Cross-Site Scripting Protection

Protection Module: CrossSiteScripting

Prevents Cross-Site Scripting (XSS) attacks through input validation and output encoding.

Available for:

  • ASP.NET Core
  • ASP.NET Framework
  • Blazor Server

How It Works

XSS Protection validates user input and ensures proper output encoding to prevent malicious script injection.

Detection Methods:

  • Script Tag Detection - Identifies <script> tags
  • Event Handler Detection - Detects onclick, onerror, etc.
  • JavaScript URL Detection - Identifies javascript: URLs
  • Data URL Analysis - Detects malicious data URLs
  • HTML Entity Encoding Bypass - Identifies encoding evasion
  • DOM-based XSS Patterns - Client-side injection detection

Attack Types Detected:

  • Stored XSS (persistent)
  • Reflected XSS
  • DOM-based XSS
  • Mutation XSS (mXSS)

Configuration

JSON
{
  "protections": {
    "CrossSiteScripting": {
      "enabled": true,
      "action": "block"
    }
  }
}

ASP.NET Core

C#
builder.Services.AddBytehideMonitor(monitor => monitor
    .WithProtection(ProtectionModuleType.CrossSiteScripting, ActionType.Block)
);

Attack Examples

Stored XSS

HTML
<!-- Input: <script>alert('XSS')</script> -->
<!-- Status: BLOCKED -->

Reflected XSS

HTML
<!-- URL: /search?q=<img src=x onerror=alert('XSS')> -->
<!-- Status: BLOCKED -->

Event Handler Injection

HTML
<!-- Input: <div onmouseover="alert('XSS')">Hover me</div> -->
<!-- Status: BLOCKED -->
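As an added illustration of the detection methods listed under "How It Works" and of the three attack examples above (this is not ByteHide's code; the class names, the regexes and the sample inputs are assumptions made for the example), the following console program runs a small input-validation pass over the page's three inputs, an entity-encoded copy of the first one, and a benign search term, and then shows the output-encoding step that untrusted text still goes through even when it passes validation.

```csharp
// Added example, not part of the ByteHide Monitor library.
// Mirrors the detection categories named on the page with simple patterns,
// normalising the input first so entity/URL-encoded variants are matched too.
using System;
using System.Net;
using System.Text.Encodings.Web;
using System.Text.RegularExpressions;

public static class XssInputCheck
{
    // One pattern per detection category (assumed patterns, kept deliberately simple).
    // The event-handler rule only fires inside a tag, to avoid flagging plain words like "once=".
    private static readonly (string Category, Regex Pattern)[] Rules =
    {
        ("Script Tag",     new Regex(@"<\s*script\b", RegexOptions.IgnoreCase | RegexOptions.Compiled)),
        ("Event Handler",  new Regex(@"<[^>]*\s+on[a-z]+\s*=", RegexOptions.IgnoreCase | RegexOptions.Compiled)),
        ("JavaScript URL", new Regex(@"javascript\s*:", RegexOptions.IgnoreCase | RegexOptions.Compiled)),
        ("Data URL",       new Regex(@"data\s*:\s*text/html", RegexOptions.IgnoreCase | RegexOptions.Compiled)),
    };

    // Normalise before matching: undo URL escapes and HTML entities, drop NUL bytes.
    // This is the step that defeats the "HTML Entity Encoding Bypass" category.
    public static string Normalise(string input)
    {
        string s = WebUtility.UrlDecode(input);
        s = WebUtility.HtmlDecode(s);
        return s.Replace("\0", string.Empty);
    }

    // Returns the first matching category, or null when no rule fires.
    public static string Detect(string input)
    {
        string s = Normalise(input);
        foreach (var (category, pattern) in Rules)
        {
            if (pattern.IsMatch(s)) return category;
        }
        return null;
    }

    // Output encoding: applied to anything rendered into HTML, whether or not it was flagged.
    public static string EncodeForHtml(string value) => HtmlEncoder.Default.Encode(value);
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample inputs: the page's three examples, an entity-encoded
        // copy of the first, and a benign string that should pass.
        string[] samples =
        {
            "<script>alert('XSS')</script>",
            "<img src=x onerror=alert('XSS')>",
            "<div onmouseover=\"alert('XSS')\">Hover me</div>",
            "&lt;script&gt;alert('XSS')&lt;/script&gt;",
            "hover me please",
        };

        foreach (string s in samples)
        {
            string hit = XssInputCheck.Detect(s);
            string status = hit == null ? "ALLOWED" : $"BLOCKED ({hit})";
            Console.WriteLine($"{status,-26} {s}");
        }

        // Input that passed validation is still encoded before it reaches a page.
        Console.WriteLine(XssInputCheck.EncodeForHtml("hover me <b>please</b>"));
        // prints: hover me &lt;b&gt;please&lt;/b&gt;
    }
}
```

The first three samples are reported as BLOCKED with the category the page lists for them (Script Tag, Event Handler, Event Handler); the entity-encoded fourth sample is caught only because `Normalise` decodes it before matching. Pattern matching of this kind does not cover mutation XSS, which depends on how a browser's parser rewrites markup; that is why the page pairs input validation with output encoding rather than relying on either alone.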

Platform Compatibility

Platform             Support
ASP.NET Core         Supported
ASP.NET Framework    Supported
Blazor Server        Supported

See also: Actions (configure responses)
