{"componentChunkName":"component---src-pages-markdown-remark-fields-slug-js","path":"/engineering/anti-xss-middleware-asp-core/","result":{"data":{"markdownRemark":{"id":"ee1d95f0-3d9b-5563-adc3-96257e4b7b61","excerpt":"In this blog, we learn how to implement the AntiXssMiddleware in .NET Core. First, we will understand about the cross-site scripting. Cross-Site Scripting(XSS…","html":"

In this blog, we learn how to implement the AntiXssMiddleware in .NET Core. First, we will understand about the cross-site scripting.

\n

Cross-Site Scripting(XSS)

\n

Cross-site scripting is a security vulnerability and a client-side code injection attack. In this attack, the malicious script is injected into legitimate websites.\nCross-site scripting allows an attacker to act like a victim user and to carry out the actions that the user can perform. The attacker can access the user's data as well.

\n

Implement AntiXssMiddleware in .NET Core

\n

Step 1: Create Asp.NET Core Web Application project in Visual Studio.

\n

Step 2: Select type as API in the next step and create the project. You will find a default controller which is created in the controller folder named as WeatherForecastController.cs

\n

Step 3: Now create a new folder named Middleware in the root directory.

\n

Step 4 : Create a new file AntiXssMiddleware.cs in that Middleware folder.

\n

Step 5: Now add the Newtonsoft.json package into your solution

\n

By doing the above steps you will have below structure in your solution.

\n

\n \n \"Solution\n

\n

Step 6: Now edit the AntiXssMiddlewars.cs file and paste below code.

