XSS – Validating User Input

Server\Passive XSS is when a malicious script or HTML is injected by a hacker, usually through your website, and is then persisted or stored somewhere – this is usually in your database. Then another user views a page that references the content, the website passes the malicious script or HTML to the innocent user’s browser and […]

ASP.NET (Server\Passive) XSS Encoding Code Review

When code reviewing ASP.NET MVC application to prevent passive XSS issues (for an example of an active XSS issue see ASP.NET (Client\Active) XSS) there are two areas broadly to consider, what is 1) being submitted and stored in your db in the first place i.e. prevent anything nasty from being stored in the first place 2) being […]

ASP.NET (Client\Active) XSS

Below is an example of active\client XSS that I ran into sometime ago. Active\client XSS refers to the situation when the user themselves does something to inject malicious code or html into a website that compromises themselves. You are probably thinking why on earth would they do that. Well below is a good example of how a […]