AntiXSS Library V3.0 - Test Harness

Hi, Anil Chintala here…

In this post I want to talk about the new Test Harness application that was released with the AntiXSS V3.0 Beta. It is a free download on MSDN, and its source code is available on CodePlex. The Test Harness was created to help users get started quickly, confirm that the library's encoding neutralises known XSS payloads, and measure the performance of AntiXSS V3.0 against the .NET Framework's own HTML encoding routine (HttpUtility.HtmlEncode).

The AntiXSS Test Harness is a Windows console application that automates two categories of tests: XSS validation tests and performance tests. When executed, it displays this console menu:

[screenshot: the Test Harness console menu]

The Performance Test Bench uses HTML encoding as its benchmark: it times the library's AntiXss.HtmlEncode(…) method against the .NET Framework's HttpUtility.HtmlEncode(…) method. Input strings containing a mix of safe and unsafe characters are used as the payload for the automated performance tests.

Choosing Option 1, the Performance Test Bench runs the performance tests and records, for each input:

  • the input string length

  • the encoded output string

  • and the total time taken to encode it.

During its run, the Performance Test Bench compares the execution times of HttpUtility.HtmlEncode and AntiXss.HtmlEncode and writes the results to an output file, as shown in this illustration:

[screenshot: performance test results file]

The XSS Validation Test Bench demonstrates that known cross-site scripting payloads are neutralised by encoding. These tests use a list of XSS exploit strings as their payload: the list is read from a text file, each payload is run through the library's HtmlEncode() method, and the encoded output is written to an output file. Keep in mind that HtmlEncode is the correct encoder only when the value is emitted as HTML element content; a value placed in an attribute, a script block or a URL needs the matching encoder (HtmlAttributeEncode, JavaScriptEncode, UrlEncode), and the validation tests described here exercise HtmlEncode only.

When Option 2 is selected from the console menu, the Test Harness runs the XSS validation tests and produces the following output file:

[screenshot: XSS validation results file]
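To show what the two test benches boil down to, here is a small stand-alone C# console harness in the same spirit. It is an added example written for this post, not the Test Harness code shipped on CodePlex. It assumes the AntiXSS 3.0 assembly (namespace Microsoft.Security.Application) and System.Web are referenced; the payload file name, the output file names and the sample strings are assumptions. The validation step goes one step beyond simply writing the encoded output: it flags any result that still contains a raw `<`, `>`, `"` or `'`, or an `&` that does not start an entity, since such a result would mean the payload was not neutralised for HTML element content.

```csharp
// Added example: a minimal console harness modelled on the AntiXSS Test
// Harness. Not the original CodePlex code. Assumes AntiXSS 3.0 and System.Web
// are referenced; file names and sample inputs are assumptions.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Text.RegularExpressions;
using System.Web;
using Microsoft.Security.Application;

static class MiniHarness
{
    // Characters that must never appear raw when output is HTML element content.
    static readonly char[] RawHtmlChars = { '<', '>', '"', '\'' };

    // An '&' is acceptable only as the start of an entity such as &lt; or &#39;.
    static readonly Regex BareAmpersand = new Regex("&(?!#?[A-Za-z0-9]+;)");

    // Option 1: time both encoders over the same inputs and write a CSV row
    // per input (length, .NET milliseconds, AntiXSS milliseconds).
    static void PerformanceBench(IList<string> inputs, int iterations, TextWriter results)
    {
        results.WriteLine("InputLength,HttpUtility.HtmlEncode ms,AntiXss.HtmlEncode ms");
        foreach (string input in inputs)
        {
            Stopwatch sw = Stopwatch.StartNew();
            for (int i = 0; i < iterations; i++) HttpUtility.HtmlEncode(input);
            long dotNetMs = sw.ElapsedMilliseconds;

            sw = Stopwatch.StartNew();
            for (int i = 0; i < iterations; i++) AntiXss.HtmlEncode(input);
            long antiXssMs = sw.ElapsedMilliseconds;

            results.WriteLine("{0},{1},{2}", input.Length, dotNetMs, antiXssMs);
        }
    }

    // True if the encoded string could still be interpreted as markup.
    static bool LeaksMarkup(string encoded)
    {
        return encoded.IndexOfAny(RawHtmlChars) >= 0 || BareAmpersand.IsMatch(encoded);
    }

    // Option 2: encode each payload, record PASS/FAIL with the encoded output,
    // and return the number of payloads that were not neutralised.
    static int ValidationBench(IEnumerable<string> payloads, TextWriter results)
    {
        int failures = 0;
        foreach (string payload in payloads)
        {
            if (payload.Length == 0) continue;
            string encoded = AntiXss.HtmlEncode(payload);
            bool leaked = LeaksMarkup(encoded);
            if (leaked) failures++;
            results.WriteLine("{0}\t{1}\t{2}", leaked ? "FAIL" : "PASS", payload, encoded);
        }
        return failures;
    }

    static void Main(string[] args)
    {
        // Constructed inputs mixing safe and unsafe characters (assumed data).
        string[] inputs =
        {
            "plain text with no special characters",
            "<b>bold</b> & \"quoted\" 'text'",
            new string('<', 500) + new string('a', 500),
        };

        // Constructed XSS payloads used when no payload file is present (assumed data).
        string[] payloads =
        {
            "<script>alert(1)</script>",
            "\"><img src=x onerror=alert(1)>",
            "<a href=\"javascript:alert(1)\">x</a>",
        };
        string payloadFile = "xss-payloads.txt";   // assumed file name, one payload per line
        if (File.Exists(payloadFile)) payloads = File.ReadAllLines(payloadFile);

        using (StreamWriter perf = new StreamWriter("performance-results.csv"))
        {
            PerformanceBench(inputs, 100000, perf);
        }

        int failures = 0;
        using (StreamWriter val = new StreamWriter("validation-results.txt"))
        {
            failures = ValidationBench(payloads, val);
        }
        Console.WriteLine("Validation: {0} payload(s) left markup characters unencoded.", failures);
    }
}
```

Run it once with the built-in payloads and again with your own xss-payloads.txt to extend the list. The third sample payload is a reminder of the context caveat: HtmlEncode renders it harmless as element content, but if the same string were written into an href attribute, HtmlAttributeEncode and UrlEncode would be the encoders to test.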

The Test Harness application provides a framework for automating XSS validation and performance evaluation. Its primary objective is to help developers and testers get started quickly and test the AntiXSS library for both. Because the source code is available on CodePlex, advanced users can also extend the automated tests to their own requirements.

Thanks and more later…