Microsoft Releases new Anti-XSS tool
Microsoft just released a new Anti-XSS tool that works with .NET Framework 1.0, 1.1 and 2.0. Any time you echo user input back to a web page you are susceptible to either persistent or non-persistent cross-site scripting attacks. You can download the tool from:
So what was wrong with using System.Web.HttpUtility.HtmlEncode? The problem with the HttpUtility class is that it takes a deny-list approach (I covered the downside of that approach in an earlier post) rather than an accept-only approach. Because it works from a deny list, HttpUtility.HtmlEncode only encodes the following characters and lets everything else through untouched:
- <
- >
- &
- "
- Characters with values 160-255 inclusive
The Microsoft Anti-XSS tool follows an accept-only approach: it recognises a finite set of characters as safe and encodes everything else. This gives more comprehensive protection against XSS and removes most of the room for canonicalization attacks, where an alternate representation of a dangerous character slips past the deny list in HttpUtility.HtmlEncode.
You will find that the Anti-XSS tool works much like HttpUtility.HtmlEncode:
- AntiXSSLibrary.HtmlEncode(string)
- AntiXSSLibrary.URLEncode(string)
Now all characters will be encoded except for:
- a-z (lower case)
- A-Z (upper case)
- 0-9 (Numeric values)
- , (Comma)
- . (Period)
- _ (Underscore)
- - (dash)
- (Space), except in URLEncode, which encodes spaces as well
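To make the difference concrete, here is an added example (my own code, not from the original post and not the Anti-XSS library itself) that models the two character policies exactly as the post lists them: a deny list that only touches <, >, &, " and code points 160-255, and an accept list that passes only a-z, A-Z, 0-9, comma, period, underscore, dash and space. The output form (decimal numeric references, percent-encoded UTF-8 bytes for URLEncode) and the single-quoted attribute template are my assumptions for the demonstration. The payload is constructed; it contains none of the deny-listed characters, so it shows the gap the post is pointing at: the apostrophe is not on the deny list, while the accept list encodes it like everything else.

```python
# Added example: a model of the two encoding policies described in the post.
# It is not the .NET HttpUtility or AntiXSSLibrary code; it reproduces the
# character rules the post lists so the two approaches can be compared offline.
import re

# Deny-list policy as the post describes HttpUtility.HtmlEncode:
# only <, >, &, " and code points 160-255 are encoded; everything else passes.
_DENY_LIST = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;"}


def denylist_html_encode(s: str) -> str:
    out = []
    for ch in s:
        if ch in _DENY_LIST:
            out.append(_DENY_LIST[ch])
        elif 160 <= ord(ch) <= 255:
            out.append(f"&#{ord(ch)};")  # assumed output form for this range
        else:
            out.append(ch)  # anything not on the list is trusted as-is
    return "".join(out)


# Accept-only policy as the post describes the Anti-XSS HtmlEncode:
# letters, digits, comma, period, underscore, dash and space pass through;
# every other character is replaced by a numeric character reference (assumed form).
_HTML_SAFE = re.compile(r"[A-Za-z0-9,._\- ]")


def acceptlist_html_encode(s: str) -> str:
    return "".join(ch if _HTML_SAFE.fullmatch(ch) else f"&#{ord(ch)};" for ch in s)


# Same accept list for URLEncode, minus the space, which the post says is encoded.
# Characters outside the list become percent-encoded UTF-8 bytes (assumed form).
_URL_SAFE = re.compile(r"[A-Za-z0-9,._\-]")


def acceptlist_url_encode(s: str) -> str:
    out = []
    for ch in s:
        if _URL_SAFE.fullmatch(ch):
            out.append(ch)
        else:
            out.extend(f"%{b:02X}" for b in ch.encode("utf-8"))
    return "".join(out)


def render_attr(encoder, value: str) -> str:
    """Hypothetical page fragment that echoes user input inside a single-quoted
    attribute. With a deny list that has no entry for the apostrophe, the input can
    close the attribute and start a new one."""
    return f"<input value='{encoder(value)}'>"


# Constructed payload: no <, >, &, or " in it, so the deny list never fires.
PAYLOAD = "' onmouseover='alert(1)"


def attribute_injected(html: str) -> bool:
    """True if the payload escaped the value attribute and became an event handler."""
    return "onmouseover='alert(1)'" in html


if __name__ == "__main__":
    for name, enc in (("deny-list", denylist_html_encode),
                      ("accept-list", acceptlist_html_encode)):
        html = render_attr(enc, PAYLOAD)
        print(f"{name:12} {html}  injected={attribute_injected(html)}")
```

Run it and the deny-list rendering comes out as `<input value='' onmouseover='alert(1)'>`, a live event handler, while the accept-list rendering keeps the whole payload inside the attribute because the apostrophe, equals sign and parentheses are all encoded. The point is not that these specific characters are magic; it is that a deny list has to anticipate every context-breaking character, and an accept list does not.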
This is a must-have download!
Comments
Anonymous
February 23, 2006
Dan's recent post reminded me that Microsoft has been doing some interesting work lately in the field of Anti-XSS. They have even released a new tool today called the Microsoft Anti-Cross Site Scripting Library V1.0 which can be used to provide comprehensive
Anonymous
February 23, 2006
If I install this on a machine with both .Net 2.0 and 1.1 it seems to only install the 2.0 assembly.
Is there a way I can get the 1.1 assembly?
Anonymous
February 23, 2006
5 Tips for Enjoying the Software Development Profession [Via: dforbes@yafla.com ]
ASP.NET 2.0 Wizard...
Anonymous
February 26, 2006
PingBack from http://vinny.wordpress.com/2006/02/25/links-for-2006-02-25/
Anonymous
March 02, 2006
Hi Luke,
I just found out that the current binary of the Anti-XSS tool only supports .NET Fx 2.0. However, they will be releasing a new binary shortly that will support .NET Fx 1.1 and 1.0.
Anonymous
March 07, 2006
In a recent post I mentioned that Microsoft released a new Anti-Cross Site Scripting Tool. However,...
Anonymous
March 07, 2006
In a recent post I mentioned that Microsoft released a new Anti-Cross Site Scripting Tool. ...
Anonymous
March 13, 2006
To minimize the threat of Cross Site scripting attacks ASP.NET 1.1 introduced the ValidateRequest="true"...
Anonymous
June 09, 2008
PingBack from http://jacobnewssite.977mb.com/user927.html
Anonymous
August 08, 2008
PingBack from http://dotnetwitter.wordpress.com/2008/08/08/links-for-2008-08-08-deliciouscom/