Wednesday, October 31, 2012

Anti-Cross Site Scripting (Anti XSS) Library

Microsoft Anti XSS Library:

AntiXSS helps you protect your current applications from cross-site scripting attacks, while also helping you protect your legacy applications through its Security Runtime Engine. Built on customer and partner feedback, AntiXSS incorporates thoroughly rethought features, offering you a newer, more powerful defence against the commonly employed cross-site scripting (XSS) attack. AntiXSS gives you:

Improved Performance. AntiXSS has been completely rewritten with performance in mind, and yet retains the fundamental protection from XSS attacks that you have come to rely on for your applications.
Secure Globalization. The web is a global market place, and cross-site scripting is a global issue. An attack can be coded anywhere, and Anti-XSS now protects against XSS attacks coded in dozens of languages.
Standards Compliance. AntiXSS is written to comply with modern web standards. You can protect your web application without adversely affecting its UI.
A Solid Foundation for Developers

Anti-XSS is a powerful tool in the Microsoft toolbox that mitigates XSS risks. Additionally, Anti-XSS provides a consistent level of security allowing you to focus on solving business problems and not on security problems.

No matter your development experience level, its online documentation, example code, unit tests, and calling schemes make it easy for you to know how to protect your applications from XSS attacks. Additionally, a performance data sheet helps you plan your secure deployment with full knowledge of how AntiXSS will likely perform in your environment.

http://msdn.microsoft.com/en-us/security/aa973814.aspx
http://www.microsoft.com/en-us/download/details.aspx?id=28589


Using AntiXSS

Now that you've determined which scenarios require encoding, all that is left to do is add the Microsoft Anti-Cross Site Scripting Library to your project and encode the untrusted input as it is embedded in response data. After you've installed the library you need to add a reference to it in your project. To do this, use the following steps:
  1. Right-click the project in the Solution Explorer window in Visual Studio.
  2. Select the Add Reference ... option from the context menu.
  3. Select the Browse tab, navigate to the installation directory, and add the AntiXSSLibrary.dll appropriate for the .NET Framework version you are using.
If you have not changed the install directory, the library will be in C:\Program Files\Microsoft Information Security\AntiXSS Library v4.2 (32-bit OSes) or C:\Program Files (x86)\Microsoft Information Security\AntiXSS Library v4.2 (64-bit OSes). This folder contains 3 directories, one for each version of the .NET Framework that AntiXSS supports.
Once you've added the reference to the library you will need to adjust your code to use the appropriate encoder. To do this, open the files that contain code which writes output, then:
  1. Add a using directive: using Microsoft.Security.Application;
  2. Change the code which assigns output; for example
    string Name = Request.QueryString["Name"];
    would become
    string Name = Encoder.HtmlEncode(Request.QueryString["Name"]);
Now rebuild your web application and test for XSS.
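As an added example (it is not code from the original post or from the AntiXSS package), the same untrusted Request.QueryString values embedded in four different output contexts, each with the matching Encoder method from Microsoft.Security.Application; the page class, the parameter names and the markup are assumed for illustration.

```csharp
// Added example; not code from the original post or the AntiXSS distribution.
// Assumes a project referencing AntiXSSLibrary.dll v4.2; the parameter names,
// page class and markup below are constructed for illustration.
using System;
using System.Web.UI;
using Microsoft.Security.Application;

public static class ProfileMarkup
{
    // Builds a fragment of response HTML from two untrusted values, choosing the
    // AntiXSS encoder for the exact context each value is written into.
    public static string Render(string name, string site)
    {
        name = name ?? string.Empty;
        site = site ?? string.Empty;

        // HTML body: HtmlEncode entity-encodes every character outside its
        // allow-list, so any markup inside 'name' is rendered as text, not parsed.
        string heading = "<h1>Hello, " + Encoder.HtmlEncode(name) + "</h1>";

        // HTML attribute: HtmlAttributeEncode additionally encodes the space,
        // so the value cannot break out of the attribute it sits in.
        string field = "<input name=\"Name\" value=\""
                     + Encoder.HtmlAttributeEncode(name) + "\">";

        // Query-string value: UrlEncode. The path is a constant we control, so
        // the untrusted value can only ever be a parameter, never a new scheme.
        string link = "<a href=\"/profile?site=" + Encoder.UrlEncode(site) + "\">site</a>";

        // JavaScript string literal: JavaScriptEncode escapes quotes, '<', '/'
        // and non-ASCII as \xNN or \uNNNN and emits the surrounding quotes
        // itself, so no quotes are added around it here.
        string script = "<script>var who = " + Encoder.JavaScriptEncode(name) + ";</script>";

        return heading + field + link + script;
    }
}

public partial class Profile : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Request values are untrusted input: encode them at the point they are
        // embedded in the response, not when they are read.
        string html = ProfileMarkup.Render(Request.QueryString["Name"],
                                           Request.QueryString["Site"]);
        Response.Write(html);
    }
}
```

Using Encoder.HtmlEncode alone for the attribute, href and script positions would leave those contexts exposed, which is why the encoder is chosen per context rather than once per value.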
