What’s the difference between IOSEC and the Microsoft Anti-Cross Site Scripting Library?

What’s the difference between IOSEC and the Microsoft Anti-Cross Site Scripting Library?

  • Comments 9

Some users who have been using IOSEC, our internal library for defending against cross-site scripting (XSS) attacks, may be wondering what’s the difference between that library and the Microsoft Anti-Cross Site Scripting Library V1.0 at http://www.microsoft.com/downloads/details.aspx?FamilyID=9A2B9C92-7AD9-496C-9A89-AF08DE2E5982&displaylang=en.  

The IOSEC library currently implements encoding protection against XSS attacks conducted through vectors such as HTML, URLs, JavaScript, HtmlAttributes and Visual Basic Script.  The Anti-Cross Site Scripting Library currently provides protection for a subset of those vectors.  Here’s the break down:

 

XSS Attack Vector

IOSEC

Anti-Cross Site Scripting Library

Html

X

X

URL

X

X

Html Attribute

X

 

JavaScript

X

 

Visual Basic Script

X

 

 

In the 1.0 release of the Anti-Cross Site Scripting Library, only the code to do html and url encoding was provided.  In the coming weeks we’ll be porting the full capabilities of IOSEC, some safe .NET controls to use in web applications plus some feedback from the community to the Anti-Cross Site Scripting Library V1.5.  Check back soon for that release! 

 

Thanks,

 

Kevin Lam

Senior Security Technologist

Application Consulting & Engineering (ACE) Team

  • Hi, I'm found this almost by accident.  Do you have more information on exactly what this does?  I'm an XSS researcher and would like any information you could provide.  My email address is on my site.
  • Recently, Microsoft released the latest update to Anti-Cross Site Scripting tool which is part of a bigger...
  • Hello!

    I have downloaded Microsoft Anti-Cross Site Scripting Library V1.0, and have a question.

    As I could understand from the documentation, you suggest to use these functions instead of System.Web.HttpUtility methods.
    But I just cannot imagine an attack that shall be prevented by using Anti-XSS library and shall not be prevented by using System.Web.HttpUtility methods!
    Can you give an example? Why not using standard methods?
  • Microsoft の XSS 対策用 .NET ライブラリ第一弾 (Microsoft Anti-Cross Site Scripting Library V1.0)
  • [ASP.NET]Microsoft の XSS 対策用 .NET ライブラリ第一弾 (Microsoft Anti-Cross Site Scripting Library V1.0)
  • [ASP.NET]Microsoft の XSS 対策用 .NET ライブラリ第一弾 (Microsoft Anti-Cross Site Scripting Library V1.0)
  • The problem
    Back when ASP.NET was first introduced, I had pretty high hopes that the new controls would...
  • The problem Back when ASP.NET was first introduced, I had pretty high hopes that the new controls would

Page 1 of 1 (9 items)