\n
using System;\nusing System.Collections.Generic;\nusing System.IO;\nusing System.Linq;\nusing System.Net;\nusing System.Text;\nusing System.Text.RegularExpressions;\nusing System.Threading.Tasks;\nusing Microsoft.AspNetCore.Builder;\nusing Microsoft.AspNetCore.Http;\nusing Newtonsoft.Json;\n\nnamespace AntiXssMiddleware.Middleware\n{\n    public class AntiXssMiddleware\n    {\n        private readonly RequestDelegate _next;\n        private ErrorResponse _error;\n        private readonly int _statusCode = (int)HttpStatusCode.BadRequest;\n\n        public AntiXssMiddleware(RequestDelegate next)\n        {\n            _next = next ?? throw new ArgumentNullException(nameof(next));\n        }\n\n        public async Task Invoke(HttpContext context)\n        {\n            // Check XSS in URL\n                if (!string.IsNullOrWhiteSpace(context.Request.Path.Value))\n                {\n                    var url = context.Request.Path.Value;\n\n                    if (CrossSiteScriptingValidation.IsDangerousString(url, out _))\n                    {\n                        await RespondWithAnError(context).ConfigureAwait(false);\n                        return;\n                    }\n                }\n\n                // Check XSS in query string\n                if (!string.IsNullOrWhiteSpace(context.Request.QueryString.Value))\n                {\n                    var queryString = WebUtility.UrlDecode(context.Request.QueryString.Value);\n\n                    if (CrossSiteScriptingValidation.IsDangerousString(queryString, out _))\n                    {\n                        await RespondWithAnError(context).ConfigureAwait(false);\n                        return;\n                    }\n                }\n\n                // Check XSS in request content\n                var originalBody = context.Request.Body;\n                try\n                {\n                    var content = await ReadRequestBody(context);\n\n                    if (CrossSiteScriptingValidation.IsDangerousString(content, out _)) \n                    {\n                            await RespondWithAnError(context).ConfigureAwait(false);\n                            return;\n                    }\n                    await _next(context).ConfigureAwait(false);\n                }\n                finally\n                {\n                    context.Request.Body = originalBody;\n                }\n        }\n\n        private static async Task<string> ReadRequestBody(HttpContext context)\n        {\n            var buffer = new MemoryStream();\n            await context.Request.Body.CopyToAsync(buffer);\n            context.Request.Body = buffer;\n            buffer.Position = 0;\n\n            var encoding = Encoding.UTF8;\n\n            var requestContent = await new StreamReader(buffer, encoding).ReadToEndAsync();\n            context.Request.Body.Position = 0;\n\n            return requestContent;\n        }\n\n        private async Task RespondWithAnError(HttpContext context)\n        {\n            context.Response.Clear();\n            context.Response.Headers.AddHeaders();\n            context.Response.ContentType = "application/json; charset=utf-8";\n            context.Response.StatusCode = _statusCode;\n\n            if (_error == null)\n            {\n                _error = new ErrorResponse\n                {\n                    Description = "Error from AntiXssMiddleware",\n                    ErrorCode = 500\n                };\n            }\n\n            await context.Response.WriteAsync(_error.ToJSON());\n        }\n    }\n\n    public static class AntiXssMiddlewareExtension\n    {\n        public static IApplicationBuilder UseAntiXssMiddleware(this IApplicationBuilder builder)\n        {\n            return builder.UseMiddleware<AntiXssMiddleware>();\n        }\n    }\n\n\n    /// <summary>\n    /// Imported from System.Web.CrossSiteScriptingValidation Class\n    /// </summary>\n    public static class CrossSiteScriptingValidation\n    {\n        private static readonly char[] StartingChars = { '<', '&' };\n\n        #region Public methods\n\n        public static bool IsDangerousString(string s, out int matchIndex)\n        {\n            //bool inComment = false;\n            matchIndex = 0;\n\n            for (var i = 0; ;)\n            {\n\n                // Look for the start of one of our patterns \n                var n = s.IndexOfAny(StartingChars, i);\n\n                // If not found, the string is safe\n                if (n < 0) return false;\n\n                // If it's the last char, it's safe \n                if (n == s.Length - 1) return false;\n\n                matchIndex = n;\n\n                switch (s[n])\n                {\n                    case '<':\n                        // If the < is followed by a letter or '!', it's unsafe (looks like a tag or HTML comment)\n                        if (IsAtoZ(s[n + 1]) || s[n + 1] == '!' || s[n + 1] == '/' || s[n + 1] == '?') return true;\n                        break;\n                    case '&':\n                        // If the & is followed by a #, it's unsafe (e.g. S) \n                        if (s[n + 1] == '#') return true;\n                        break;\n\n                }\n\n                // Continue searching\n                i = n + 1;\n            }\n        }\n\n        #endregion\n\n        #region Private methods\n\n        private static bool IsAtoZ(char c)\n        {\n            return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');\n        }\n\n        #endregion\n\n        public static void AddHeaders(this IHeaderDictionary headers)\n        {\n            if (headers["P3P"].IsNullOrEmpty())\n            {\n                headers.Add("P3P", "CP=\\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\\"");\n            }\n        }\n\n        public static bool IsNullOrEmpty<T>(this IEnumerable<T> source)\n        {\n            return source == null || !source.Any();\n        }\n        public static string ToJSON(this object value)\n        {\n            return JsonConvert.SerializeObject(value);\n        }\n    }\n\n    public class ErrorResponse\n    {\n        public int ErrorCode { get; set; }\n        public string Description { get; set; }\n    }\n\n}
\n

In the above file we have created the method for checking the Xss in QueryParam, RequestUri and RequestBody.

\n

Here we have different methods which are as follows:-

\n

ReadRequestBody which is used for reading the RequestBody.

\n

RespondWithAnError which is used for returning the error.

\n

IsDangerousString which is checking if there is any dangerous string like any script in the given string.

\n

Step 7: Edit the Startup.cs file and add below line in Configure method.

\n
app.UseAntiXssMiddleware();
\n

Step 8 : After editing the Startup.cs file will look like below

\n
using System;\nusing System.Collections.Generic;\nusing System.Linq;\nusing System.Threading.Tasks;\nusing AntiXssMiddleware.Middleware;\nusing Microsoft.AspNetCore.Builder;\nusing Microsoft.AspNetCore.Hosting;\nusing Microsoft.AspNetCore.HttpsPolicy;\nusing Microsoft.AspNetCore.Mvc;\nusing Microsoft.Extensions.Configuration;\nusing Microsoft.Extensions.DependencyInjection;\nusing Microsoft.Extensions.Hosting;\nusing Microsoft.Extensions.Logging;\n\nnamespace AntiXssMiddleware\n{\n    public class Startup\n    {\n        public Startup(IConfiguration configuration)\n        {\n            Configuration = configuration;\n        }\n\n        public IConfiguration Configuration { get; }\n\n        // This method gets called by the runtime. Use this method to add services to the container.\n        public void ConfigureServices(IServiceCollection services)\n        {\n            services.AddControllers();\n        }\n\n        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.\n        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)\n        {\n            if (env.IsDevelopment())\n            {\n                app.UseDeveloperExceptionPage();\n            }\n\n            app.UseHttpsRedirection();\n            app.UseAntiXssMiddleware();\n            app.UseRouting();\n            app.UseAuthorization();\n            app.UseEndpoints(endpoints =>\n            {\n                endpoints.MapControllers();\n            });\n        }\n    }\n}
\n

