The Connected Information Security Group : Frameworks and Platforms

This Blog URL Has Changed – Please Update Your Readers

cisg — Thu, 16 Apr 2009 17:52:32 GMT

Things have been quite on the blog for while. There is a LOT of code being cranked out at the moment as we work towards some deadlines in the summer on various projects.

Our team name has also changed from the Connected Information Security Group (CISG) to the Microsoft IT Information Security Tools Team. This reflects an increased scope of tools that we are building and areas that we are focusing on so we have updated the blog URL. Well leave all the content as is on this blog but all new content will be posted at the new URL.

As well as news about significant work on CAT.NET and a Beta for TAM 3.0 we plan to start sharing details of the development framework CISF that we are building and a Risk Tracker application; both of which we plan to release open source under an MS-PL license this summer. CISF is a set of reusable components and code from which you can assemble your own security management applications (including gluing various security tools and technology together). It’s built in C# and on the MSFT technology stack (.NET 3.5 (WWF, WCF. ASP.NET etc)), SQL Server 2008 and Windows Server. You can think of Risk Tracker as a “Security Starter Kit” using the CISF; it’s essentially a Risk Tracking application that we have built internally for the corporate information security team which we will generalize and share with the community. You will be able to run it as is or extend it with .NET and the CISF. We plan to extend both tools on a regular basis (quarterly updates) as we improve the tools and technology for internal use.

More news in a few weeks!

You can subscribe to the new blog at http://blogs.msdn.com/securitytools

Cheers!

Mark

ASP.NET Data Binding and AntiXss Encoding

cisg — Wed, 01 Oct 2008 12:50:42 GMT

Hi RV here again...

Last time I looked at ASP.NET controls and few common scenarios where you need to use encoding. Couple of weeks back we looked at a sample data binding scenario. This time lets exclusively look at various ASP.NET data binding techniques and how to use AntiXss to encode the output.

Scenario #1: Eval()

Most common way of data binding in ASP.NET is by using Eval() method. Here is an ASP.NET label control bound to the "Comments" field of the data source.

   1: <!--Usage #1-->

   2: <asp:Label runat="server" ID="CommentsLabel" Text='<%# Eval("Comments") %>' />

   3: <!--Usage #2-->

   4: <asp:Label runat="server" ID="CommentsLabel"

   5:                 Text='<%#DataBinder.Eval(Container.DataItem,"Comments") %>'/>

By definition Eval() method uses reflection to bind the column at runtime this may affect performance of the application. Apart from the performance, as Eval() uses reflection it is generally inadvisable. Instead you should use Container.DataItem directly for binding and wrap it with AntiXss.HtmlEncode method to protect from XSS as shown below.

   1: <asp:Label runat="server" ID="CommentsLabel"

   2: Text='<%#Microsoft.Security.Application.AntiXss.HtmlEncode

   3: (((System.Data.DataRowView)Container.DataItem)["Comments"].ToString()) %>'/>

By using Container.DataItem directly we improve performance and can use AntiXss with it. Note that you can still use AntiXss.HtmlEncode on just the Eval() method.

Scenario #2: Bind()

Bind() is another way of data binding in ASP.NET. Here is the same ASP.NET label control bound to the "Comments" field using Bind().

   1: <asp:Label runat="server" ID="CommentsLabel" Text='<%#Bind("Comments") %>'/>

Bind() is a very special way of data binding in ASP.NET. Unlike Eval() Bind() is not a method call so when ASP.NET compiler encounters Bind() statements, it will generate additional code for data binding. If you look at the code created in the ASP.NET Temporary Files Folder, it in fact has DataBinder.Eval statement. Unfortunately due to this there are limitations on what you can do with a Bind() statement. One limitation is that you cannot wrap Bind() statements with any other method calls.

   1: //Code generated in the temporary file for the Bind() statement

   2: dataBindingExpressionBuilderTarget.Text =

   3: System.Convert.ToString(this.Eval("Comments"),

   4:     System.Globalization.CultureInfo.CurrentCulture);

For more information on this behavior check this blog post. In essence if you use Bind() statements, you should convert the code to use Eval() statements and wrap them with AntiXss library as shown in scenario #1 above.

Scenario #3: <%# %>

In some cases you might want to just bind some data to a control or a html element. This can be achieved by using <%# variable %> and Page.DataBind(). Here is some sample code.

