ASP.NET Anti Cross-Site Scripting Attack Library Released by Dan Wahlin
Cross-Site Scripting (XSS) attacks can lead to many different problems depending upon what type of data a user is allowed to enter and where that data is displayed in a Web page. By using XSS attacks, hackers can steal user data stored in cookies, potentially hijack a user's session, and trigger data to be sent to another site behind the scenes with a few lines of JavaScript.
If you're collecting user input in a Web application (who isn't…that's one of the biggest uses of the Web) you definitely need to worry about XSS attacks, especially if you allow users to input data which is then displayed somewhere in a page at some point after it is submitted. Examples would be forums, registration confirmation pages that show what the user entered, blogs, plus many others. These days it's safe to say that all user data should be treated as untrusted, especially since bots and other programs can act like a human and submit fake data to try to find holes in an application.
Microsoft recently released a new anti-XSS library that makes it really simple to prevent different types of XSS attacks with a minimal amount of code. The library's main class is called AntiXss and encodes untrusted data for the context it is about to be written into, whether that is HTML content, an HTML attribute, a QueryString value, a JavaScript string or XML. A complete list of the encodings it handles is shown below:
- Html Encoding
- Html Attribute Encoding
- JavaScript Encoding
- URL Encoding
- Visual Basic Script Encoding
- XML Encoding
- XML Attribute Encoding
While you can certainly use built-in ASP.NET classes such as HttpUtility.HtmlEncode and HttpUtility.UrlEncode to deal with the encoding issues shown above, the AntiXss class makes it extremely simple to encode output without having to know about various .NET classes and methods. Two points are worth keeping in mind: the encoding has to match the context the data is written into (HtmlEncode is not sufficient for a value placed inside a JavaScript string or a URL), and encoding on output is what actually stops the attack, so ASP.NET's request validation (ValidateRequest) should be treated as a backstop rather than a substitute. The methods available in the class are shown next:
namespace Microsoft.Application.Security
{
    public class AntiXss
    {
        public static string HtmlEncode(string s);
        public static string HtmlAttributeEncode(string s);
        public static string JavaScriptEncode(string s);
        public static string UrlEncode(string s);
        public static string VisualBasicScriptEncode(string s);
        public static string XmlEncode(string s);
        public static string XmlAttributeEncode(string s);
    }
}
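To show why the encoder has to be chosen per context, here is an added example (not code from the original post or from the library itself) that renders one untrusted value into four different positions of a page fragment, first unencoded and then through the AntiXss methods listed above. It is written as a console program rather than an .aspx page so it can be run with nothing more than a reference to the AntiXss assembly; the namespace is the one shown on this page, and the payload string is constructed for the demo.

```csharp
// Added example, not from the original post: contextual output encoding
// with the AntiXss class. Assumes the AntiXss assembly is referenced and
// uses the namespace shown in the listing above (verify it against the
// assembly you download). The payload below is constructed for the demo.
using System;
using Microsoft.Application.Security;

public class AntiXssDemo
{
    // VULNERABLE: the same user-supplied value dropped straight into four
    // different contexts (HTML body, attribute, JavaScript string, URL).
    public static string RenderUnsafe(string name)
    {
        return
            "<p>Hello, " + name + "</p>\n" +
            "<input type=\"text\" value=\"" + name + "\" />\n" +
            "<script>var user = '" + name + "';</script>\n" +
            "<a href=\"profile.aspx?user=" + name + "\">profile</a>\n";
    }

    // HARDENED: identical markup, but each insertion point is encoded for
    // the context it lands in. HtmlEncode alone would leave the attribute,
    // script and URL positions open.
    public static string RenderSafe(string name)
    {
        return
            "<p>Hello, " + AntiXss.HtmlEncode(name) + "</p>\n" +
            "<input type=\"text\" value=\"" + AntiXss.HtmlAttributeEncode(name) + "\" />\n" +
            // Assumption to check: some builds of the library return the
            // JavaScript-encoded value already wrapped in quotes. If yours
            // does, drop the surrounding single quotes on this line.
            "<script>var user = '" + AntiXss.JavaScriptEncode(name) + "';</script>\n" +
            "<a href=\"profile.aspx?user=" + AntiXss.UrlEncode(name) + "\">profile</a>\n";
    }

    public static void Main()
    {
        // Constructed payload: the double quote closes the attribute, the
        // single quote closes the JavaScript string, and the tag that follows
        // runs in the HTML body and URL contexts.
        string payload = "\"'><script>alert(document.cookie)</script>";

        Console.WriteLine("--- unencoded (script executes) ---");
        Console.WriteLine(RenderUnsafe(payload));

        Console.WriteLine("--- AntiXss encoded (rendered as text) ---");
        Console.WriteLine(RenderSafe(payload));
    }
}
```

In a real page the value would come from Request.QueryString or Request.Form rather than a literal, and the same rule applies: pick the encoder by where the string is being written, not by where it came from.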
The Anti-XSS library can be downloaded from the following URL:
http://msdn2.microsoft.com/en-us/security/aa973814.aspx
An article discussing the fundamentals of threat modeling as well as how to use the AntiXss class in an ASP.NET page can be found here:
http://msdn2.microsoft.com/en-us/library/aa973813.aspx