This Blog URL Has Changed – Please Update Your Readers

Things have been quiet on the blog for a while. There is a LOT of code being cranked out at the moment as we work towards some deadlines in the summer on various projects. Our team name has also changed from the Connected Information Security Group (CISG) to the Microsoft IT Information Security Tools Team. This…


Getting Help for CAT.NET and Anti-XSS

We now have discussion forums for users of CAT.NET and Anti-XSS. There is no official support for these tools, but you can ask questions and we will try to help wherever we can! Forums: CAT.NET, Anti-XSS.


AntiXSS Library V3.0 – Test Harness

Hi, Anil Chintala here… In this post I wanted to talk about the new Test Harness application, which was released as part of the AntiXSS V3.0 Beta and is available as a free download on MSDN, with source code available for download on CodePlex. The Test Harness application was created to help users quickly…


CAT.NET CTP Links Are Live Again!

Download CAT.NET CTP (32-bit here and 64-bit here). Anti-XSS was not affected, but for completeness: download Anti-XSS 3.0 Beta (here, and source code here). Our sincere apologies.


How the Anti-XSS 3.0 SRE Works

RV again… Last time around we looked at SRE from a conceptual perspective; this time let's look at it from a code perspective. Let's trace the program flow and understand in depth what the SRE code does. SRE is an HttpModule: the main class, in AntiXssModule.cs, implements IHttpModule. In the Init() method of the HttpModule…
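To make the pattern concrete, here is an added illustration of a module built the way the post describes SRE: an IHttpModule whose Init() hooks the pipeline and rewrites control output before the page renders. This is not the AntiXSS 3.0 SRE source; the class and handler names are hypothetical, and which events and control properties are hooked is my choice for the example. The events themselves (PreRequestHandlerExecute, Page.PreRender) are standard ASP.NET, and AntiXss.HtmlEncode is the AntiXSS 3.0 encoder.

```csharp
// Added illustration, not the AntiXSS 3.0 SRE source. Class and handler
// names are hypothetical; the events used are standard ASP.NET ones.
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using Microsoft.Security.Application;   // AntiXss.HtmlEncode (AntiXSS 3.0)

public class AutoEncodeModule : IHttpModule
{
    public void Init(HttpApplication context)
    {
        // Fires once the handler for the request exists but before it runs,
        // so we can find out whether this request is a WebForms Page at all.
        context.PreRequestHandlerExecute += OnPreRequestHandlerExecute;
    }

    public void Dispose() { }

    private static void OnPreRequestHandlerExecute(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        var page = app.Context.Handler as Page;
        if (page == null)
        {
            return;  // not a Page (e.g. an .ashx handler): nothing to encode
        }
        // By PreRender the page's own code (Page_Load, data binding, event
        // handlers) has already assigned the Text properties, so this is the
        // last point at which they can be rewritten before Render() runs.
        page.PreRender += (s, args) => EncodeTree(page);
    }

    // Recursive walk over the control tree. Only properties that ASP.NET
    // renders raw are touched; TextBox.Text, for example, is already
    // attribute-encoded by the control itself.
    private static void EncodeTree(Control root)
    {
        foreach (Control child in root.Controls)
        {
            // Exact type check: validators derive from Label, and their
            // Text/ErrorMessage are the page author's own markup.
            if (child.GetType() == typeof(Label))
            {
                var label = (Label)child;
                label.Text = AntiXss.HtmlEncode(label.Text);
            }
            else if (child is Literal)
            {
                var literal = (Literal)child;
                if (literal.Mode != LiteralMode.Encode)  // already encodes itself
                {
                    literal.Text = AntiXss.HtmlEncode(literal.Text);
                }
            }
            else if (child is HyperLink)
            {
                var link = (HyperLink)child;
                link.Text = AntiXss.HtmlEncode(link.Text);
            }

            if (child.HasControls())
            {
                EncodeTree(child);
            }
        }
    }
}
```

The module is switched on by configuration alone, which is the point of the SRE approach: an `<add name="AutoEncodeModule" type="AutoEncodeModule" />` entry under `<httpModules>` (or under `<system.webServer><modules>` in IIS 7 integrated mode) and no page code changes. The caveat a practitioner should expect: a page that already encodes a value, or deliberately puts markup into a Label, now gets it encoded a second time (`<` shows up as `&lt;` on screen), so any real deployment needs a way to exclude specific pages or controls from the walk.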


A Sneak Peek at the Security Runtime Engine

RV here again… Traditionally, security fixes are applied to the specific pieces of code where a vulnerability exists, which usually involves some development and testing effort. Imagine a system where an application is instantly secured by simple configuration. I am specifically talking about ASP.NET applications, where cross-site scripting and SQL injection are some of the…


ASP.NET Data Binding and AntiXss Encoding

Hi, RV here again… Last time I looked at ASP.NET controls and a few common scenarios where you need to use encoding. A couple of weeks back we looked at a sample data binding scenario. This time let's look exclusively at various ASP.NET data binding techniques and how to use AntiXss to encode the output. Scenario #1:…


Which ASP.NET Controls Need HTML Encoding?

RV here… Last time we saw some real-world XSS examples. This time we will look at which common ASP.NET controls require encoding. Some controls in ASP.NET automatically encode certain properties when rendered, but not all controls do. We looked at ASP.NET controls during AntiXss development, and here are some common controls…


Real World XSS Vulnerabilities in ASP.NET Code

RV here again… For the past couple of weeks we have been looking at XSS vulnerabilities in code. Today I wanted to show you some real-world examples, ranging from property assignments to data binding and JavaScript building. For each example I will offer both the vulnerability and the mitigation, which is very useful in self-reviews….
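The three patterns this post names (property assignment, data binding, JavaScript building), together with the data-binding case from the ASP.NET Data Binding post and the encodes-or-not distinction from the controls post above, as one added example that is not code from the original posts. The page class ProfilePage, the control IDs, the UserRow type and the sample rows are assumptions made for the example; the encoder calls are the AntiXSS 3.0 API (Microsoft.Security.Application.AntiXss).

```csharp
// Added example, not code from the original posts. Page, control IDs, data
// type and sample rows are hypothetical. Assumed markup in ProfilePage.aspx:
//   <asp:Label    ID="Greeting" runat="server" />
//   <asp:TextBox  ID="Search"   runat="server" />
//   <asp:Repeater ID="Users"    runat="server" OnItemDataBound="Users_ItemDataBound">
//     <ItemTemplate><li><asp:Literal ID="Name" runat="server" /></li></ItemTemplate>
//   </asp:Repeater>
using System;
using System.Collections.Generic;
using System.Web.UI;
using System.Web.UI.WebControls;
using Microsoft.Security.Application;   // AntiXss.HtmlEncode / JavaScriptEncode

public partial class ProfilePage : Page
{
    public class UserRow
    {
        public string DisplayName { get; set; }
    }

    // Constructed sample data standing in for a database result; the second
    // row is the kind of value an attacker stores through a profile form.
    private static readonly List<UserRow> SampleUsers = new List<UserRow>
    {
        new UserRow { DisplayName = "alice" },
        new UserRow { DisplayName = "<img src=x onerror=alert(document.cookie)>" },
    };

    protected void Page_Load(object sender, EventArgs e)
    {
        string name = Request.QueryString["name"] ?? "";

        // 1. Property assignment. Label renders Text verbatim, so this is XSS:
        //    Greeting.Text = "Hello " + name;
        Greeting.Text = "Hello " + AntiXss.HtmlEncode(name);

        // TextBox renders Text inside its value="" attribute and encodes it,
        // so no call is needed here; encoding it anyway shows "&lt;" to the user.
        Search.Text = name;

        // 2. Data binding: each bound value is encoded in Users_ItemDataBound.
        Users.DataSource = SampleUsers;
        Users.DataBind();

        // 3. JavaScript building. Concatenation lets a name such as
        //    ');alert(1);//  break out of the string literal:
        //    ClientScript.RegisterStartupScript(GetType(), "greet", "alert('" + name + "');", true);
        // JavaScriptEncode escapes the value for a JS string and (as assumed
        // here for AntiXSS 3.0) returns it already wrapped in single quotes.
        string script = "alert(" + AntiXss.JavaScriptEncode(name) + ");";
        ClientScript.RegisterStartupScript(GetType(), "greet", script, true);
    }

    protected void Users_ItemDataBound(object sender, RepeaterItemEventArgs e)
    {
        if (e.Item.ItemType != ListItemType.Item &&
            e.Item.ItemType != ListItemType.AlternatingItem)
        {
            return;  // header, footer and separator items carry no data
        }
        // Code-behind equivalent of <%# Eval("DisplayName") %> in the template,
        // which ASP.NET does not encode. Literal writes Text raw, hence the call.
        var row = (UserRow)e.Item.DataItem;
        var nameLiteral = (Literal)e.Item.FindControl("Name");
        nameLiteral.Text = AntiXss.HtmlEncode(row.DisplayName);
    }
}
```

The check to carry into a self-review is the one each case above makes: which context the value lands in (HTML body, attribute, JavaScript string) and whether the control already encodes for that context. The encoder must match the context, not just be present; HtmlEncode inside a script block, for instance, leaves the `');` breakout intact.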