   1: //variable declaration in the code behind file

   2: public string hyperLink="http://www.microsoft.com";

   3: Page.DataBind();

4:

   5: <!--In the ASP.NET page-->

   6: <a href="<%# this.hyperLink %>">Microsoft Corporation</a>

Although this is somewhat a strange way to do this, it sure illustrates the point of data binding. In this case, by simply wrapping the this.hyperLink in AntiXss.HtmlEncode would fix the problem.

   1: <%# Microsoft.Security.Application.AntiXss.HtmlEncode(this.strLocation) %>

As we have seen in the above scenarios Bind() is the only case where you will not be able to protect from XSS using encoding, so the best option is to change the ASP.NET code to use Eval() statement.

There's a LOT More to Building Security Software than Software Security

cisg — Tue, 16 Sep 2008 13:20:53 GMT

Mark Curphey here.....

I often get asked exactly what I do for a living at Microsoft. Many people associate my name with OWASP, my personal blog and software security in general. When I say I am a PUM (Product Unit Manager) and run a team that builds security tools most people understandably assume that we are only focused on software security or application security tools (preventing vulnerabilities or attacks). Part of this of course maybe because the current blogger's on this blog are the Anti-XSS development team! Given we build technology to support the corporate security program the remit is actually pretty wide and software security tools like Anti-XSS and the Threat Modelling tools make up a relatively small part of the portfolio. In the coming weeks we will start to discuss some of the security management tools we are going to be working but I wanted to highlight some of the Microsoft technology we are either using or considering using. Many people forget the sheer range of technology we have available to build feature rich security management applications.

.NET WCF - Windows Communication Foundation - Rich set of API's for building connected systems (think SOA). It includes the ability to build services that talk WS-Security and can do XML digital signatures etc.

.NET WWF - Windows Workflow Foundation - An awesome business process management suite of technologies including process design tools, process execution engines, business rules engines and business activity monitoring technology. If you think BPM is just workflow I encourage you to look hard at BPM technologies. We think BPM will revolutionize the way people manage information security in the future.

BizTalk - Is an integration technology for building SOA's. It includes some BPM capability.

Performance Point - Performance Point is a data analytics and Business Intelligence server. Basically you can pull in data, crunch it and produce reporting (including dashboards). It supports interesting methodologies such as Balanced Score Cards.

CardSpace - InfoCards that can be extended.

Zermatt - new claims based ID management framework that can be used to build claims based authentication and authorization systems. Combine with CardSpace and SmartCards and .......

Codeplex - It's worth noting that there is a great deal of excellent code out on CodePlex such as the Enterprise Library and the Enterprise Services Bus.

Then consider things like ADFS, SharePoint, SQL 2008 (full encryption of the DB on the fly) and its a rich set of technology on which to build applications.

Next week I will walk you through a proof of concept we recently built to explore how some of this technology could be applied to the application security assessment space.

Trip Report : Day Two of Gartner BPM Conference

cisg — Fri, 12 Sep 2008 12:18:43 GMT

Hi Marius here again with highlights from day 2 of the Gartner BPM conference.

Back of the Napkin

You may have heard of the book called The Back of the Napkin: Solving Problems and Selling Ideas with
Pictures. It’s one of the latest books creating a buzz in business community. Dan Roam, the author
of the book presented on how the most daunting business problems can be described simply using
only stick figures in the space of a few square inches available on the back of a napkin. Ultimately,
those who present the problem the best get the funding to proceed with their project. Dan argues that
there are three types of people. Those who immediately jump to the whiteboard and start sketching
in meetings (25% of us), those who are not artistic BUT will highlight what’s interesting (50% of us), and
finally those who are not artistic and simply refuse to participate in the process (the remaining 25%).
Those who highlight don’t come up with new ideas, but they are good at dissecting ideas presented to
them and highlight what really matters. Those who refuse to sketch do so because they understand
that what’s being drawn is far too simplistic to be reality. These people tend to have the most facts on
the problem. When they compare the drawings to their own information, they are turned away from
the conversation. The challenge is to find a way to involve these people, and the solution presented
was to (don’t read if you’re this last type ;-) ) to get them angry enough at the situation that they take
control, cross out the irrelevant information, and find a way to distill their facts into a way that fits onto
the drawing. Dan argues that visual communication transcends language and cultural barriers and can
be used to communicate complex ideas – but these ideas need to be transformed into a combination
of the following: who/what, how much, where, why, how, and when. After talking a bit about
neurobiology, Dan explains that the brain has different visual pathways for each of these types of
information that are all processed in parallel. How can you present each type of information visually?

