What’s the difference between IOSEC and the Microsoft Anti-Cross Site Scripting Library?


Some users who have been using IOSEC, our internal library for defending against cross-site scripting (XSS) attacks, may be wondering what’s the difference between that library and the Microsoft Anti-Cross Site Scripting Library V1.0 at http://www.microsoft.com/downloads/details.aspx?FamilyID=9A2B9C92-7AD9-496C-9A89-AF08DE2E5982&displaylang=en.  



The IOSEC library currently implements encoding protection against XSS attacks conducted through vectors such as HTML, URLs, JavaScript, HtmlAttributes and Visual Basic Script.  The Anti-Cross Site Scripting Library currently provides protection for a subset of those vectors.  Here’s the break down:


 




























XSS Attack Vector


IOSEC


Anti-Cross Site Scripting Library


Html


X


X


URL


X


X


Html Attribute


X


 


JavaScript


X


 


Visual Basic Script


X


 


 


In the 1.0 release of the Anti-Cross Site Scripting Library, only the code to do html and url encoding was provided.  In the coming weeks we’ll be porting the full capabilities of IOSEC, some safe .NET controls to use in web applications plus some feedback from the community to the Anti-Cross Site Scripting Library V1.5.  Check back soon for that release! 


 


Thanks,


 


Kevin Lam


Senior Security Technologist


Application Consulting & Engineering (ACE) Team

Comments (9)

  1. Anonymous says:

    Hi, I’m found this almost by accident.  Do you have more information on exactly what this does?  I’m an XSS researcher and would like any information you could provide.  My email address is on my site.

  2. Anonymous says:

    Recently, Microsoft released the latest update to Anti-Cross Site Scripting tool which is part of a bigger…

  3. Anonymous says:

    Hello!

    I have downloaded Microsoft Anti-Cross Site Scripting Library V1.0, and have a question.

    As I could understand from the documentation, you suggest to use these functions instead of System.Web.HttpUtility methods.

    But I just cannot imagine an attack that shall be prevented by using Anti-XSS library and shall not be prevented by using System.Web.HttpUtility methods!

    Can you give an example? Why not using standard methods?

  4. Anonymous says:

    Microsoft の XSS 対策用 .NET ライブラリ第一弾 (Microsoft Anti-Cross Site Scripting Library V1.0)

  5. Anonymous says:

    [ASP.NET]Microsoft の XSS 対策用 .NET ライブラリ第一弾 (Microsoft Anti-Cross Site Scripting Library V1.0)

  6. Anonymous says:

    [ASP.NET]Microsoft の XSS 対策用 .NET ライブラリ第一弾 (Microsoft Anti-Cross Site Scripting Library V1.0)

  7. Anonymous says:

    The problem

    Back when ASP.NET was first introduced, I had pretty high hopes that the new controls would…

  8. Anonymous says:

    The problem Back when ASP.NET was first introduced, I had pretty high hopes that the new controls would