Cross-site scripting (XSS) attacks affect Web applications such as ASP.NET Web applications. If you permit unchecked input to be combined with HTML, namely HTML script, the results can be just as devastating as input that is combined with SQL statements. As a simple example, if you ask for a user name and echo the user name to a welcome page, an attacker can take advantage of the unchecked user name by entering a user name that contains HTML, client-side script, or a combination of both.
Create a sample application vulnerable to a cross-site scripting attack
The following steps explain how an ASP.NET Web application can be made to execute script contained in user input.
1. Run Visual Basic .NET, and create a new ASP.NET Web project named ScriptAttack.
2. Add a new WebForm named WelcomePage.Aspx to the project.
3. Rename WebForm1.Aspx to ScriptAttack.Aspx.
4. Add the following controls with their respective names (or IDs) to the ScriptAttack form. Lay out the form similar to the example that follows.
5. Double-click btnLogon, and add the following code:
Private Sub btnLogon_Click(ByVal sender As System.Object, _
ByVal e As System.EventArgs) _
Handles btnLogon.Click
Response.Redirect(Me.ResolveUrl("WelcomePage.Aspx" ) & _
"?UserName=" & txtUserName.Text)
End Sub
6. Open WelcomePage.Aspx, and place a label named lblWelcome at the top of the form. Set the lblWelcome.Text property to an empty string. Lay out the form as shown here:
7. Double-click WelcomePage, and add the following code to the Page_Load event:
Private Sub Page_Load(ByVal sender As System.Object, _
ByVal e As System.EventArgs) _
Handles MyBase.Load
'Put user code to initialize the page here
' The query-string value is written into the page unencoded.
lblWelcome.Text = "Hello, " & Request.QueryString("UserName")
End Sub
8. Press F5 to run the application.
9. Enter your name for the user name, and click Logon. You will be greeted by a page that reads "Hello," followed by your name. Everything should work as expected. You should see the welcome screen as shown here:
10. Click the Back button on your Web browser, and attack the application as a hacker would. Enter the following user name:
<SCRIPT LANGUAGE="VBScript">MsgBox "I'm executing script I didn't intend to run"</SCRIPT>
11. Click the Logon button.
You’ll be greeted with one of two different responses, depending on what version of Visual Basic .NET you’re running. If you’re running Visual Basic .NET 2002, you’ll see a message box that reads “I’m executing script I didn’t intend to run,” as shown in the first illustration below. If you’re running Visual Basic .NET 2003, you’ll see an error message that reads “A potentially dangerous Request.Form value was detected from the client…” as shown in the second illustration below.
As you can see, Visual Basic .NET 2003 automatically protects your application from cross-site scripting attacks.
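As an added example (not code from the original post), here are hardened versions of the two handlers above: the redirect URL-encodes the user name before building the query string, and the welcome page HTML-encodes it before writing it into lblWelcome, so the script entered in step 10 is displayed as text instead of executed. It assumes the same control names as the exercise (txtUserName, btnLogon, lblWelcome) and the System.Web assembly that every ASP.NET project references.

```vbnet
Imports System
Imports System.Web
Imports System.Web.UI
Imports System.Web.UI.WebControls

' ScriptAttack.Aspx code-behind (hardened). Control names match the exercise.
Public Class ScriptAttack
    Inherits Page

    Protected WithEvents txtUserName As TextBox
    Protected WithEvents btnLogon As Button

    Private Sub btnLogon_Click(ByVal sender As Object, ByVal e As EventArgs) _
            Handles btnLogon.Click
        ' URL-encode the value so characters such as & # ? cannot alter the
        ' query string; the original code concatenated the raw text.
        Dim encodedName As String = HttpUtility.UrlEncode(txtUserName.Text)
        Response.Redirect(Me.ResolveUrl("WelcomePage.Aspx") & "?UserName=" & encodedName)
    End Sub
End Class

' WelcomePage.Aspx code-behind (hardened).
Public Class WelcomePage
    Inherits Page

    Protected WithEvents lblWelcome As Label

    ' Builds the greeting with the user name HTML-encoded. Kept as a separate
    ' function so it can be exercised outside the page life cycle.
    Public Shared Function BuildGreeting(ByVal userName As String) As String
        If userName Is Nothing Then userName = ""
        ' HtmlEncode turns < > & " into &lt; &gt; &amp; &quot;, so the browser
        ' renders the SCRIPT tag from step 10 as literal text.
        Return "Hello, " & HttpUtility.HtmlEncode(userName)
    End Function

    Private Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) _
            Handles MyBase.Load
        ' Request.QueryString undoes the URL encoding applied by the redirect,
        ' so the value here is the raw user name; encode it for HTML output.
        lblWelcome.Text = BuildGreeting(Request.QueryString("UserName"))
    End Sub
End Class
```

The same rule applies to any untrusted value written into a page: encode for the context it lands in (URL, HTML, attribute) rather than relying only on request validation.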