Just follow this chart:

The story given was that Dan had to present the problem statement around a financial process in
Microsoft. He drew the problem statement on paper using stick figures and didn’t manipulate
the image through Illustrator or any such tool. The execs were impressed because he was able to
easily relate to them and they asked what software he used. Facetiously he replied “Pen and Paper
1.0.” The moral of the story however, is that the more human your presentation, the more human the
response will be.

Next time you need to speak to your customer about pain points, try the following Wong-Baker pain
chart, used in emergency rooms:

BPM Modeling

The next session was about BPM modeling by one of the leaders of the BPMN standard. BPMN is a
powerful standard that can be used to model almost any business scenario. It is an easy to use way to
draw processes designed to be understood and used by business users. It’s limitations include not
being able to model meetings (without resorting to an ad-hoc task) and serializing the model.
Serializing is necessary to be able to save the model in a way that is executable by a workflow engine.
Workarounds to the serialization issue are to export the model as XPDL or BEPL. Despite these issues
BPM vendors are retrofitting their tools to support BPMN 1.1 due to its power in modeling processes
and simplicity for business users. Want to give BPMN for a spin? Try the free tool:
http://bizagi.com/eng/products/ba-modeler/desc-efective.html

Risk Management and Compliance

This was the one must see track session considering what our team does and I had to trade off several other
good presentations to attend this one. The key point delivered was that GRC is a short-term audit-driven need.
Nobody likes compliance (except for those whose jobs are compliance) but thanks to the likes of
Enron and MCI WorldCom we’re in an ever increasing regulatory environment where imposed
regulations continue to grow. Businesses really wants performance and business risk management but
for now they are faced with immediate needs to track regulatory compliance. GRC tools out there
include some form of process, but they are still stovepipe applications. In the next 4-8 years, expect to
see BPM solutions move into the GRC space. Strengths of BPM in the GRC space are the fact that you
can set risk management workflows, perform policy mapping, model (and simulate) risks and controls,
automate controls, and analyze control effectiveness. In our experience, creating management
workflows and analysis of control effectiveness are some of the hot topics in the risk management
work. The weaknesses of BPM in the GRC space is related to domain knowledge and time to
implement. The primary drivers of GRC implementations today are the need for domain knowledge of
regulatory standards (something that BPM vendors do not have experience in) and a quick audit-
driven solution – customers need a fast solution, not tools that enable them to create solutions. Since
“pure” GRC is a short-term need, the industry will begin to focus more on risk management, and
eventually business performance management. Since BPM is already in the realm of performance
management, the prediction is that BPM suites will start to include risk management and modeling
capability with compliance built-in to ensure that processes created through the tool are in
compliance.

User Interface and Empowerment Disrupts Business Applications

From the start, it was a surprise to see how few people attended the keynote on user interfaces.
Rather, most attended the session on change management instead. Since my double was not available
at the time, I had to pick one or the other and went to the only session related to UX. The problem
statement presented is that the returns on automation are shrinking, mostly due to the fact that business
applications have already squeezed the people out of processes in most places. Many of the
remaining tasks end up being non-routine, highly cognitive, and interactive tasks—and this trend is
growing. In second place are non-routine, highly cognitive, analytic tasks. Both of these types of tasks
are poor candidates for process automation. What should IT to do in these areas? Industry wide, IT is
already being seen as an inhibitor to business change.

The answer is to model processes around business KPIs (not the opposite) and empower the business
user to have information at their fingertips and to “design” their own solution:

• Focus on End-User Flexibility

- Enable end-user process flow design

- Enable end-user-driven creation of apps through configurations, personalization,
mashups, compositions

• Develop a Consumer like Experience

- Embedded user experience that includes Web 2.0 and user productivity like
experience

- Immersive UI, pervasive mobility

• Incorporate Context Into Processes

- Peer-based, ad hoc collaboration enabled

- Community-generated content

- Process and information design presented based on individual need

• Include a Network-Centric Design

- Anyone can participate, from any organization, from any geography

- Architected for high-volume, highly distributed, simultaneous connections

- Information can originate from anyone, anywhere — no boundaries

• Provide Actionable, Intelligent Insights

- Predictive, proactive and context-aware analytics

- External and internal cross-application content

- Structured and unstructured data analysis/synthesis

In the end this is really the people component of people, process, and technology.

Thanks for reading, more tomorrow.

Marius

Trip Report : Day One of Gartner BPM Conference

cisg — Fri, 12 Sep 2008 12:11:00 GMT

Marius Grigoriu here....

