I have a controller which accepts
```csharp
public class MyModel
{
    [MaxLength(400)]
    public string Message { get; set; }
}
```
I have a WebApi Post Acti
Try to mitigate damage. Use antiforgery tokens, ensure that you only accept SSL for certain actions. Ensure that cookies are appropriately secured. Overall, minimize the attack surface and put up roadblocks to make it harder.
Parametrize user input; if you can't parametrize, encode, but be very careful with encoding: many, many exploits have been caused by improper encoding. Encoding also depends upon where and how the input is going to be used. Constrain and validate user input, ensure that the server only accepts certain domains of input. And as before, understand all the ways the input is going to be used.
Ensure that you got an OK status from the web server. If you didn't, handle each response appropriately. Generally jquery.ajax gives you the option to handle all the responses with done, fail, always, and statusCode; reference the jQuery documentation about how to do this properly.
Utilize the @Html.AntiForgeryToken() in your forms and its corresponding [ValidateAntiForgeryTokenAttribute] attribute to decorate your classes and/or methods.
Handle input from the user correctly. Everywhere that data is touched, the context needs to be considered: whether it needs to be encoded or parametrized, or otherwise validated, constrained or modified.
Handle the responses from the web server correctly.
```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Helpers;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false, Inherited = true)]
public sealed class ValidateAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
    public Task<HttpResponseMessage> ExecuteAuthorizationFilterAsync(HttpActionContext actionContext, CancellationToken cancellationToken, Func<Task<HttpResponseMessage>> continuation)
    {
        try
        {
            // Compares the __RequestVerificationToken form field with the antiforgery cookie of the
            // current HttpContext and throws HttpAntiForgeryException when they do not match.
            // Note: this reads HttpContext.Current, so it only works when Web API is hosted in System.Web (IIS), not self-hosted.
            AntiForgery.Validate();
        }
        catch
        {
            // Short-circuit the pipeline: the action never runs and the caller receives 403.
            actionContext.Response = new HttpResponseMessage
            {
                StatusCode = HttpStatusCode.Forbidden,
                RequestMessage = actionContext.ControllerContext.Request
            };
            return FromResult(actionContext.Response);
        }
        return continuation();
    }

    // Wraps an already-built response in a completed task so the filter signature is satisfied.
    private Task<HttpResponseMessage> FromResult(HttpResponseMessage result)
    {
        var source = new TaskCompletionSource<HttpResponseMessage>();
        source.SetResult(result);
        return source.Task;
    }
}
```
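An added example, not from the question or the answer above, showing how the three points fit together on the Post action the question describes: the action carries the ValidateAntiForgeryTokenAttribute from the answer, enforces the model's [MaxLength(400)] constraint server-side, and returns distinct status codes (403, 400, 200) that a jquery.ajax caller can branch on with fail/statusCode. The controller name, the added [Required] annotation and the response body are assumptions.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Http;

public class MyModel
{
    // Same constraint as the question's model; [Required] is added here so a
    // missing Message is rejected instead of producing a null reference below.
    [Required, MaxLength(400)]
    public string Message { get; set; }
}

// Hypothetical controller name, chosen for the example.
public class MessagesController : ApiController
{
    // ValidateAntiForgeryToken is the Web API filter defined in the answer:
    // a request without a matching token/cookie pair gets 403 before this runs.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IHttpActionResult Post(MyModel model)
    {
        // A null body (e.g. wrong Content-Type) or a failed [Required]/[MaxLength]
        // check ends up here; answer 400 with the validation errors so the
        // client's fail()/statusCode handlers can react to it.
        if (model == null || !ModelState.IsValid)
        {
            return BadRequest(ModelState);
        }

        // The value is treated as data only. Encoding belongs where it is rendered
        // (HTML, JavaScript, SQL parameter), not here, to avoid double-encoding later.
        return Ok(new { length = model.Message.Length });
    }
}
```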