Wednesday 23 August 2017

Handling Razor Scripting Attack And SQL Injection In MVC

Most attacks on web sites arrive through text input controls: script injection through the values a user types, and SQL injection through the insert, update and delete queries that are built from those values.

Anything can be entered by the user into an input field. For example, a user can type script tags directly into a text control; that script runs when the stored data is rendered back onto a page, and it can break the web site. Through SQL injection, confidential data can be stolen by attackers.

By default an ASP.NET MVC Razor site does not allow HTML tags such as “<div>”, “<a>” or “<b>” in input controls. If the user enters those tags in a multiline text input, request validation throws an exception. But in a multiline text control the user may legitimately submit rich text, i.e. HTML, and that data needs to be captured.

In this case we need to allow HTML in the text area control, but the malicious parts of it must be restricted or removed.

In earlier days we normally used the Replace() function to strip dangerous tags such as “<script>” and “</script>”. To do that we had to call Replace() separately for every harmful tag, which is tedious and easy to get wrong.

In ASP.NET MVC the AntiXSS library is available as a Visual Studio NuGet package. It is used here to strip unsafe markup such as script tags, and any SQL query text, from the user input.

SQL injection is avoided by using LINQ to SQL, which passes values as SqlParameters.

This article explains how to eliminate malicious data in a few simple steps with little code, and how to implement LINQ to SQL to avoid SQL injection.

Create ASP.Net MVC Web application.

Select Empty Project Template.


Create a model class for the Create record. Scaffolding is used to generate the controller and the views for creating and editing records.

Model Class:

using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;   // provides [AllowHtml]

public class UserData
{
    [Key]
    public int UID { get; set; }
    public string Name { get; set; }
    [AllowHtml]                           // accept HTML in this one property only
    [DataType(DataType.MultilineText)]    // render the editor as a text area
    public string Description { get; set; }
}

To get a multiline text input, we need to specify the attribute below on the “Description” property.

[DataType(DataType.MultilineText)]

In a multiline text input the user may submit rich text, so we need to add the AllowHtml attribute below to the model class; otherwise request validation throws a server exception.

[AllowHtml]

We also need to add ValidateInput(false) to the controller actions for the Create and Edit functions.

// requires: using Microsoft.Security.Application;  (AntiXSS NuGet package)
[HttpPost]
[ValidateInput(false)]
public ActionResult Create(UserAdmin useradmin)
{
    if (ModelState.IsValid)
    {
        // Strip script and other unsafe markup before the value reaches the database.
        useradmin.LongDesc = Sanitizer.GetSafeHtmlFragment(useradmin.LongDesc);
        db.UserAdminDbContext.Add(useradmin);
        db.SaveChanges();
        return RedirectToAction("Index");
    }
    return View(useradmin);
}

To remove the harmful data we need to add the library from NuGet Packages and convert the input into safe HTML using the method below.

Sanitizer.GetSafeHtmlFragment(useradmin.LongDesc);

In the long description I have entered a script tag along with the text “Name” in the Create view.


The above code removed the script tag and stored only the Text “Name” in the database.
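The following console check is an added example, not code from the article or from Aegis Softtech. It feeds a few constructed rich-text inputs through the same AntiXSS call the controller uses (Sanitizer.GetSafeHtmlFragment, from the Microsoft.Security.Application namespace of the AntiXSS NuGet package) and reports what survives, so you can see that formatting is kept while script elements and event-handler attributes are dropped. The class and method names are mine.

```csharp
// Added example: what the AntiXSS sanitizer keeps and what it strips.
// Assumes the AntiXSS NuGet package is referenced (Microsoft.Security.Application).
using System;
using Microsoft.Security.Application;

public static class RichTextSanitizerDemo
{
    // Constructed sample inputs, the kind of thing a user might paste into the Description text area.
    private static readonly string[] Samples =
    {
        "<b>Name</b>",                                                 // harmless formatting: kept
        "Name<script>alert(1)</script>",                               // script element: removed
        "<a href=\"http://example.com\" onclick=\"run()\">link</a>",   // event-handler attribute: removed
        "<img src=\"x\" onerror=\"run()\">",                           // event-handler attribute: removed
    };

    // Wraps the sanitizer call so the result can be inspected or unit-tested.
    public static string Clean(string input)
    {
        if (string.IsNullOrEmpty(input)) return string.Empty;
        return Sanitizer.GetSafeHtmlFragment(input);
    }

    // Defender's check: nothing that can execute script should survive sanitisation.
    public static bool LooksSafe(string sanitized)
    {
        var lower = sanitized.ToLowerInvariant();
        return !lower.Contains("<script")
            && !lower.Contains("onclick=")
            && !lower.Contains("onerror=");
    }

    public static void Main()
    {
        foreach (var sample in Samples)
        {
            var cleaned = Clean(sample);
            Console.WriteLine("in : {0}", sample);
            Console.WriteLine("out: {0}  (safe: {1})", cleaned, LooksSafe(cleaned));
            Console.WriteLine();
        }
    }
}
```

Two points a practitioner should keep in mind. First, [AllowHtml] on the single rich-text property is enough to let that field through request validation; [ValidateInput(false)] on the action switches validation off for every field of that request, so prefer the property-level attribute where you can. Second, sanitising on input does not replace output encoding: render the sanitised field with Html.Raw only because it has been through the sanitizer, and leave every other field to Razor's default encoding.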


LINQ to SQL is used to avoid SQL injection in ASP.NET MVC. The query below inserts the user data into the database.

public void InsertUserData(UserDataModel udata)
{
    var UD = new UserData()
    {
        UserID = udata.UserID,
        LongDesc = udata.LongDesc
    };
    // LINQ to SQL sends the values as parameters; they are never pasted into the SQL text.
    _dataContext.UsersData.InsertOnSubmit(UD);
    _dataContext.SubmitChanges();
}
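The article states that LINQ to SQL avoids injection because values travel as SqlParameters. The block below is an added example, not the article's or Aegis Softtech's code, that shows the same lookup written three ways: string concatenation (the vulnerable pattern), an explicit parameterised SqlCommand, and a LINQ to SQL query whose generated SQL you can watch through DataContext.Log. The UsersData table mapping, the AppDataContext class and the connection string are assumptions made for the example.

```csharp
// Added example: the same lookup written unsafely, with explicit parameters, and with LINQ to SQL.
// Assumes a UsersData table with columns UserID, Name, LongDesc (hypothetical mapping).
using System;
using System.Data;
using System.Data.Linq;
using System.Data.Linq.Mapping;
using System.Data.SqlClient;
using System.Linq;

[Table(Name = "UsersData")]
public class UserData
{
    [Column(IsPrimaryKey = true, IsDbGenerated = true)]
    public int UserID { get; set; }

    [Column]
    public string Name { get; set; }

    [Column]
    public string LongDesc { get; set; }
}

// Hypothetical LINQ to SQL data context for the example.
public class AppDataContext : DataContext
{
    public AppDataContext(string connectionString) : base(connectionString) { }

    public Table<UserData> UsersData
    {
        get { return GetTable<UserData>(); }
    }
}

public static class UserLookup
{
    // 1. Vulnerable: the user's text becomes part of the SQL grammar. Even a
    //    legitimate name such as O'Brien ends the string literal early and
    //    breaks the statement; hostile input can change what the statement does.
    public static string BuildUnsafeSql(string name)
    {
        return "SELECT UserID, Name, LongDesc FROM UsersData WHERE Name = '" + name + "'";
    }

    // 2. Parameterised ADO.NET: the text is sent as a typed value, never as SQL.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string name)
    {
        var cmd = new SqlCommand(
            "SELECT UserID, Name, LongDesc FROM UsersData WHERE Name = @name", conn);
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        return cmd;
    }

    // 3. LINQ to SQL: the provider emits the parameterised form (@p0) for you.
    public static UserData FindByName(AppDataContext db, string name)
    {
        return db.UsersData.SingleOrDefault(u => u.Name == name);
    }

    public static void Main()
    {
        var name = "O'Brien";   // constructed sample input with an embedded quote

        // Show the broken statement the concatenated version would send.
        Console.WriteLine(BuildUnsafeSql(name));

        // Assumed local connection string for the example.
        using (var db = new AppDataContext("Data Source=.;Initial Catalog=Demo;Integrated Security=True"))
        {
            db.Log = Console.Out;   // echoes the parameterised SQL that LINQ to SQL actually sends
            var user = FindByName(db, name);
            Console.WriteLine(user == null ? "no match" : user.LongDesc);
        }
    }
}
```

The protection comes from the parameterisation, not from LINQ itself: a query built with string.Format and executed through DataContext.ExecuteQuery is just as exposed as the concatenated version. Keep user-supplied values in lambda expressions or in SqlParameter objects, and review any place in the code base that assembles SQL text by hand.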

Conclusion

This article was written by ASP.NET MVC developers at Aegis Softtech. Here MVC experts explain how to avoid script attacks and SQL injection in an MVC web site in easy steps.

  1. Script attack will be eliminated by Safe Html Fragment.
  2. SQL Injection will be removed by using Linq to SQL in the model class for Insert and Edit Actions.


Vijay is a compulsive blogger who likes to educate like-minded people on various new technologies and trends. He works with Aegis SoftTech as a software developer and has been developing software for years. Stay Connected to him on Facebook and Google+.