I am a Program manager with CISG and in keeping with good program management its straight down to business. Today was the first official day of the Gartner BPM Conference at Washington DC and I am posting daily trip reports. In the Connected Information Security Group we believe that BPM or Business Process Management is key to the future of information security management.

Three recurring themes emerged from the different presentations given today:

1) Staffing

2) Agility

3) Continuous process improvement

Themes:

Staffing:

Getting the right mix of people working on the BPM project is critical for success. Just throwing the smartest people in a room is a recipe for frustration without the proper roles, skills, and authority. At a minimum, BPM projects should include a business process owner, implementation lead, developers, SMEs, and an executive sponsor. The business process owner is the team member belonging to the business who has knowledge of the business process and has the authority to make changes to the process as necessary. The process owner defines the process being input into the BPMS and also drives adoption of the system in the business organization. The implementation lead is much like our program manager role on the CISG team. They work with the business process owner to model the process, collect other requirements, drive the creation of the solution. Somewhat misleading is the title as an implementation lead does not drive adoption within the business, but must work closely with the process owner to accomplish the task. “Developers” are not just devs, but includes the entire team necessary to support the development effort: architecture and design, development, testing, and appropriate management. Not mentioned were the IT operations staff members who should also be included and finally is executive sponsorship. SMEs are the team members who know the most about the as-is process including any undocumented and unofficial processes still necessary to their team’s operations. The executive sponsor must be dedicated and willing to make hard decisions to push the project forward. By nature process decisions are decisions about people’s jobs, which can become contentious at times. It was mentioned that an absent or hesitant executive sponsor is a show stopping danger sign --the executive sponsor must be 100% behind a BPM implementation project to succeed.

Agility:

Multiple speakers have mentioned the important of agility in implementing BPM. First, one of the general goals of BPM is to enable businesses to improve (read change) their processes through the collection of data and to decrease the cost of IT changes (vs. the monolithic LOB app). Thus one of the points of implementing BPM is to facilitate business change and agility. Next is that waiting for perfection in requirements and process documentation/modeling is counterproductive. Teams may contains unknown, unofficial sub-processes which are hard to discover even with SMEs on the team. At some point, perfecting requirements and designs require much more time for an incremental change in value. Playbacks such as rapid prototypes and iterative releases should be used to frequently obtain feedback along the journey. It is important to note that iterative releases are not the same as planned staged releases. The latter is executing on a pre-determined plan created with information from the early phases of the project. The former is about inspecting the work delivered, identifying gaps and areas of improvement, then addressing those issues. A BPM project is not a “once and done” implementation project like many other IT projects that are developed then put into sustained engineering mode. Even after iterations have completed, one or two dedicated resources will need to be available to handle continuous improvement process changes.

Continuous Process Improvement:

Related to agility is CPI, the #1 recurring topic so far and one of the big benefits of implementing BPM. CPI is made possible by the metrics and process visibility created by implementing and running BPM solutions. However this implies that resources need to stay on project after implementation to make the changes resulting from additional process analysis. As processes change, so will the system, and the BPM implementation needs to be build in a way that can accept change. Re-useable components and the use of BPM/rules engines to move away from business logic built-into application code have been mentioned as a way to achieve lower IT change costs.

10 Habits of Successful Organizations Building BPM solutions:

1. Make BPM about productivity AND visibility:

Metrics, KPI, SLAs, should be part of the defining the process
Try not to scope out metrics

2. Integration

Don’t underestimate the effort required to integrate systems and start early
But don’t get bogged down either – don’t let that delay your first project (which should be a low risk, high impact project)
Be ready to trade off integrations that stand in the way of a timely release

3. Never a “one and done” project

Iterative approach to process improvement and bpm systems

4. Don’t skip process analysis

Requirements are not the same as process analysis

5. Take time to deliver value

Taking longer than 90 days to deliver is not a failure
Use timeline as a box in which to deliver your value

6. Build a complete team

7. Self-sufficiency is a priority

FTEs are necessary to build organizational capability
Partially allocated FTEs are not good enough – they need to be committed to the project

8. Fund to value, not just the first release

Big challenge as IT funding tends to be per project usually just for a first release
To obtain the benefits of CPI, maintenance should is not a sleeper like for may be in other applications

9. Force collaboration, use playbacks and iterations to create tangible results for frequent validation

10. Set owners for the program, process, and technology

Thanks for reading, lots more tomorrow.

Marius

UX ≠ UI

cisg — Fri, 29 Aug 2008 11:09:37 GMT

Hi Birm here.....

