Difference between Microsoft Anti-XSS library and Anti-XSS Security Runtime Engine

Syed Aslam Basha here from the Information Security Tools team.

The Anti-XSS library and the Anti-XSS Security Runtime Engine (SRE) both protect your website against Cross-Site Scripting (XSS) attacks. The difference lies in their usage, implementation and support for different controls.

  1. The Anti-XSS Library provides a set of encoding methods that you call from your own code to protect your application (for more details, see my blog post "How to prevent XSS attacks using Microsoft Anti-XSS library" here).
    SRE is an HTTP module that sits below the application and encodes data on the server side. That means any ASP.NET control which is configured in the AntiXssModule.config file and which has the runat="server" attribute set can be encoded by the SRE (for more details, see my blog post "How to prevent XSS using Anti-XSS SRE" here).
  2. The Response.Write() method writes text directly to the response stream. SRE encodes control data in the Page.PreRender event; because Response.Write() can be invoked either before or after PreRender, SRE cannot intercept these calls and therefore cannot encode the data. You can mitigate Response.Write() vulnerabilities with the Anti-XSS library, for example: Response.Write(AntiXss.HtmlEncode(untrustedInput));
  3. SRE supports suppression and file-based exclusion of control encoding.
  4. If you don't want to touch and rebuild your code, or to mitigate manually, SRE is the way to go.
  5. The AntiXss methods can be used wherever SRE might fail to encode a control for any reason, for example the Response.Write() case above or any custom controls.
  6. SRE can save time: it is a one-time, three-step process to address XSS, whereas with the Anti-XSS library you need to recode the entire code base.
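The Response.Write() case from item 2 side by side with a control SRE does handle, as an added example written for this post (not code from the original post or from the Anti-XSS library itself). It assumes a page whose markup declares a Label with ID "GreetingLabel" and runat="server", that Label/Text is configured in AntiXssModule.config, and an untrusted "name" query-string parameter; it goes slightly beyond the post by also showing the attribute-context encoder the library provides.

```csharp
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using Microsoft.Security.Application; // Anti-XSS library: static AntiXss class

// Constructed example: code-behind for a page whose .aspx declares
//   <asp:Label ID="GreetingLabel" runat="server" />
// and sets Inherits="GreetingPage". The protected field below is assigned
// by the page class ASP.NET generates from the markup.
public class GreetingPage : Page
{
    protected Label GreetingLabel; // hypothetical control name

    protected void Page_Load(object sender, EventArgs e)
    {
        // Untrusted input straight from the request, e.g.
        //   ?name=<script>alert(1)</script>
        string untrustedName = Request.QueryString["name"] ?? string.Empty;

        // Case 1: a runat="server" control. With Label/Text configured in
        // AntiXssModule.config, SRE encodes this value during Page.PreRender,
        // so the code-behind does not have to encode it itself.
        GreetingLabel.Text = untrustedName;

        // Case 2, vulnerable: Response.Write() bypasses the control tree and
        // writes to the response stream, so SRE never sees the value. The raw
        // markup would be reflected to the browser and the script would run.
        // Response.Write("<p>Hello, " + untrustedName + "</p>");

        // Case 2, mitigated: encode explicitly with the Anti-XSS library.
        // HtmlEncode is for HTML body text; it renders <, >, &, " and ' as
        // entities so the input is displayed literally instead of parsed.
        Response.Write("<p>Hello, " + AntiXss.HtmlEncode(untrustedName) + "</p>");

        // Encoding is context-specific: a value placed inside a quoted
        // attribute uses HtmlAttributeEncode, not HtmlEncode.
        Response.Write("<input type=\"text\" name=\"name\" value=\""
            + AntiXss.HtmlAttributeEncode(untrustedName) + "\" />");
    }
}
```

A quick check while testing: request the page with the script payload above, view the served HTML source, and confirm that both the Label output and the Response.Write() output contain `&lt;script&gt;` rather than a live `<script>` tag.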

You can refer to more articles on Anti-XSS here.

-Syed Aslam Basha ( syedab@microsoft.com )

Microsoft Information Security Tools (IST) Team

Test Lead

---------------------------------------------------------

Please leave a comment if the blog post has helped you.