
What’s the difference between IOSEC and the Microsoft Anti-Cross Site Scripting Library?

Users of IOSEC, our internal library for defending against cross-site scripting (XSS) attacks, may be wondering how it differs from the Microsoft Anti-Cross Site Scripting Library V1.0, available at http://www.microsoft.com/downloads/details.aspx?FamilyID=9A2B9C92-7AD9-496C-9A89-AF08DE2E5982&displaylang=en.

The IOSEC library currently implements encoding protection against XSS attacks conducted through vectors such as HTML, URLs, JavaScript, HTML attributes and Visual Basic Script. The Anti-Cross Site Scripting Library currently provides protection for a subset of those vectors. Here's the breakdown:

 

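| XSS Attack Vector   | IOSEC | Anti-Cross Site Scripting Library |
|---------------------|-------|-----------------------------------|
| Html                | X     | X                                 |
| URL                 | X     | X                                 |
| Html Attribute      | X     |                                   |
| JavaScript          | X     |                                   |
| Visual Basic Script | X     |                                   |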

 

 

In the 1.0 release of the Anti-Cross Site Scripting Library, only the code for HTML and URL encoding was provided. In the coming weeks we'll be porting the full capabilities of IOSEC, along with some safe .NET controls to use in web applications and some feedback from the community, to the Anti-Cross Site Scripting Library V1.5. Check back soon for that release!
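
The vectors in the table each need their own encoder, because both the significant characters and the escape syntax change with the output context. The sketch below is an added example, not code from IOSEC or the Anti-Cross Site Scripting Library: the type and method names are hypothetical, the allow-list approach and the sample input are assumptions of the example, and Visual Basic Script is left out.

```csharp
using System;
using System.Linq;
using System.Text;

// Added illustration: one allow-list encoder per output context.
// Type and method names are hypothetical, not the IOSEC or Anti-XSS API.
static class ContextEncoders
{
    // ASCII letters, digits and the listed extras pass through; everything else is escaped.
    static string Encode(string input, string extraSafe, Func<string, string> escape)
    {
        var sb = new StringBuilder();
        for (int i = 0; i < input.Length; i++)
        {
            char c = input[i];
            if (c < 128 && (char.IsLetterOrDigit(c) || extraSafe.IndexOf(c) >= 0))
                sb.Append(c);
            else if (char.IsSurrogatePair(input, i))
                sb.Append(escape(input.Substring(i++, 2)));   // keep the pair together
            else                                              // lone surrogate becomes U+FFFD
                sb.Append(escape(char.IsSurrogate(c) ? "\uFFFD" : c.ToString()));
        }
        return sb.ToString();
    }

    // Element content: a space is harmless between tags, so it is allowed.
    public static string Html(string s) =>
        Encode(s, " .,-_", u => "&#" + char.ConvertToUtf32(u, 0) + ";");

    // Attribute value: a space ends an unquoted value, so it is escaped too.
    public static string HtmlAttribute(string s) =>
        Encode(s, ".,-_", u => "&#" + char.ConvertToUtf32(u, 0) + ";");

    // URL component: percent-encode the UTF-8 bytes of each character.
    public static string Url(string s) =>
        Encode(s, ".-_", u => string.Concat(Encoding.UTF8.GetBytes(u).Select(b => "%" + b.ToString("X2"))));

    // JavaScript string literal: \uXXXX per UTF-16 unit, returned with its quotes.
    public static string JavaScript(string s) =>
        "'" + Encode(s, " .,-_", u => string.Concat(u.Select(ch => "\\u" + ((int)ch).ToString("X4")))) + "'";

    static void Main()
    {
        // Constructed sample value standing in for untrusted input.
        string name = "Tom & \"Jerry\" <tj@example.com>, 5 o'clock";
        Console.WriteLine("<p>" + Html(name) + "</p>");
        Console.WriteLine("<input value=" + HtmlAttribute(name) + ">");
        Console.WriteLine("<a href=\"/search?q=" + Url(name) + "\">find</a>");
        Console.WriteLine("<script>var n = " + JavaScript(name) + ";</script>");
    }
}
```

Each line of output carries the same value, but with the escape form that its context's parser treats as inert data.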

 

Thanks,

 

Kevin Lam

Senior Security Technologist

Application Consulting & Engineering (ACE) Team

Posted: Sunday, March 19, 2006 1:41 AM by ACE Team

Comments

Jason Haley said:

# March 19, 2006 7:57 AM

RSnake said:

Hi, I found this almost by accident. Do you have more information on exactly what this does? I'm an XSS researcher and would like any information you could provide. My email address is on my site.
# March 19, 2006 1:20 PM

Dan Sellers's WebLog said:

Recently, Microsoft released the latest update to Anti-Cross Site Scripting tool which is part of a bigger...
# March 19, 2006 4:09 PM

aleyush said:

Hello!

I have downloaded Microsoft Anti-Cross Site Scripting Library V1.0, and have a question.

As I could understand from the documentation, you suggest to use these functions instead of System.Web.HttpUtility methods.
But I just cannot imagine an attack that shall be prevented by using Anti-XSS library and shall not be prevented by using System.Web.HttpUtility methods!
Can you give an example? Why not using standard methods?
# April 14, 2006 9:57 AM

河端善博の .TEXT でウェブログ said:

Microsoft's first .NET library for XSS countermeasures (Microsoft Anti-Cross Site Scripting Library V1.0)
# May 17, 2006 4:14 AM

Moo がおすすめする Microsoft Visual Web Developer said:

[ASP.NET] Microsoft's first .NET library for XSS countermeasures (Microsoft Anti-Cross Site Scripting Library V1.0)
# May 18, 2006 1:15 AM

Moo がおすすめする Microsoft Visual Web Developer said:

[ASP.NET] Microsoft's first .NET library for XSS countermeasures (Microsoft Anti-Cross Site Scripting Library V1.0)
# May 24, 2006 10:26 PM

I may have joined the wrong side said:

The problem
Back when ASP.NET was first introduced, I had pretty high hopes that the new controls would...
# June 28, 2006 2:47 PM

I may have joined the wrong side said:

The problem Back when ASP.NET was first introduced, I had pretty high hopes that the new controls would

# December 9, 2007 8:11 AM