How to check potential XSS characters in C#?

XSS typically involves injecting JavaScript or other code into a website's output to perform unintended actions on behalf of the user.

How to check if query string in URL contains potential XSS characters?

The query string in a URL can contain potential XSS characters, such as `<`, `>`, and other script-related patterns. For example, a URL like `https://example.com/search?term=<script>alert('XSS')</script>` demonstrates a potential XSS vulnerability where malicious scripts could be injected into the web application.

In this case, the query string is:

term=<script>alert('XSS')</script>

You can create a method to check if a given input (such as from a query string, form, or HTTP header) contains potential XSS payloads or dangerous characters. These include common characters used in XSS attacks, such as <, >, ", ', &, =, etc.

For example, check the string contains xss

public static bool HasXssFilterChars(string s)
{
    if (string.IsNullOrEmpty(s))
        return false;

    return s.ToLower().Contains("<") || s.Contains(">") ||
           s.Contains("%3c") || s.Contains("%3e") ||
           s.Contains("＜") || s.Contains("＞") ||
           s.Contains("%ef%bc%9c") || s.Contains("%ef%bc%9e");
}

Usage

string input = Request.QueryString["search"]; // Example input from query string
if (HasXssFilterChars(input))
{
    //Potential XSS detected!
}

If you detect that user input contains potentially dangerous characters or patterns, you can sanitize or escape that input before rendering it in the page or executing it.

For example, in C#, you can escape special characters like <, >, and & to their HTML-encoded equivalents. This ensures that any potentially harmful HTML or JavaScript will not be executed in the browser.

You can use the HttpUtility.HtmlEncode() method from the System.Web namespace to encode user input safely as shown below.

public static string SanitizeInput(string input)
{
    if (string.IsNullOrEmpty(input))
        return string.Empty;
    // Encode the input to prevent execution of any injected HTML or JavaScript
    return HttpUtility.HtmlEncode(input);
}

Usage

string unsafeInput = Request.QueryString["search"];
string safeInput = SanitizeInput(unsafeInput);
// Now render 'safeInput' in your page

You can also use regular expressions to look for specific patterns commonly used in XSS attacks.

For example, looking for <script> tags or javascript: protocols in the input string.

public static bool ContainsXSSUsingRegex(string input)
{
    if (string.IsNullOrEmpty(input))
        return false;
    // Regular expression to match potential XSS patterns
    string pattern = @"<.*?>|javascript:|onerror=|onload=|<script.*?>|</script>";
    var regex = new Regex(pattern, RegexOptions.IgnoreCase);
    return regex.IsMatch(input);
}

A good defense against XSS is to apply a Content Security Policy (CSP). CSP helps mitigate XSS risks by restricting the sources from which scripts can be loaded and executed. However, this is a server-side configuration and not specific to C# code, but it’s worth mentioning as part of a multi-layered security strategy.

For example, in ASP.NET Core, you can configure a CSP in the Startup.cs file:

public void Configure(IApplicationBuilder app)
{
    app.UseCsp(options => options
        .DefaultSources(s => s.Self())
        .ScriptSources(s => s.Self().CustomSources("https://trusted-cdn.com"))
        .StyleSources(s => s.Self().CustomSources("https://trusted-styles.com"));
}

By combining these methods, you can significantly reduce the risk of XSS vulnerabilities in your C# applications.