My name is Ricardo Birmele, but people around here call me “Birm.” I am lucky enough to be the user experience (UX) guy on the CISG team. Like many of us working at Microsoft, I’m an immigrant; in my case flying into the United States from Brasil when I was a kid. In past professional lives I’ve been a Deputy Sheriff, a newspaper reporter, a book author (I wrote the very first of the “Idiot’s Guide” series), and a software developer. I’ve won prizes for UI design and for portrait photography. For fun I play a dog house bass in a community orchestra, go golfing, or SCUBA dive. For sanity I commute to work on a motorcycle. I’ve been a Microsoft FTE for about two and a half years; first running a worldwide training program, and now influencing the user experience effort for CISG.

Enough about me; let’s talk about user experience.

UX is fairly new as cognitive disciplines go. The ideas behind it derive from the sciences of applied psychology, ergonomics, and human factors as practiced by people working in the aircraft industry during World War II. The problem was that equipment then was becoming too complex for people to be able to use it safely. UX began as a way of looking at a collection of entities as being a single object, seeing how that object behaves, and then understanding how people interacted with that object.

People often take UX as being the same thing as user interface (UI), and that’s a miscommunication. An application’s UI certainly has to do with its UX. In truth though, UX as applied to software has to do with everything you perceive about using an application: how pleasing it looks, how well it works, what information it contains, how easy or difficult it is to use, how well it makes your work easier. In short, how our application appeals to you. Or how it doesn’t.

At the end of the day, UX is all about you.

We start our UX work by researching you and people very much like you. We learn all we can about how you go about your job. What information do you need to do it well? What are your pain points? What are your goals? How exactly would you use an application if we built it?

Once we have the answers to these questions, we build a persona: an archetype of a user who represents you and the other people very much like you. Notice that I said a persona is an “archetype” and not a “stereotype.” This is a very important distinction. An archetype is a statistically validated impersonation. Stereotypes are guesses derived from anecdotes.

Personas let us create scenarios: a sequence of actions we think you will perform as you use our application. Scenarios imply a design for a user interface: the pages containing the controls you use manipulate our application. Once we have user interface design, we ask people like you to test its usability, to make certain that this application solves your problem as intuitively as possible. And so it goes…

I think that you can see where I’m heading with this.

In upcoming blogs, I’m going to tell you in detail about all things UX. We’ll look at everything from UX design to UX research. We’ll come to understand some of the theories underlying UX. I’ll show you what makes a good UI design and how to accurately measure usability. We’ll even go into the science of cognition. And when UX makes the news, we’ll talk about that too.

For now though, I hope your take away is the fact that while they’re similar, user experience is not the same thing as a user interface.

UTF-8 Encoding

cisg — Thu, 28 Aug 2008 15:53:59 GMT

Hello there!

My name is Andreas Fuchsberger, I am a developer in the CISG team based in Germany. I joined CISG after a short stint with Assessment, Consulting and Engineering (ACE) Team part of the InfoSec in Microsoft IT. I am a relatively new to Microsoft having joined only 6 months ago coming from academia where I was full-time academic in the internationally renowned Information Security Group at Royal Holloway, University of London. In fact I still teach there on the excellent Masters (MSc) degree programme in Information Security, I teach the optional modules on Software Security.

The Software Security module was developed in response to the industry need to develop more secure software and is strongly based Michael Howard‘s must-read book Writing Secure Code 2^nd Edition and its update Writing Secure Code for Windows Vista®. It received part-funding from the Microsoft Research and the syllabus was constructed in consultation with Fabien Peticolas who headed the then university relations programme and Dieter Gollmann, who was also Microsoft Research at the time. Since designing and teaching the course I have become quite passionate about secure coding and the need to educate all kinds of software developers to learn to code securely from early on their careers. I am a true believer that security is not just a bolt-on that can be added at the end of a project. Expect to see more this one of my favorite topics in the future.

Speaking of secure coding, I note from a recent entry from Michael’s blog that Apache Tomcat has a UTF-8 encoding security bug and its related to the implementation of a standard (RFC 3629). Security standards are another of my favourite topics as I actively participate in a number of SC27 working groups (home of the ISO 27000 series) covering IT Security Technique for the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC). I will be posting updates to the happenings of the working groups in the future.

