Translate This Page
Common Tasks
Search Form
Tag Cloud
Monthly Archives
Archives

What’s the difference between IOSEC and the Microsoft Anti-Cross Site Scripting Library?

MSDN Blogs > ACE Team - Security, Performance & Privacy > What’s the difference between IOSEC and the Microsoft Anti-Cross Site Scripting Library?

What’s the difference between IOSEC and the Microsoft Anti-Cross Site Scripting Library?

19 Mar 2006 4:41 AM
  • Comments 9

Some users who have been using IOSEC, our internal library for defending against cross-site scripting (XSS) attacks, may be wondering what’s the difference between that library and the Microsoft Anti-Cross Site Scripting Library V1.0 at http://www.microsoft.com/downloads/details.aspx?FamilyID=9A2B9C92-7AD9-496C-9A89-AF08DE2E5982&displaylang=en.  

The IOSEC library currently implements encoding protection against XSS attacks conducted through vectors such as HTML, URLs, JavaScript, HtmlAttributes and Visual Basic Script.  The Anti-Cross Site Scripting Library currently provides protection for a subset of those vectors.  Here’s the break down:

 

XSS Attack Vector

IOSEC

Anti-Cross Site Scripting Library

Html

X

X

URL

X

X

Html Attribute

X

 

JavaScript

X

 

Visual Basic Script

X

 

 

In the 1.0 release of the Anti-Cross Site Scripting Library, only the code to do html and url encoding was provided.  In the coming weeks we’ll be porting the full capabilities of IOSEC, some safe .NET controls to use in web applications plus some feedback from the community to the Anti-Cross Site Scripting Library V1.5.  Check back soon for that release! 

 

Thanks,

 

Kevin Lam

Senior Security Technologist

Application Consulting & Engineering (ACE) Team

,
Comments
  • Jason Haley
    19 Mar 2006 7:57 AM
  • RSnake
    19 Mar 2006 1:20 PM
    Hi, I'm found this almost by accident.  Do you have more information on exactly what this does?  I'm an XSS researcher and would like any information you could provide.  My email address is on my site.
  • Dan Sellers's WebLog
    19 Mar 2006 4:09 PM
    Recently, Microsoft released the latest update to Anti-Cross Site Scripting tool which is part of a bigger...
  • aleyush
    14 Apr 2006 9:57 AM
    Hello!

    I have downloaded Microsoft Anti-Cross Site Scripting Library V1.0, and have a question.

    As I could understand from the documentation, you suggest to use these functions instead of System.Web.HttpUtility methods.
    But I just cannot imagine an attack that shall be prevented by using Anti-XSS library and shall not be prevented by using System.Web.HttpUtility methods!
    Can you give an example? Why not using standard methods?
  • 河端善博の .TEXT でウェブログ
    17 May 2006 4:14 AM
    Microsoft の XSS 対策用 .NET ライブラリ第一弾 (Microsoft Anti-Cross Site Scripting Library V1.0)
  • Moo がおすすめする Microsoft Visual Web Developer
    18 May 2006 1:15 AM
    [ASP.NET]Microsoft の XSS 対策用 .NET ライブラリ第一弾 (Microsoft Anti-Cross Site Scripting Library V1.0)
  • Moo がおすすめする Microsoft Visual Web Developer
    24 May 2006 10:26 PM
    [ASP.NET]Microsoft の XSS 対策用 .NET ライブラリ第一弾 (Microsoft Anti-Cross Site Scripting Library V1.0)
  • I may have joined the wrong side
    28 Jun 2006 2:47 PM
    The problem
    Back when ASP.NET was first introduced, I had pretty high hopes that the new controls would...
  • I may have joined the wrong side
    9 Dec 2007 8:11 AM

    The problem Back when ASP.NET was first introduced, I had pretty high hopes that the new controls would

Page 1 of 1 (9 items)