JavaScript Injection in MVC
February 11, 2010
I set up a Hello World project based on the webcast found here. I set up a model, a controller, and a view and tried to run a simple JavaScript injection to see if I could replicate the error. However, I could not get the attack to work because MVC layers on protection out of the box.
This is great – but in the name of understanding, I started rolling back the protections to get my attack to work. I first thought I had to add a ValidateRequest = false in my page and web.config, just as the error page directed. I added this
<%@ Page Title="" ValidateRequest="false" Language="C#" …
to the page but I got the same Server Error. I checked the web.config and found that the ValidateRequest is already off for the pages
<add verb="*" path="*.mvc" validate="false"
I then realized that I needed to disable validation on the controller like this.
[ValidateInput(false)]
public class CommentsController : Controller
That got me closer – I would then enter in tags and the data was persisting to the database:
A quick glance at the auto-generated code in the View told me that the Html.Encode is applied out of the box – which protects you from the script running (< is &lt;, etc…)
<%= Html.Encode(Model.CommentDesc) %>
Once I removed the encode statement, I got closer to the desired attack – the JavaScript was running on my page from the data in the database – however, the closing tag was not rendered so I got this error:
And the offending code looked like this:
I am at a high enough wall to stop this endeavor for now. Suffice to say, with the out of the box features of MVC, sites should be reasonably protected from JavaScript injections.
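The two layers rolled back above (input validation on the controller, then Html.Encode in the view) can be seen side by side in the console sketch below. It is an added example, not code from the original project. LooksDangerous is a hypothetical, simplified stand-in for the request validation that [ValidateInput(false)] turns off, and WebUtility.HtmlEncode stands in for Html.Encode so the code runs outside a web project. The sample comments are constructed.

```csharp
using System;
using System.Net;

// Added illustration, not the post's project code.
static class LayeredXssDefense
{
    // Layer 1 (assumption: simplified approximation of request validation):
    // flag '<' followed by a letter, '!', '/' or '?', and the sequence "&#".
    static bool LooksDangerous(string input)
    {
        for (int i = 0; i + 1 < input.Length; i++)
        {
            char c = input[i], next = input[i + 1];
            if (c == '<' && (char.IsLetter(next) || next == '!' || next == '/' || next == '?'))
                return true;
            if (c == '&' && next == '#')
                return true;
        }
        return false;
    }

    // Layer 2: the effect of <%= Html.Encode(Model.CommentDesc) %> at render time.
    static string RenderEncoded(string commentDesc) =>
        "<p>" + WebUtility.HtmlEncode(commentDesc) + "</p>";

    // The view with the Encode call removed: stored text is emitted as markup.
    static string RenderRaw(string commentDesc) => "<p>" + commentDesc + "</p>";

    static void Main()
    {
        // Constructed sample comments.
        string[] comments =
        {
            "Nice post, thanks!",
            "if a < b then swap",           // '<' followed by a space passes validation
            "<script>alert(1)</script>",    // rejected by validation, neutralised by encoding
        };

        foreach (string comment in comments)
        {
            Console.WriteLine("input    : " + comment);
            Console.WriteLine("validator: " + (LooksDangerous(comment) ? "rejected" : "accepted"));
            Console.WriteLine("encoded  : " + RenderEncoded(comment));
            Console.WriteLine("raw      : " + RenderRaw(comment));
            Console.WriteLine();
        }
    }
}
```

With validation disabled on a controller, the encoded render path is the only one of these two checks still standing between stored input and the browser, so any view that writes model data without encoding is worth flagging in review.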