Just in case you are interested, the Tomcat vulnerability comes about from using an invalid but possible UTF-8 encoding of ‘.’ character, this bug is often called “overlong UTF-8 escape". BTW the definitive place for UTF-8 encoding is Section 2.5 “Encoding Forms” and Section 3.9 “ Unicode Encoding Forms ” in the Unicode Standard, a great read if you interested in typesetting, character sets, encoding an similar. This particular problem comes about through the desire create a solution that provides some form of compatibility for legacy systems, a source of many security problems. It also goes to show that using blacklists is not the safest way to check for invalid input. Hackers always seem to be able to find new ways around blacklists that the original designers could not envisage. This is one the many things we are currently contemplating in the design of our new Anti-XSS library. Watch this space for an announcement.

What Does ANTI-XSS Offer for HTML Sanitization?

cisg — Wed, 27 Aug 2008 22:41:00 GMT

Hi Vineet here.....

My name is Vineet Batta and in keeping with the other introductions here are a few words about myself. I have an engineering degree in Electronics & Communication and have spent quite a lot of time doing security reviews in the application space. Before joining Microsoft as an FTE I worked as a consultant to different teams including TWC and MSN operations. As an FTE I have worked extensively on the Threat Modeling and Analysis Enterprise tool since 2007. I have always enjoyed breaking applications to expose security vulnerabilities and then designing creative solutions to fix them.

My favourite phrase of the moment is;

"Social engineering bypasses all technologies, including firewalls"

To support rich user experiences, increasingly web applications are required to input data in a rich text format. That means the ability to apply formatting basics like bold, color, embedding hyperlinked URL's etc. This can however lead to potential XSS exploits from vulnerabilities, if a malicious payload is embedded in this rich text.

Content filtering is one of the most important steps we can take to protect our customers and this filtering must apply to all user content which will be displayed in the software client. Items stored in a user’s data store can sometimes inadvertently contain nasty attack vectors, referred to as Persistent Cross Site Scripting. It is the client’s responsibility to protect the user and the users system from these attacks.

The Anti-XSS library also sanitizes tainted/unsafe HTML and emits "safe HTML". In its processing it makes formatting changes that means if the HTML document is not well formed (unbalanced tags or missing tags), it will correct it. To output safe HTM a white list based approach is used. The Anti-XSS library addresses these issues by exposing SafeHtml and SafeHtmlFragment methods.

~~Example 1: Usage of SafeHtml method.~~

~~If the input HTML stream is~~

   1: <html>   2: <head>   3:     <title>CISG test page</title>   4: </head>   5: <body>   6:     <table>   7:         <tr>   8:             <td>   9:                 XSS TEST <a> My mail box <script>   1:  type='text/javascript' > alert("BAD CODE");" </script> </a>  10:                 <!-- There is a script injection as above. -->  11:                 <!-- The closing <td> element is missing. -->  12:         </tr>  13:     </table>  14: </body>  15: </html>

~~Note the following:~~
1. The html has closing<td> element missing.
2. The already injected script is part of the input stream
<script type="text/javascript" > alert("BAD CODE"); </script>

Call one of the GetSafeHtml() methods from overloaded list as below:

AntiXss.GetSafeHtml(stringReader, stringWriter);
//stringWriter will hold the output.

~~The output will be well formed HTML and that is (X)HTML compliant~~

   1: <html>   2: <head>   3:     <title>CISG test page</title>   4: </head>   5: <body>   6:     <table>   7:         <tr>   8:             <td>   9:                 XSS TEST <a> My mail box </a>  10: <!-- There was script that is purged from the output. -->  11: <!-- The closing <td> element is NOT missing. -->  12:             </td>  13:         </tr>  14:     </table>  15: </body>  16: </html>

That's it , so easy to use and useful . :-). Note that even if <html><body> were to be missing from input stream, call to this method would have added these to form a well form HTML document.

~~Example 2: Usage of SafeHtmlFragment method.~~

As the name suggest SafeHtmlFragment is used if you must output only a fragment of the HTML body content and not the entire HTML document.The method will not output any <html><body> elements if they are missing.

~~Consider the unsafe input as below:~~

<a href="http://www.contoso.com"> You won the lottery <script language="javascript" > var a = document.cookie;
</script> </a>

~~Call one of the GetSafeHtmlFragment methods from overloaded list as below:~~

AntiXss.GetSafeHtmlFragment(stringReader, stringWriter);
//stringWriter will hold the output.

~~The output will be:~~

~~<div> <a href="http://www.contoso.com"> You won the lottery </a> </div>~~

~~As you can see the output is rendered harmless and valid.~~

It is worth nothing that this approach is different from HTMLEncoding. In encoding all unsafe characters are encoded to be rendered as harmless characters in the users browser. Using SafeHtmlFragment you actually purge the dangerous/unsafe script and replace it with white spaces.

