Script injection is a serious security vulnerability that enables an attacker to inject malicious code into the user interface elements of the Web forms of data-driven Web sites.

Wikipedia states, HTML/Script injection is a popular subject, commonly termed Cross-Site Scripting, or XSS. XSS refers to an injection flaw whereby user input to a web script or something along such lines is placed into the output HTML, without being checked for HTML code or scripting.

Common Tags Prone to Script Injections

The following are some of the most common HTML tags that may be prone to script injection attacks:

<script>
<meta>
<html>
<body>
<embed>
<frame>
<frameset>
<img>
<style>
<link>
<object>

Simulating Script Injection Attacks

In this section we'll write a sample application that demonstrates how script injection takes place.

Follow these steps:
1. Create a new Web site and save it with a name.
2. Switch to the design view mode of the Default.aspx file.
3. Drag and drop a label, a textbox, and a button control onto the Web form (here's how the mark-up code of your .aspx file will look):

<body>
 <form id="form1" runat="server">
  <div>
    <asp:Label ID="Label1" runat="server"
     Text="Enter your name: "></asp:Label>
    <asp:TextBox ID="TextBox1" runat="server"></asp:TextBox>
    <asp:Button ID="Button1" runat="server" Text="Button" />
  </div>
 </form>
</body>

4. Next, set the Default.aspx Web form as the start page of the application.

Now type the following in the textbox and click the button control:

<script language="javascript" type="text/javascript">
window.onload = func; function func() { alert('Hi'); }
</script>

With request validation enabled (the ASP.NET default), the postback is rejected with the error "A potentially dangerous Request.Form value was detected from the client" before any of your code runs; the next section looks at what happens when that check is switched off.

Preventing Script Injection Attacks

Here are some techniques  you can adopt to avoid script injection attacks in your applications:

1. You can disable request validation in your Web page:

<%@ Page ValidateRequest="false" Language="C#" AutoEventWireup="true"
 CodeFile="Default.aspx.cs" Inherits="_Default" %>

If ValidateRequest is turned off for the Web page, you can type in the same script as we did earlier, click the button control, and see that there aren't any errors being displayed.

Note that you can also disable request validation at the application level by turning off ValidateRequest in the pages element of your application's configuration file:

<configuration>
    <appSettings/>
    <connectionStrings/>
    <system.web>
      <pages validateRequest="false"/>
    </system.web>
</configuration>

2. Using Server.HtmlEncode() to encode the user's input before it is written to the response:

    String strName = Server.HtmlEncode(TextBox1.Text);
    Response.Write("Name: " + strName);

3. Rejecting certain special characters such as "<", ">", "*", "%", "!", "@", etc.
4. Ensuring the correct data is entered in the Web form user interface elements before the form is submitted. Also, you should restrict the user's input to a certain type and number of characters. As an example, if you are accepting a name from a user, it should only contain letters, spaces, and dots. You should not allow the user to type in other characters and then submit the input.
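Here is an added example (not code from the original article) that puts a vulnerable handler next to a hardened one in the code-behind for Default.aspx. It assumes the Label1/TextBox1/Button1 controls from the mark-up above and that the button is wired with OnClick="Button1_Click"; the names Button1_Click_Vulnerable and NameRule are mine. Setting ValidateRequest="false" only removes the framework's check, so the whitelist validation and the Server.HtmlEncode call are what actually stop the injected script from being rendered.

```csharp
// Default.aspx.cs: added example, not code from the original article.
// Assumes the Label1/TextBox1/Button1 controls from the mark-up above and that
// the button is wired with OnClick="Button1_Click".
using System;
using System.Text.RegularExpressions;
using System.Web.UI;

public partial class _Default : Page
{
    // Rule from point 4: a name may contain only (ASCII) letters, spaces and dots,
    // and its length is capped as well. NameRule is a name chosen for this example.
    private static readonly Regex NameRule = new Regex(@"^[A-Za-z .]{1,50}$");

    // VULNERABLE (hypothetical handler shown for contrast): raw input goes straight
    // into the response, so <script>alert('Hi')</script> is parsed as mark-up and
    // runs in the browser once ValidateRequest="false" lets it through.
    protected void Button1_Click_Vulnerable(object sender, EventArgs e)
    {
        Response.Write("Name: " + TextBox1.Text);
    }

    // HARDENED: reject anything outside the whitelist, then encode what is echoed.
    protected void Button1_Click(object sender, EventArgs e)
    {
        string name = TextBox1.Text.Trim();

        if (!NameRule.IsMatch(name))
        {
            // Reject rather than strip characters, and never echo the offending input.
            Response.Write("Please enter a name using letters, spaces and dots only.");
            return;
        }

        // Server.HtmlEncode turns <, >, " and & into &lt; &gt; &quot; &amp;,
        // so the browser displays the text instead of interpreting it as mark-up.
        Response.Write("Name: " + Server.HtmlEncode(name));
    }
}
```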

Another common form of injection attack is SQL Injection. To learn more about SQL Injection attacks, refer to my article at http://www.aspnetpro.com/newsletterarticle/2006/12/asp200612jk_l/asp200612jk_l.asp.

Conclusion

Script injection attacks are a major concern to the Web development community these days. In this article we've had a look at what script injection attacks are and why they happen, and we also simulated script injection in a sample application. Lastly, we discussed some of the best practices to prevent script injection attacks in our applications. Happy reading!

Joydip Kanjilal is a Microsoft MVP in ASP.NET. He has more than 12 years of industry experience in IT with more than six years in Microsoft .NET and its related technologies. He is the author of ASP.NET Data Presentation Controls Essentials (Packt Publishing) and SAMS Teach Yourself ASP.NET Ajax in 24 Hours, and has authored articles for some of the most reputable sites, including http://www.asptoday.com, http://www.devx.com, http://www.aspalliance.com, http://www.aspnetpro.com, http://www.sql-server-performance.com, and http://www.sswug.com. Many of these articles have been selected at http://www.asp.net, Microsoft's official site for ASP.NET. Joydip was also a community credit winner at http://www.community-credit.com a number of times. He is currently working as a Lead Architect in a reputable company in Hyderabad, India. He has years of experience in designing and architecting solutions for various domains. His technical strengths include C, C++, VC++, Java, C#, Microsoft .NET, AJAX, Design Patterns, SQL Server, Operating Systems, and Computer Architecture. Joydip blogs at http://aspadvice.com/blogs/joydip and spends most of his time reading books and blogs, and writing books and articles. His hobbies include watching cricket and soccer and playing chess.