Over the last couple of months we have been actively developing the next version of the Anti-XSS Library and Security Runtime Engine (SRE). We have added new mitigations that go way beyond the original Cross Site Scripting (XSS) protections of the Anti-XSS Library, hence the change in name to the Web Protection Library, or WPL.
WPL now includes encoding methods that provide mitigations for LDAP Injection and CSS (Cascading Style Sheets) Injection, with several others planned for the future. The runtime protection module includes a new HTTP Module that detects and protects against SQL Injection attempts, using a specialized SQL Parser to detect any valid SQL queries in the input.
A quick summary of the changes in Web Protection Library v1.0:
We are really pleased with the significant progress we are making in this space and excited about getting some more community feedback by way of a community technology preview. If you are building ASP.NET web sites, you need to be using WPL, period.
In the next couple of weeks we will be providing more information on our blog, along with download links and ways to register for the Connect site to submit bugs and DCRs.