Tag Archives: Cross-site scripting

CSP (Content Security Policy)

In this post, I’ll practically show you one promising new defense using CSP (Content Security Policy) that can significantly reduce possible XSS (Cross-Site Scripting) attacks in modern web-browsers (currently Chrome 16+ and Firefox 4+)!

I’ll not only block inline/outer scripts but also ask user-agent to auto-generate report for each violated activity it founds that violates my pre-defined policy.

Read full post:

Exploring CSP (Content Security Policy) using ASP.NET MVC

Test online: http://csp.somee.com/

Cross-Origin requests and ASP.NET MVC

We can initiate cross-domain request in our webpage by creating either XMLHttpRequest object or XDomainRequest object. End user’s web-browser will request data from the domain’s server by sending an “Origin” header with the value of origin. If server responds with an “Access-Control-Allow-Origin:* | Origin” then we are permitted to access data; otherwise response will be unauthorized request.

Because we’ve to handle our server response for allowing cross-origin requests; we’ll use BeginRequest event handler in the Global.asax file for adding “Access-Control-Allow-Origin” header in our response.

HttpApplication.BeginRequest event occurs as the first event in the HTTP pipeline chain of execution when ASP.NET responds to a request. The BeginRequest event signals the creation of any given new request. This event is always raised and is always the first event to occur during the processing of a request.

protected void Application_BeginRequest(object sender, EventArgs e)
                "Access-Control-Allow-Origin", "*");    /* HttpContext.Current.Response.AddHeader(
      "http://AllowedDomain.com"); */

Asterisk (*) symbol indicates that request is public; however for the sake of security; we can allow a specific domain. In that case, the server will check whether request’s “Origin” header matches with domain-name that we allowed. So server will block unauthorized requests as soon as possible.

You can validate requests action-level by creating an attribute inherited to “ActionFilterAttribute” and allow only one action method to be accessible from cross-domains.

Support of Cross Browsers

Cross-Origin requests supported on IE8 (Windows 7 version),
Safari 4+
, Chrome and Firefox 3.5+ web-browsers. Preflight or Credential requests are supported on Firefox 3.5+Safari 4+ and Chrome web-browsers; IE8 doesn’t support them. You’ve to use XDomainRequest object for supporting IE8+ for cross-origin requests. IE6 and IE7 are not
supporting cross-origin requests.

For more details: please read Nicholas C. Zakas‘s article: Cross-domain Ajax with Cross-Origin Resource Sharing

Possible Attacks

Same origin used by web browsers
has a most significant protection again attack; however, cross origin requests are mostly vulnerable to attack.

  • CSRF attack: Cross-Site Request Forgery attack. CSRF interacts
    with user credentials and do malicious stuff on behalf of the user. It mostly applied to email accounts.
  • XSS attack: Cross-Site Scripting attack occurs to inject malicious
    data with POST/GET messages.
  • DNS Rebinding attack is interaction with DNS hostnames and networks address. Hacker injects malicious code and executes it; on the server side; server consider hacker’s request as authentic request because hostname matches.
  • Spoofing and re-direction attacks are mostly applied
    to cross-origin requests because server heavily relies upon HTTP headers to determine which site can access resources as well as what action they are permitted to do.

For cross-origin requests’ security: “Ensure user authority cannot be misused or compromised“.

A while ago, I wrote an article “ASP.NET MVC security and hacking: Defense-in-depth“, in which I talked about XSS and CSRF attacks. All of those attacking techniques also apply to cross-origin requests.

There is no definitive way to protect your cross-origin requests however; you can make your requests harder to attack by using some techniques as Google,
Twitter and Facebook are doing with their cross-origin APIs like Twitter‘s tweets APIs; Facebook‘s live stream and comments APIs.