ASP.NET Anti Cross-Site Scripting Attack Library Released by Dan Wahlin


By Dan Wahlin, November 20, 2010

Cross-Site Scripting (XSS) attacks can lead to many different problems depending upon what type of data a user is allowed to enter and what type of data is displayed in a Web page.  By using XSS attacks hackers can steal user data stored in cookies, potentially hijack a user's session, and trigger data to be sent to another site behind the scenes with some simple JavaScript code.

If you're collecting user input in a Web application (who isn't…that's one of the biggest uses of the Web) you definitely need to worry about XSS attacks, especially if you allow users to input data which is then displayed somewhere in a page at some point after it is submitted.  Examples would be forums, registration confirmation pages that show what the user entered, blogs, plus many others.  These days it's safe to say that all user data should be treated as untrusted, especially since bots and other programs can act like a human and submit fake data to try to find holes in an application.

Microsoft recently released a new anti-XSS library that makes it really simple to prevent different types of XSS attacks with a minimal amount of code.  The library's main class is called AntiXss and is capable of encoding data for many different output contexts, from HTML to query strings to XML.  A complete list of the different types of encodings it handles is shown below:

  • Html Encoding
  • Html Attribute Encoding
  • JavaScript Encoding
  • URL Encoding
  • Visual Basic Script Encoding
  • XML Encoding
  • XML Attribute Encoding

While you can certainly use built-in ASP.NET classes to handle XSS attacks and deal with the different encoding issues shown above, the AntiXss class makes it extremely simple to encode user input for output without having to know about various .NET classes and methods.  The methods available in the class are shown next:

namespace Microsoft.Application.Security
{
    public class AntiXss
    {
        public static string HtmlEncode(string s);
        public static string HtmlAttributeEncode(string s);
        public static string JavaScriptEncode(string s);
        public static string UrlEncode(string s);
        public static string VisualBasicScriptEncode(string s);
        public static string XmlEncode(string s);
        public static string XmlAttributeEncode(string s);
    }
}
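The point of having seven encoders is that the right one depends on where in the page the untrusted value lands. The following is an added example (not code from the post or from the AntiXss library) that renders one untrusted value in four different contexts, each with the matching encoder; it assumes the AntiXSSLibrary.dll assembly is referenced, that its namespace is Microsoft.Security.Application (the post's listing writes the namespace differently), and that the single-argument JavaScriptEncode emits the surrounding quotes itself.

```csharp
using System;
using Microsoft.Security.Application; // namespace assumed for the AntiXss assembly

public static class ProfileRenderer
{
    // Context 1: the value becomes an HTML text node.
    public static string Heading(string displayName)
    {
        return "<h1>Welcome, " + AntiXss.HtmlEncode(displayName) + "</h1>";
    }

    // Context 2: the value sits inside a quoted attribute value, where a stray
    // quote (not a '<') is what breaks out, so the attribute encoder is used.
    public static string SearchBox(string lastQuery)
    {
        return "<input type=\"text\" name=\"q\" value=\""
             + AntiXss.HtmlAttributeEncode(lastQuery) + "\" />";
    }

    // Context 3: the value becomes a JavaScript string literal in an inline
    // script. HtmlEncode would be the wrong tool here; JavaScriptEncode escapes
    // for the script parser and (assumed) wraps the result in quotes itself.
    public static string GreetingScript(string displayName)
    {
        return "<script type=\"text/javascript\">var user = "
             + AntiXss.JavaScriptEncode(displayName) + ";</script>";
    }

    // Context 4: the value is a query-string parameter inside an href. Encoding
    // is layered: URL-encode the parameter, then attribute-encode the whole
    // href because it is also an attribute value.
    public static string ProfileLink(string displayName)
    {
        string href = "/profile.aspx?name=" + AntiXss.UrlEncode(displayName);
        return "<a href=\"" + AntiXss.HtmlAttributeEncode(href) + "\">profile</a>";
    }

    public static void Main()
    {
        // Constructed sample inputs: a tag and a quote-breaking string, used only
        // to show that each context renders them as inert text.
        string tagInput = "<script>alert('hi')</script>";
        string quoteInput = "\" onmouseover=\"alert('hi')";
        Console.WriteLine(Heading(tagInput));
        Console.WriteLine(SearchBox(quoteInput));
        Console.WriteLine(GreetingScript(tagInput));
        Console.WriteLine(ProfileLink(quoteInput));
    }
}
```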

The ASP.NET XSS library can be downloaded from the following URL:
http://msdn2.microsoft.com/en-us/security/aa973814.aspx

An article discussing the fundamentals of threat modeling as well as how to use the AntiXss class in an ASP.NET page can be found here:
http://msdn2.microsoft.com/en-us/library/aa973813.aspx