More from me next week when we start to explore the next generation of Anti- XSS technology we are working on.

What is the Microsoft Anti-XSS Library?

cisg — Tue, 26 Aug 2008 11:05:53 GMT

RV here.....

My full name is Anil Kumar Venkata Revuru but people call me RV around here. I am a Senior Software Development Engineer (SDE in MSFT speak) for CISG where I am responsible for architecting security tools. In my past life at Microsoft I conducted security design reviews, threat modeling, application and source-code assessments. I hold a Diploma in Mechanical Engineering from JNTU Hyderabad and I made significant contribution to the security development of products at V-Empower Inc. I am also the author of Microsoft Threat Analysis and Modeling Tool used for application threat modeling. You can find my personal blog at http://blogs.msdn.com/codejunkie.

For my first post I thought I would provide an overview of the Anti-XSS library as it stands today. As Mark mentioned in the first post we have a team working on the next generation of this technology and well be blogging about that in the coming weeks. The Microsoft Anti Cross Site Scripting Library (AntiXSS) is an encoding library, designed and developed by CISG team at Microsoft in conjunction with the ACE Team. It is designed to help developers protect their Web-based applications from XSS attacks. This library is very different from most encoding libraries, it uses the principle-of-inclusions technique to provide protection against XSS attacks. This approach works by defining a valid or allowable set of characters, and encoding anything outside this set (invalid characters or potential attacks). It offers several advantages over other encoding schemes.

AntiXSS library encoding scheme uses the following white list for passing the safe characters and will encode all other characters.

a-z, A-Z, 0-9
space, period, comma, hyphen and underscore

Before we look at how AntiXSS works, lets look at a potential cross site scripting defect and understand how it works. Cross site scripting (XSS) is the most common web application vulnerability and is listed in the Top 10 web application vulnerabilities on OWASP. XSS can also be called HTML injection attack, it occurs when un-validated user input is inserted into HTML output. This allows the attacker to construct a URL with HTML input and get it executed on the browser in the user's context. This attack can be used to extract cookie information, steal sessions, write new html tags, invoke ActiveX controls, etc. Essentially, anything that can be done with a browser can be done with this attack without the user's knowledge.

Many of ASP.NET controls don't encode the input natively, which makes it more important for the developer to encode or validate the input. The following are some examples of this vulnerability.

   1: //This is the classic XSS vulnerability.

   2: Response.Write(Request.Params["input"]);

3:

   4: //Here is another vulnerability using ASP.NET controls

   5: Label1.Text = Request.QueryString["message"];

In the above examples, the input is being direct passed back to output stream. If any HTML such as <script>alert('Hello')</script> will be executed the browser and you will see a message box. Most probably this exploit may be stopped by request validation feature of .NET. There are other exploits which will bypass request validation feature, this feature should be used for defense in depth.

Proper output encoding and good input validation will fix the XSS issue. For output encoding use AntiXSS Library for its comprehensive encoding capabilities. AntiXSS works by looking at all the characters in the input and encoding characters not in the whitelist using standard html entity notation (&#num;). The above script would get encoded as <script>alert('hello');</script>. The following code is the correct implementation of AntiXSS for the above vulnerabilities.

   1: //This is the classic XSS vulnerability.

   2: Response.Write(AntiXss.HtmlEncode(Request.Params["input"]));

3:

   4: //Here is another vulnerability using ASP.NET controls

   5: Label1.Text = AntiXss.HtmlEncode(Request.QueryString["message"]);

Also there are different encoding methods for different context's. For example, if you constructing a URL from user input you should use AntiXss.UrlEncode. The following are different context's and examples.

   1: //HTML Attribute Context

   2: Literal1.Text = "<hr noshade size=" +

   3:         AntiXss.HtmlAttributeEncode(TextBox1.Text) + ">";

4:

   5: //URL Context

   6: String SearchUrl = "http://search.live.com/results.aspx?q=";

   7: Literal1.Text = "<a href=\"" + SearchUrl + AntiXss.UrlEncode(TextBox1.Text) +

   8:                 "\">Example Link</a>";

9:

  10: //JavaScript Context

  11: StringBuilder Str = new StringBuilder();

  12: Str.Append("<script type=\"text/javascript\">\n");

  13: StringArrayConverter StrArrayConv = new StringArrayConverter();

  14: string[] ItemsArray = (string[])StrArrayConv.ConvertFrom(TextBox1.Text);

  15: foreach (string item in ItemsArray)

  16: {

  17:     // Note that JavaScriptEncode adds the starting and end '

