Web API request with Cross-site Scripting attack

  • Question

  • User-326437585 posted

    I have the below Web API request:

    {
      "type": "MVC_WEB_API",
      "status": "ONGOING",
      "description": "testing request <script> alert('hello) </script> testing again"
    }

    In the above request body, a script tag with an alert has been added to the description. (XSS case; it could be any script which may be a dangerous vulnerability for this request.)

    Will it be a kind of cross-site scripting vulnerability? Also, how can we prevent such an attack for a Web API request?

    Friday, November 15, 2019 3:43 AM

All replies

  • User61956409 posted

    Hi gadekarcomp,

    Does your API enable consumers to submit HTML content with scripts? You can try to encode the untrusted data that the user submitted.

    And this SO thread discussed a similar issue; you can refer to it.

    https://stackoverflow.com/questions/12618432/stopping-xss-when-using-webapi

    Besides, if possible, please clarify more about your scenario/requirement, so that we can understand it better.

    With Regards,

    Fei Han

    Monday, November 18, 2019 7:38 AM
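The encoding suggested in the reply above, as an added example that is not part of the original thread: a C# sketch that keeps the submitted description as plain data and HTML-encodes it only at the point where it is written into markup. `RequestDto`, `RenderRowUnsafe` and `RenderRowEncoded` are hypothetical names, and the request body is a constructed sample with the same shape as the one in the question.

```csharp
using System;
using System.Net;
using System.Text.Json;

// Hypothetical DTO mirroring the request body in the question.
public class RequestDto
{
    public string Type { get; set; }
    public string Status { get; set; }
    public string Description { get; set; }
}

public static class EncodingDemo
{
    // Vulnerable pattern: the untrusted value is concatenated into HTML as-is,
    // so any markup in the description becomes part of the page.
    public static string RenderRowUnsafe(RequestDto r) =>
        "<td>" + r.Description + "</td>";

    // Hardened pattern: encode for the HTML context at output time.
    // WebUtility.HtmlEncode turns characters such as <, >, &, " and '
    // into character references, so the browser shows them as text.
    public static string RenderRowEncoded(RequestDto r) =>
        "<td>" + WebUtility.HtmlEncode(r.Description) + "</td>";

    public static void Main()
    {
        // Constructed sample body, same shape as the request in the question.
        string body =
            "{\"type\":\"MVC_WEB_API\",\"status\":\"ONGOING\"," +
            "\"description\":\"testing request <script> alert('hello) </script> testing again\"}";

        var options = new JsonSerializerOptions { PropertyNameCaseInsensitive = true };
        RequestDto dto = JsonSerializer.Deserialize<RequestDto>(body, options);

        // The API stores and returns the value unchanged as JSON data;
        // encoding is applied by whatever code places it into an HTML page.
        Console.WriteLine("JSON response : " + JsonSerializer.Serialize(dto));
        Console.WriteLine("Unsafe HTML   : " + RenderRowUnsafe(dto));
        Console.WriteLine("Encoded HTML  : " + RenderRowEncoded(dto));
    }
}
```

Encoding at output rather than at storage keeps the stored value usable by non-HTML consumers and lets each consumer apply the encoding that matches its own context.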