Silverlight: Avoiding Cross-Site Scripting Attacks

Cross-site scripting (XSS) describes a vulnerability typically found in Web applications. If steps are not taken to prevent this type of vulnerability, an attacker can inject code (typically JavaScript) into Web pages hosted on different domains. For more information about XSS and other kinds of client vulnerabilities, see Client-side Cross-domain Security. For Silverlight, XSS issues are possible, but less likely than in traditional HTML development. However, an exploited cross-site scripting vulnerability can give the attacker access to any cookies, isolated storage, and authentication data that the browser would normally only give to a legitimate client.

In Silverlight, XSS issues typically occur when attacker-controlled strings are inserted into markup without first validating or escaping the attacker-controlled string.

The following is a list of scenarios in which you need to be careful not to expose an XSS vulnerability. Many of the mitigations listed are called out in other sections of this document. However, it is important that you also understand these vulnerabilities in the context of XSS issues.

  1. Loading untrusted XAML with the XamlReader.Load method. You should never load a string or partial string from an unknown user. For more information, see Using XamlReader.Load.
  2. Setting the Xaml property on the RichTextBox control to an attacker-provided string.
  3. Loading an untrusted assembly with the Assembly.Load method.
  4. Creating XML by combining strings. For example, you might do this to create XML to send to a REST service. Use the XmlWriter and XElement classes to create more secure XML. For more information, see Security Considerations (XML Data in Silverlight).
  5. Using Silverlight to create HTML with the classes provided by the System.Windows.Browser namespace, or allowing untrusted access from the Silverlight plug-in to the hosting page. For more information, see the Settings.EnableHTMLAccess property.
  6. Using Silverlight to display attacker-provided HTML with the WebBrowser.NavigateToString method. You can do this only in an out-of-browser application (Silverlight 4 and later).
  7. Hosting an attacker’s XAP file from your Web server, perhaps by allowing user uploads.
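As an added illustration of scenario 4 (this is example code, not from the original post), the following C# snippet contrasts building an XML request by string concatenation with building it through XElement and XmlWriter, which treat the user-supplied value as text and escape it. The request shape (`<search><term>`) and the sample input are constructed for the example.

```csharp
using System;
using System.Text;
using System.Xml;
using System.Xml.Linq;

// Hypothetical search request for a REST service; "term" is user-controlled.
static class XmlRequestBuilder
{
    // Vulnerable: the user's string is pasted straight into the markup, so any
    // '<', '>' or '&' in it becomes part of the document structure instead of text.
    public static string BuildByConcatenation(string term)
    {
        return "<search><term>" + term + "</term></search>";
    }

    // Safe: XElement stores the value as a text node and escapes it on serialization.
    public static string BuildWithXElement(string term)
    {
        var doc = new XElement("search", new XElement("term", term));
        return doc.ToString(SaveOptions.DisableFormatting);
    }

    // Safe: XmlWriter escapes element content (and attribute values) as it writes.
    public static string BuildWithXmlWriter(string term)
    {
        var sb = new StringBuilder();
        var settings = new XmlWriterSettings { OmitXmlDeclaration = true };
        using (var writer = XmlWriter.Create(sb, settings))
        {
            writer.WriteStartElement("search");
            writer.WriteElementString("term", term);
            writer.WriteEndElement();
        }
        return sb.ToString();
    }

    // Constructed input containing markup characters; compare the three outputs.
    static void Main()
    {
        string untrusted = "</term><other/><term>";
        Console.WriteLine(BuildByConcatenation(untrusted)); // structure changed
        Console.WriteLine(BuildWithXElement(untrusted));    // characters escaped
        Console.WriteLine(BuildWithXmlWriter(untrusted));   // characters escaped
    }
}
```

The Main driver uses Console for a plain .NET run; in a Silverlight project only the three builder methods apply.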
