
Microsoft Release new Anti-XSS tool

Microsoft has just released a new Anti-XSS tool that works with .NET Framework 1.0, 1.1 and 2.0.  Any time you echo user input back to the web page you are susceptible to either persistent or non-persistent cross-site scripting attacks.  You can download the tool from:

http://www.microsoft.com/downloads/details.aspx?familyid=9a2b9c92-7ad9-496c-9a89-af08de2e5982&displaylang=en

So what was wrong with using System.Web.HttpUtility.HtmlEncode?  The problem is that the HttpUtility class is based on a deny-list approach (I covered the downfall of that approach in an earlier blog post) rather than an accept-only approach.  As a result of the deny-list approach, HttpUtility.HtmlEncode is only good against the following characters:

  • < 
  • > 
  • &
  • Characters with values 160-255 inclusive 

The Microsoft Anti-XSS tool follows an accept-only approach: it looks for a finite set of valid input characters and treats everything else as invalid, encoding it.  This approach provides more comprehensive protection against XSS and reduces the ability to trick the encoder with canonicalization attacks (alternate representations of the same character that a deny list does not recognise).

You will find that the Anti-XSS tool works much like HttpUtility.HtmlEncode:

  • AntiXSSLibrary.HtmlEncode(string)
  • AntiXSSLibrary.URLEncode(string)

Now all characters will be encoded except for:

  • a-z (lower case)
  • A-Z (upper case)
  • 0-9 (Numeric values)
  • , (Comma)
  • . (Period)
  • _ (Underscore)
  • - (dash)
  • (Space), except in URLEncode

This is a must-have download!
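To make the difference between the two approaches concrete, here is an added example (not code from the post or from the Anti-XSS library) that models both encoders in Python from the character lists given above: a deny-list encoder that replaces only <, >, & and code points 160-255, and an accept-only encoder that replaces everything outside the allowed set. The output form (decimal numeric character references for HTML, %XX for URLs) and the sample input are assumptions made for the example; the point it shows is which characters each approach leaves for the browser to interpret.

```python
# Added example: models the deny-list versus accept-only encoders described in
# the post. These are NOT HttpUtility.HtmlEncode or AntiXSSLibrary code; they
# follow the character lists the post gives and use an assumed output form.

# Deny-list model: only the characters the post lists are replaced.
DENY_LIST = {"<": "&lt;", ">": "&gt;", "&": "&amp;"}


def denylist_html_encode(text: str) -> str:
    """Replace <, >, & and code points 160-255; pass everything else through."""
    out = []
    for ch in text:
        if ch in DENY_LIST:
            out.append(DENY_LIST[ch])
        elif 160 <= ord(ch) <= 255:
            out.append(f"&#{ord(ch)};")
        else:
            out.append(ch)
    return "".join(out)


# Accept-only model: the allowed set from the post (letters, digits, comma,
# period, underscore, dash, space); anything else is encoded.
ALLOWED_HTML = set(
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789,._- "
)


def allowlist_html_encode(text: str) -> str:
    """Replace every character outside the allowed set with a decimal
    numeric character reference (assumed output form)."""
    return "".join(ch if ch in ALLOWED_HTML else f"&#{ord(ch)};" for ch in text)


# URL context: same allowed set minus the space, as the post notes.
ALLOWED_URL = ALLOWED_HTML - {" "}


def allowlist_url_encode(text: str) -> str:
    """Percent-encode each UTF-8 byte of any character outside the allowed set."""
    out = []
    for ch in text:
        if ch in ALLOWED_URL:
            out.append(ch)
        else:
            out.extend(f"%{b:02X}" for b in ch.encode("utf-8"))
    return "".join(out)


def passed_through(encoder, text: str) -> list:
    """List the non-allowed characters that an encoder leaves unchanged.
    A quick way to audit what a given encoder hands to the browser as-is."""
    return sorted({ch for ch in text if ch not in ALLOWED_HTML and encoder(ch) == ch})


if __name__ == "__main__":
    # Constructed sample: a name with an apostrophe, an ampersand and markup.
    sample = "O'Brien & <b>Co.</b>"
    print("deny-list :", denylist_html_encode(sample))
    print("accept-only:", allowlist_html_encode(sample))
    # The deny-list model passes the apostrophe and slash untouched; in an
    # attribute context that is exactly what an attacker needs left alone.
    print("left alone by deny-list :", passed_through(denylist_html_encode, sample))
    print("left alone by accept-only:", passed_through(allowlist_html_encode, sample))
    print("url:", allowlist_url_encode("a b/c.d-e_f,é"))
```

Run it and compare the two outputs: the deny-list model only neutralises the three listed characters, whereas the accept-only model encodes the apostrophe and slash as well, which is why the post recommends the accept-only tool for anything echoed into an attribute or URL.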

Published Thursday, February 23, 2006 3:10 PM by dansellers

Comments

# Microsoft release new tool to counteract cross-site scripting attacks

Thursday, February 23, 2006 5:22 PM by Dana Epp's ramblings at the Sanctuary
Dan's recent post reminded me that Microsoft has been doing some interesting work lately in the field of Anti-XSS. They have even released a new tool today called the Microsoft Anti-Cross Site Scripting Library V1.0 which can be used to provide comprehensive

# re: Microsoft Release new Anti-XSS tool

Thursday, February 23, 2006 8:00 PM by Luke
If I install this on a machine with both .Net 2.0 and 1.1 it seems to only install the 2.0 Assembly.
Is there a way I can get the 1.1 Assembly?

#

Thursday, February 23, 2006 11:09 PM by Christopher Steen
5 Tips for Enjoying the Software Development
Profession [Via: dforbes@yafla.com ]

ASP.NET 2.0 Wizard...

# Vinny Carpenter's Link blog » links for 2006-02-25

Sunday, February 26, 2006 10:19 AM by Vinny Carpenter’s Link blog » links for 2006-02-25

# Microsoft Anti-Cross Site Scripting Library v1.0

Wednesday, March 01, 2006 1:57 AM by Tom's corner

# re: Microsoft Release new Anti-XSS tool

Friday, March 03, 2006 12:03 AM by dansellers
Hi Luke,

I just found out the current binary of the Anti-XSS tool only supports .NET Fx 2.0.  However, they will be releasing a new binary shortly that will support .NET Fx 1.1 and 1.0.

# Microsoft Updated Anti-XSS Tool

Tuesday, March 07, 2006 9:01 PM by Dan Sellers's WebLog
In a recent post I mentioned that Microsoft released a new Anti-Cross Site Scripting Tool. However,...

# Microsoft Updated Anti-XSS Tool

Tuesday, March 07, 2006 9:03 PM by Canadian Developers
In a recent post I mentioned that Microsoft released a new Anti-Cross Site Scripting Tool. ...

# ASP.NET 2.0 and the new HTTP-only property

Tuesday, March 14, 2006 12:04 AM by Dan Sellers's WebLog
To minimize the threat of Cross Site scripting attacks ASP.NET 1.1 introduced the ValidateRequest="true"...

# user 927

Tuesday, June 10, 2008 3:08 AM by user 927

# links for 2008-08-08 [delicious.com] « Praveen's Blog
