Syed Aslam Basha here from the Information Security Tools team.
Cross-site scripting is one of the biggest threats to web applications. I am not covering "what an attacker can do with cross-site scripting"; rather, I am covering "how to prevent cross-site scripting attacks using the Microsoft Anti-Cross Site Scripting Library V3.0 (Anti-XSS V3.0)".
What is Cross-Site scripting(XSS)?
A website is vulnerable to XSS if input is not properly validated and encoded before it is rendered in the output. For example, suppose you take input from a textbox and, without any validation or encoding, embed it in the response (as below).
using System;

// Deliberately vulnerable: the textbox value is written straight into the response.
public partial class _Default : System.Web.UI.Page
{
    protected void Button1_Click(object sender, EventArgs e)
    {
        String Input = TextBox1.Text;
        // Untrusted input reaches the HTML body with no encoding (the defect the text describes)
        Response.Write(Input);
    }
}
Set ValidateRequest to false in the page directive, so that ASP.NET's built-in request validation does not reject the request (it would otherwise throw an HttpRequestValidationException when it sees the script tag):
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" ValidateRequest="false" %>
Run the above code in Visual Studio, enter <script>alert("Hello World")</script> in the textbox and click the button. You will get a "Hello World" alert box, which shows that the page is vulnerable to XSS.
You can prevent XSS using the Microsoft Anti-Cross Site Scripting Library V3.0 (Anti-XSS V3.0). It is an encoding library. It uses a white-listing technique to protect against XSS attacks: it first defines the set of characters that are allowed to pass through unchanged, and encodes everything outside that set (invalid characters and potential attack characters alike). The advantage over black-listing is that a dangerous character nobody thought to block is still neutralised, because it was never on the allowed list.
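To make the white-listing idea concrete, here is a small encoder written for this post. It is an added illustration and not the Anti-XSS library's own code: the safe set (letters, digits, space and a few punctuation characters) and the numeric-entity output are my own choices for the demonstration. It also handles one edge case the paragraph does not mention, a surrogate pair, which must be encoded as one code point rather than as two halves.

```csharp
using System;
using System.Text;

// Added example of allow-list (white-list) output encoding. Not the
// Anti-XSS library's implementation; the safe set below is an assumption
// made for the demonstration.
public static class AllowListEncoder
{
    // Characters emitted unchanged. Everything else is encoded, so the
    // encoder never has to know which characters are "dangerous".
    private static bool IsSafe(int codePoint)
    {
        return (codePoint >= 'a' && codePoint <= 'z')
            || (codePoint >= 'A' && codePoint <= 'Z')
            || (codePoint >= '0' && codePoint <= '9')
            || codePoint == ' ' || codePoint == '.' || codePoint == ','
            || codePoint == '-' || codePoint == '_';
    }

    // Encode untrusted text for insertion into the body of an HTML element.
    public static string HtmlEncode(string input)
    {
        if (input == null)
        {
            return string.Empty;
        }

        var sb = new StringBuilder(input.Length * 2);
        for (int i = 0; i < input.Length; i++)
        {
            int cp = input[i];

            // A surrogate pair is one character to the browser; encode it as
            // one code point so the two halves cannot be recombined later.
            if (char.IsHighSurrogate(input[i]) && i + 1 < input.Length
                && char.IsLowSurrogate(input[i + 1]))
            {
                cp = char.ConvertToUtf32(input[i], input[i + 1]);
                i++;
            }

            if (IsSafe(cp))
            {
                sb.Append((char)cp);   // every safe code point is ASCII, so the cast is exact
            }
            else
            {
                sb.Append("&#").Append(cp).Append(';');
            }
        }
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed sample input: the payload used in the post.
        string payload = "<script>alert(\"Hello World\")</script>";
        Console.WriteLine(HtmlEncode(payload));

        // A character outside the Basic Multilingual Plane, encoded as one entity.
        Console.WriteLine(HtmlEncode("\uD83D\uDE00"));
    }
}
```

Running it shows the angle brackets leaving as &#60; and &#62;, the quotes as &#34; and the parentheses as &#40; and &#41;, so the browser renders the payload as text instead of executing it. The library applies the same idea with a per-context safe set, which is why it ships separate encoders for HTML, attributes, JavaScript and URLs.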
The above example can be rewritten and protected against XSS as follows:
using System;
using Microsoft.Security.Application;

public partial class _Default : System.Web.UI.Page
{
    protected void Button1_Click(object sender, EventArgs e)
    {
        String Input = TextBox1.Text;
        // Encode untrusted input for the HTML body context and write the output
        Response.Write(AntiXss.HtmlEncode(Input));
    }
}
To use the Microsoft Anti-Cross Site Scripting Library properly to protect your ASP.NET web applications, you need to:
Step 1: Review the ASP.NET code that generates output
Step 2: Determine whether the output includes untrusted input parameters
Step 3: Determine the encoding method to use
Step 4: Encode output
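The four steps applied to one page, as an added example that is not from the original post. It assumes a TextBox named NameBox, a Literal named Output and a button wired to Submit_Click; the AntiXss method names are those of the V3.0 library's Microsoft.Security.Application namespace. One assumption to check against your copy of the library: the V3 JavaScriptEncode returns the value already wrapped in single quotes, so the example does not add quotes of its own.

```csharp
using System;
using System.Text;
using Microsoft.Security.Application;

// Added example: one untrusted value (step 2) rendered into four different
// output contexts, each with the encoder that matches the context (step 3),
// with encoding done at the point of output (step 4). Control names are assumed.
public partial class Greeting : System.Web.UI.Page
{
    protected void Submit_Click(object sender, EventArgs e)
    {
        // Step 1 and 2: the output below is generated from NameBox.Text,
        // which is attacker-controlled.
        Output.Text = BuildGreeting(NameBox.Text);
    }

    // Kept separate from the event handler so it can be exercised without a web server.
    public static string BuildGreeting(string untrustedName)
    {
        var html = new StringBuilder();

        // Context 1: HTML element body. '<' and '&' are the characters that matter.
        html.Append("<p>Hello, ")
            .Append(AntiXss.HtmlEncode(untrustedName))
            .Append("!</p>\n");

        // Context 2: HTML attribute value. Quotes and '=' can break out of the
        // attribute, so a different encoder is used; the attribute is always quoted.
        html.Append("<input type=\"text\" value=\"")
            .Append(AntiXss.HtmlAttributeEncode(untrustedName))
            .Append("\" />\n");

        // Context 3: URL query-string parameter. HtmlEncode would be wrong here;
        // the value must be percent-encoded for the URL first.
        html.Append("<a href=\"/profile.aspx?user=")
            .Append(AntiXss.UrlEncode(untrustedName))
            .Append("\">Profile</a>\n");

        // Context 4: JavaScript string literal in an inline script. HTML encoding
        // does not help inside <script>; the value needs JavaScript escaping.
        // Assumption: V3 JavaScriptEncode returns the value already quoted.
        html.Append("<script type=\"text/javascript\">var user = ")
            .Append(AntiXss.JavaScriptEncode(untrustedName))
            .Append(";</script>\n");

        return html.ToString();
    }
}
```

The point of the example is step 3: the same input needs a different encoder for each place it lands, and using HtmlEncode everywhere leaves the URL and script contexts exploitable. A code review for XSS therefore walks every output statement (step 1), asks whether untrusted data reaches it (step 2), and only then picks the encoder.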
The Microsoft Anti-Cross Site Scripting Library exposes encoding methods on the AntiXss class for the different output contexts: HtmlEncode, HtmlAttributeEncode, JavaScriptEncode, UrlEncode, XmlEncode, XmlAttributeEncode and VisualBasicScriptEncode. Choosing the method that matches where the data is written is what makes the encoding effective.
It also adds Shift_JIS support for mobile browsers, so multi-byte characters can be URL-encoded byte by byte (for example, %NN%NN%NN).
You can refer to more articles on Anti-XSS here
-Syed Aslam Basha (firstname.lastname@example.org)
Microsoft Information Security Tools (IST) Team
Please leave a comment if the blog post has helped you.