Preventing Cross-site scripting attacks using Microsoft Anti-Cross Site Scripting Library V3.0 (Anti-XSS V3.0)!

Syed Aslam Basha here from the Information Security Tools team.

Cross-site scripting is one of the biggest threats to web applications. I am not covering "what an attacker can do with cross-site scripting" here, but rather "how to prevent cross-site scripting attacks using Microsoft Anti-Cross Site Scripting Library V3.0 (Anti-XSS V3.0)".

What is Cross-Site Scripting (XSS)?

A website is vulnerable to XSS when untrusted input is written into a response without being encoded for the context in which it appears. Input validation helps, but it is output encoding that stops the browser from interpreting the data as markup or script. For example, the code below takes input from a textbox and embeds it in the response data without any validation or encoding.

using System;

public partial class _Default : System.Web.UI.Page
{
    protected void Button1_Click(object sender, EventArgs e)
    {
        String Input = TextBox1.Text;

        // XSS: untrusted request data is written to the response with no encoding
        Response.Write(Input);
    }
}

Set ValidateRequest to false in the page directive. ASP.NET request validation is on by default and would reject the <script> input with an HttpRequestValidationException before the click handler runs; it is turned off here only so that the vulnerable code path can be exercised. Request validation is a coarse blacklist on incoming data, not a substitute for output encoding.

<%@ Page Language="C#" AutoEventWireup="true"  CodeFile="Default.aspx.cs" Inherits="_Default" ValidateRequest="false" %>

Run the page in Visual Studio, enter <script>alert("Hello World")</script> in the textbox and click the button. The "Hello World" alert box shows that the page is vulnerable to XSS: the browser executed script that came straight from the request.

You can prevent XSS using the Microsoft Anti-Cross Site Scripting Library V3.0 (Anti-XSS V3.0). It is an output-encoding library that uses a white-listing technique: it first defines the set of characters that are allowed to pass through unchanged (letters, digits and a few punctuation characters) and encodes everything outside that set, which covers both invalid characters and anything an attacker could use to break out of the surrounding markup. This is the opposite of a black-list encoder such as HttpUtility.HtmlEncode, which escapes only a fixed short list of characters and trusts the rest.
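To make the white-list idea concrete, here is an added example (not code from the original post, and not the Anti-XSS library's own implementation) of a minimal white-list HTML encoder next to the framework's black-list encoder. It assumes a project referencing System.Web.dll for HttpUtility; the payload is the one used in the post. In real code use Microsoft.Security.Application.AntiXss rather than a hand-rolled encoder.

```csharp
// Added illustration of white-list encoding. NOT the Anti-XSS library source.
// Assumes a reference to System.Web.dll (for HttpUtility, used only as the
// black-list comparison).
using System;
using System.Text;
using System.Web;

static class WhiteListDemo
{
    // The allowed set: everything NOT in here is numerically encoded, so there is
    // no list of "dangerous" characters that can be incomplete.
    static bool IsSafe(char c)
    {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
            || c == ' ' || c == '.' || c == ',' || c == '-' || c == '_';
    }

    public static string HtmlEncodeWhiteList(string input)
    {
        if (input == null) return string.Empty;
        var sb = new StringBuilder(input.Length * 2);
        foreach (char c in input)
        {
            if (IsSafe(c)) sb.Append(c);
            else sb.Append("&#").Append((int)c).Append(';');   // e.g. '<' -> &#60;
        }
        return sb.ToString();
    }

    static void Main()
    {
        // Constructed sample payload, the same one typed into the textbox in the post.
        string payload = "<script>alert(\"Hello World\")</script>";

        // Black-list style: only a fixed list of characters (<, >, &, " and, in later
        // framework versions, ') is escaped; every other character is trusted.
        Console.WriteLine(HttpUtility.HtmlEncode(payload));

        // White-list style: only the allowed characters survive unencoded, so
        // ( ) " / and the like all become numeric entities.
        Console.WriteLine(HtmlEncodeWhiteList(payload));
    }
}
```

Both outputs render as the same visible text in the browser, because numeric entities decode to the original characters in HTML element content; the difference is that the white-list encoder never has to guess which characters an attacker might find useful.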

The above example can be rewritten and protected against XSS as follows:

using System;
using Microsoft.Security.Application;   // AntiXssLibrary.dll

public partial class _Default : System.Web.UI.Page
{
    protected void Button1_Click(object sender, EventArgs e)
    {
        String Input = TextBox1.Text;

        // Encode the untrusted input for the HTML element context, then write it
        Response.Write(AntiXss.HtmlEncode(Input));
    }
}

To use the Microsoft Anti-Cross Site Scripting Library properly to protect your ASP.NET web applications, you need to:

Step 1: Review the ASP.NET code that generates output

Step 2: Determine whether the output includes untrusted input parameters

Step 3: Determine the encoding method to use, based on the context in which the output appears (HTML body, HTML attribute, URL, JavaScript, VBScript or XML)

Step 4: Encode the output with that method at the point where it is written

Microsoft Anti-Cross Site Scripting Library has the following methods, one per output context. Pick the one that matches where the untrusted value is written; an encoder for the wrong context does not protect you.

  • HtmlAttributeEncode(String)
    Encodes input strings for use in HTML attribute values. Always put the attribute value in quotes as well.
    Example <hr noshade size="[Untrusted input]">

  • HtmlEncode(String)
    Encodes input strings for use in HTML element content.
    Example <a href="https://www.contoso.com">Click Here [Untrusted input]</a>

  • JavaScriptEncode(String)
    Encodes input strings for use as a JavaScript string value. The library emits the result as a quoted string literal, so use it where a string is expected and do not add your own quotes.
    Example <script type="text/javascript">

    var value = [Untrusted input];

    </script>

  • UrlEncode(String)
    Encodes input strings for use as a query-string parameter value in a universal resource locator (URL). Encode the individual parameter value, not the whole URL. Encoding is not validation: an untrusted value used as a complete URL must have its scheme checked separately, because encoding does not neutralise a javascript: link.
    Example <a href="https://search.msn.com/results.aspx?q=[Untrusted input]">Click Here!</a>

  • VisualBasicScriptEncode(String)
    Encodes input strings for use in Visual Basic Script.
    Example <script type="text/vbscript" language="vbscript">

    [Untrusted input]

    </script>

  • XmlAttributeEncode(String)
    Encodes input strings for use in XML attribute values.
    Example <xml_tag attribute="[Untrusted input]">Some Text</xml_tag>

  • XmlEncode(String)
    Encodes input strings for use in XML element content.
    Example <xml_tag>[Untrusted input]</xml_tag>

Two overloads take a code page as the Int32 argument and add Shift_JIS support for mobile browsers: multi-byte characters are encoded byte by byte in that code page (for example %NN%NN%NN in a URL). Windows code page 932 is Shift_JIS.

  • HtmlAttributeEncode(String, Int32)
    Encodes input strings for use in HTML attributes, using the given code page.
  • UrlEncode(String, Int32)
    Encodes input strings for use in universal resource locators (URLs), using the given code page.
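The following added example (not code from the original post or from the library) walks through steps 2 to 4 above for each output context the method list covers. It assumes a project referencing AntiXssLibrary.dll (Anti-XSS V3.0); the untrusted value is constructed here to stand in for TextBox1.Text, and the helper names (AsHtmlText, AsLink and so on) are this example's own.

```csharp
// Added example using the Anti-XSS V3.0 API. Assumes a reference to AntiXssLibrary.dll.
using System;
using Microsoft.Security.Application;

static class ContextEncodingDemo
{
    // Step 2: this value comes from the request and is untrusted (constructed sample).
    const string Untrusted = "\"><script>alert('Hello World')</script>";

    // Steps 3 and 4: one encoder per output context. Each method returns the
    // fragment that would be handed to Response.Write.

    // HTML element content
    public static string AsHtmlText(string s)
    {
        return "<span>" + AntiXss.HtmlEncode(s) + "</span>";
    }

    // HTML attribute value: quote the attribute AND encode the value
    public static string AsHtmlAttribute(string s)
    {
        return "<input type=\"text\" value=\"" + AntiXss.HtmlAttributeEncode(s) + "\" />";
    }

    // Query-string parameter: URL-encode the parameter value only, not the whole URL
    public static string AsQueryParameter(string s)
    {
        return "<a href=\"https://search.msn.com/results.aspx?q=" + AntiXss.UrlEncode(s) + "\">Click Here!</a>";
    }

    // JavaScript string value: the library emits a quoted literal, so no extra quotes here
    public static string AsJavaScriptValue(string s)
    {
        return "<script type=\"text/javascript\">var q = " + AntiXss.JavaScriptEncode(s) + ";</script>";
    }

    // XML attribute value and element content
    public static string AsXml(string s)
    {
        return "<user name=\"" + AntiXss.XmlAttributeEncode(s) + "\">" + AntiXss.XmlEncode(s) + "</user>";
    }

    // Shift_JIS (Windows code page 932) URL encoding for mobile browsers
    public static string AsShiftJisQueryParameter(string s)
    {
        return "https://search.msn.com/results.aspx?q=" + AntiXss.UrlEncode(s, 932);
    }

    // Encoding is not validation. A value used as a whole URL must have its scheme
    // checked first: attribute values are entity-decoded before the URL is
    // interpreted, so an encoded "javascript:" link would still run.
    public static string AsLink(string untrustedUrl)
    {
        Uri uri;
        if (!Uri.TryCreate(untrustedUrl, UriKind.Absolute, out uri)
            || (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps))
        {
            return "<a href=\"#\">(invalid link)</a>";
        }
        return "<a href=\"" + AntiXss.HtmlAttributeEncode(uri.AbsoluteUri) + "\">link</a>";
    }

    static void Main()
    {
        Console.WriteLine(AsHtmlText(Untrusted));
        Console.WriteLine(AsHtmlAttribute(Untrusted));
        Console.WriteLine(AsQueryParameter(Untrusted));
        Console.WriteLine(AsJavaScriptValue(Untrusted));
        Console.WriteLine(AsXml(Untrusted));
        Console.WriteLine(AsShiftJisQueryParameter("日本語"));
        Console.WriteLine(AsLink("javascript:alert(1)"));      // rejected by the scheme check
        Console.WriteLine(AsLink("https://www.contoso.com/"));  // accepted, then attribute-encoded
    }
}
```

The point of keeping one small method per context is that a code review (step 1) can then check each Response.Write against exactly one question: does the encoder named in the call match the markup the value lands in?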

MarkAnti-XSSOutput method

You can refer to more articles on Anti-XSS here 

  -Syed Aslam Basha ( syedab@microsoft.com )

Microsoft Information Security Tools (IST) Team

Test Lead

---------------------------------------------------------

Please leave a comment if the blog post has helped you.