  18:     //so we don't need to include them in the code

  19:     Str.Append("listboxItems.push(" +

  20:     Microsoft.Security.Application.AntiXss.JavaScriptEncode(item) + ");\n");

  21: }

  22: Str.Append("FillListBox();\n");

  23: Str.Append("</script>");

  24: Literal1.Text = Str.ToString();

25:

  26: //XML context

  27: // Create XML template

  28: String Xml = "<xml id=\"data\">\n<data>\n<name>{0}</name>\n" +

  29:      "<company>{1}</company>\n<email>{2}</email>\n" +

  30:      "</data>\n</xml>\n";

  31: // Fill template with data provided by user

  32: Literal1.Text = String.Format(Xml, new string[]

  33: {

  34:     Microsoft.Security.Application.AntiXss.XmlEncode(TextBox1.Text),

  35:     Microsoft.Security.Application.AntiXss.XmlEncode(TextBox2.Text),

  36:     Microsoft.Security.Application.AntiXss.XmlEncode(TextBox3.Text)

  37: });

As you see, for specific context you should use that method as each context defines specific encoding pattern. Further information on the usage of AntiXSS is available on MSDN at http://msdn.microsoft.com/en-us/library/aa973813.aspx.

We are working on some significant updates to the library and building some complimentary technology. More from me on that in the coming weeks!

Welcome to the CISG Blog

cisg — Mon, 25 Aug 2008 13:49:12 GMT

Mark Curphey here......

I am the Product Unit Manager (or "PUM" in MSFT speak) for the Connected Information Security Group or CISG. Welcome to our new team blog. We are a software development team of about 35 developers, program managers and testers that supports Microsoft's corporate information security program; itself part of Microsoft IT and I manage the team. We are responsible for designing and building software to support the information security program, a lot of which is or will be released to our customers and the public in general as well as being deployed for our own use. We have built and support a broad portfolio of technology ranging from identity management solutions, security scanning tools, threat modelling tools and development libraries and will be focusing on the security management space in FY09.

You will be hearing a lot more about what we think will be "the next big thing" and about big projects we are working on over the coming months but for the first month or so we plan to share our thoughts and plans to update the Anti-XSS library (and probably some associated tools).

This week well be posting introductions from the team working on Anti-XSS including developers, program managers and a UX designer. From next week onwards well launch into detailed posts on the project that will generally fit into three main categories;

Team and Program Management
Technical Design and Development
User Experience (UX)

Myself and the program managers will share information about how we organize projects, set up Visual Studio Team System to support our development, how we use AGILE and SCRUMM and other program management techniques to track our work as well as discussing the high level project design ideas and industry challenges. The developers themselves will share deep technical and code level thoughts and ideas on the problems they are tackling and our UX guy will explain our thoughts and plans around user experience including developing personas, UI and documentation.

In keeping with the introductions that will follow from other members of the Anti-XSS project team this week here is a short bio about me.

I graduated from Royal Holloway, University of London with a Masters degree in Information Security in the mid-nineties as a mature student; a little late to the party after a "misspent youth"! Royal Holloway is most recently famous as the cryptography school where the cryptographer Sophie Neveu was educated in the best selling novel “The Da’Vinci Code”. After spending several years working at various investment banks in the City of London working on a variety of technical projects including PKI design, Windows NT security, policy development and single sign-on systems, I moved to Atlanta to run a consulting team performing security assessments at Internet Security Systems (now IBM). In late 2000 I took a job at Charles Schwab to create and manage the software security program, essentially creating the equivalent of the SDL program. It was during this period of my life that I started OWASP, the Open Web Application Project which now has over 10,000 members globally and is recommended reading by the Federal Trade Commission and the National Institute for Standards (NIST). In 2003 I joined a small startup called Foundstone to take the experience learnt at Schwab to other Fortune 1000 companies. The company was sold to McAfee in October 2004 and I joined the McAfee executive team reporting directly to the President continuing to run the consulting business. I was awarded the Microsoft MVP for Visual Developer Security in 2005.

In late 2006 I left Foundstone and the States, moved back to Europe and took some timeout to think seriously about designing and developing an information security management platform, work that is continuing in CISG today. I enjoy speaking at conferences, have contributed to several MS Press security books and have worked with the Patterns and Architecture Group (PAG) on threat modelling and code review guidance. I am currently writing a chapter for the O'Reilly book Beautiful Security on designing and building the next generation of security management technology. I have a personal security blog at http://www.securitybuddha.com and am a recent "mid-life crisis" convert to jogging and kite flying.