Web applications that send and receive data (such as SIF Agents and Zone Integration Servers) have the potential to be attacked using a method called cross-site scripting (or XSS). XSS enables an attacker to embed scripts into the receiving pages of the web application and cause unwanted actions to occur in the sending application (or computer). In the recent past, these breaches accounted for more than 80% of all security vulnerabilities.
To avoid such attacks, sending applications (SIF Agents in our case) should follow these guidelines when preparing the data to be sent in their POST strings:
Make sure that the XML message is HTML encoded (this makes replacements such as changing "<" to "&lt;", etc.). Most programming environments have built-in libraries that make this simple; in .NET, the HtmlEncode method of the HttpUtility and HttpServerUtility classes performs this function.
Make sure that any URLs in elements of the message are URL encoded (these might appear in SchoolInfo, in the school's Website URL element, or in the StudentPicture object). In .NET, the UrlEncode method of the HttpUtility and HttpServerUtility classes performs this function.
If any element contains HTML (such as a description), make sure that the HTML does not include anything that would be read as valid XML markup.
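The three guidelines above, as an added, runnable Python example that is not code from the original page or from any SIF product: html.escape, urllib.parse.quote and xml.sax.saxutils.escape stand in for the .NET HtmlEncode and UrlEncode methods, and the RefId, URL, description and element names are constructed sample values, not a SIF schema excerpt.

```python
import html
import xml.etree.ElementTree as ET
from urllib.parse import quote
from xml.sax.saxutils import escape, quoteattr

# Constructed sample values; the element names are illustrative, not a SIF schema excerpt.
SAMPLE_REFID = "D3E34B359D75101A8C3D00AA001A1652"
SAMPLE_URL = "https://www.example.org/school?name=Lincoln High & Tech"
SAMPLE_DESCRIPTION_HTML = "<p>Lincoln <b>High</b> & Tech</p>"

def build_school_info(refid, name, website_url, description_html):
    """Agent side: build the object, applying the URL and HTML guidelines per element."""
    # URL guideline: percent-encode the URL; safe="" mirrors .NET UrlEncode, which
    # also encodes ':' and '/'.
    encoded_url = quote(website_url, safe="")
    # HTML-in-element guideline: tags and '&' become character data, not XML markup.
    escaped_description = escape(description_html)
    return (
        f"<SchoolInfo RefId={quoteattr(refid)}>"
        f"<SchoolName>{escape(name)}</SchoolName>"
        f"<SchoolURL>{encoded_url}</SchoolURL>"
        f"<Description>{escaped_description}</Description>"
        "</SchoolInfo>"
    )

def prepare_post_body(xml_message):
    """Whole-message guideline: HTML encode the XML before it goes into the POST body."""
    return html.escape(xml_message, quote=True)

def contains_raw_markup(post_body):
    """Sending-side self-check: a correctly encoded body has no literal '<' or '>'."""
    return "<" in post_body or ">" in post_body

def receive_post_body(post_body):
    """ZIS side: undo the HTML encoding, then parse the XML."""
    xml_message = html.unescape(post_body)
    return xml_message, ET.fromstring(xml_message)

def demo():
    """Round-trip the sample object through the agent and ZIS sides."""
    xml_message = build_school_info(SAMPLE_REFID, "Lincoln High & Tech",
                                    SAMPLE_URL, SAMPLE_DESCRIPTION_HTML)
    body = prepare_post_body(xml_message)
    recovered, root = receive_post_body(body)
    return {
        "body_has_raw_markup": contains_raw_markup(body),
        "round_trip_ok": recovered == xml_message,
        "url_text": root.findtext("SchoolURL"),
        "description_text": root.findtext("Description"),
    }
```

Because the HTML inside the description is escaped before the whole message is HTML encoded, the receiver's XML parser returns the original HTML as text rather than interpreting it as markup.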
In Microsoft .NET 4.0 (which the ZIS uses), Microsoft added a layer of protection that guards against XSS attacks. After IIS receives an incoming message and before .NET raises the application's BeginRequest event, the framework checks for any of the signs that would indicate a cross-site scripting attack. If it finds any, it logs an event in the system error log and discards the message.
From the ZIS's perspective, it never receives the inbound message.