Step 9: Now build and run the solution.

\n

As we run the default API which is https://localhost:44369/weatherforecast we will get the below response.

\n
[\n    {\n        "date": "2020-08-21T11:58:40.0289718+05:30",\n        "temperatureC": 27,\n        "temperatureF": 80,\n        "summary": "Sweltering"\n    },\n    {\n        "date": "2020-08-22T11:58:40.0289896+05:30",\n        "temperatureC": 21,\n        "temperatureF": 69,\n        "summary": "Cool"\n    },\n    {\n        "date": "2020-08-23T11:58:40.0289899+05:30",\n        "temperatureC": -20,\n        "temperatureF": -3,\n        "summary": "Hot"\n    },\n    {\n        "date": "2020-08-24T11:58:40.0289901+05:30",\n        "temperatureC": 21,\n        "temperatureF": 69,\n        "summary": "Sweltering"\n    },\n    {\n        "date": "2020-08-25T11:58:40.0289902+05:30",\n        "temperatureC": 2,\n        "temperatureF": 35,\n        "summary": "Balmy"\n    }\n]
\n

Now if we inject any script in the above url like https://localhost:44369/weatherforecast<script></script> we will get the response as

\n
{\n    "ErrorCode": 500,\n    "Description": "Error from AntiXssMiddleware"\n}
\n

Note:

\n
    \n
  1. The default port may be different when you run the project. So change the port accordingly.
    2. \n
  2. You can customize the error message according to your need.
    3. \n
\n

Conclusion

\n

In this blog, we learnt about how to implement AntiXssMiddlware in ASP.NET Core Web Application Project. We have implemented the AntiXssMiddleware in API's QueryParam, ReuqestUri and RequestBody. So if any script is injected in QueryParam, RequestUri or RequestBody then it will give the error.

\n","headings":[{"value":"Cross-Site Scripting(XSS)","depth":2},{"value":"Implement AntiXssMiddleware in .NET Core","depth":2},{"value":"Conclusion","depth":2}],"fields":{"slug":"/engineering/anti-xss-middleware-asp-core/"},"frontmatter":{"metatitle":null,"metadescription":null,"description":null,"title":"Implement AntiXssMiddleware in .NET Core Web","canonical":null,"date":"August 26, 2020","updated_date":null,"tags":["C#","ASP.NET"],"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/813c7a5a008113481ac2c05836830d14/03979/antixss.png","srcSet":"/static/813c7a5a008113481ac2c05836830d14/f5f11/antixss.png 200w,\n/static/813c7a5a008113481ac2c05836830d14/6d133/antixss.png 400w,\n/static/813c7a5a008113481ac2c05836830d14/03979/antixss.png 800w,\n/static/813c7a5a008113481ac2c05836830d14/aca38/antixss.png 1200w,\n/static/813c7a5a008113481ac2c05836830d14/3741a/antixss.png 1600w,\n/static/813c7a5a008113481ac2c05836830d14/ca599/antixss.png 1920w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Hemant Manwani","github":"hemant404","bio":"Hemant Manwani is a Software Engineer at LoginRadius who is interested in how the web works and developer tools that make working with web easier.","avatar":null}}}},"pageContext":{"id":"ee1d95f0-3d9b-5563-adc3-96257e4b7b61","fields__slug":"/engineering/anti-xss-middleware-asp-core/","__params":{"fields__slug":"engineering"}}},"staticQueryHashes":["1171199041","1384082988","1711371485","1753898100","2100481360","229320306","23180105","528864852"]}