14, 2019 12:33 PM
    • Moved by CoolDadTx Friday, November 15, 2019 2:54 PM ASP.NET related
    Thursday, November 14, 2019 12:32 PM

All replies

  • Question
    Sign in to vote
    0
    Sign in to vote

    WebAPI has a forum in ASP.NET forums.

    http://forums.asp.net/

    Thursday, November 14, 2019 1:46 PM
  • Question
    Sign in to vote
    1
    Sign in to vote

    Yeah its a vulnerability.

    One approach is to enable an X-XSS-Protection header. You can do this in the web.config.

    Custom Header as in the following config entry. 
    <httpProtocol>
    <customHeaders>
        <remove name="X-Powered-By" />
        <add name="X-XSS-Protection" value="1; mode=block" />
   </customHeaders>
</httpProtocol>

    And configure the IIS response header as well.

    william xifaras

    Friday, November 15, 2019 1:41 AM