Microsoft Release new Anti-XSS tool


Microsoft just released a new Anti-XSS tool that works with .NET Framework 1.0, 1.1 and 2.0.  Anytime you echo user input back to the Web Page you are susceptible either persistent or non-persistent cross site scripting attacks.  You can download the tool from: 


 


http://www.microsoft.com/downloads/details.aspx?familyid=9a2b9c92-7ad9-496c-9a89-af08de2e5982&displaylang=en


 


So what was wrong with using System.Web.HttpUtility.HtmlEncode?  The problem with HttpUtility class is it was based upon deny-list approach—in which I mentioned an earlier blog on the down fall with this approach—versus a Accept-only approach.  As a result of the deny-list approach the HttpUtility.HtmlEncode as only good against the following characters:




  • < 


  • > 


  • &




  • Characters with values 160-255 inclusive 

The Microsoft Anti-XSS tool follows an Accept-only approach in which this tool looks for a finite set of valid input and everything else is considered invalid.  This approach will provide a more comprehensive protection to XSS and reduce the ability to trick HttpUtility.HtmlEncode with canonical representations attacks.


 


You will find that the Anti-XSS tool works much like HttpUtility.HtmlEncode:




  • AntiXSSLibrary.HtmlEncode(string)


  • AntiXSSLibrary.URLEncode(string)

Now all characters will be encoded except for:




  • a-z (lower case)


  • A-Z (upper case)


  • 0-9 (Numeric values)


  • , (Comma)


  • . (Period)


  • _ (Underscore)


  • – (dash)


  • (Space)—Except for URLEncode

 This is a must load download!

Comments (11)

  1. Dan’s recent post reminded me that Microsoft has been doing some interesting work lately in the field of Anti-XSS. They have even released a new tool today called the Microsoft Anti-Cross Site Scripting Library V1.0 which can be used to provide comprehensive

  2. Luke says:

    If i install this on a machine with both .Net 2.0 and 1.1 it seems to only install the 2.0 Assembly.

    Is there a way i can get the 1.1 Assembly?

  3. 5 Tips for Enjoying the Software Development

    Profession [Via: dforbes@yafla.com ]

    ASP.NET 2.0 Wizard…

  4. MSDN Archive says:

    Hi Luke,

    I just found out the current binary of the Anti-XSS tool only supports .NET Fx 2.0.  However, they will be releasing a new binary shortly that will support .NET Fx 1.1 and 1.0

  5. In a recent post I mentioned that Microsoft released a new Anti-Cross Site Scripting Tool.&amp;nbsp; However,…

  6. In a recent&amp;nbsp;post&amp;nbsp;I mentioned that Microsoft released a new Anti-Cross Site Scripting Tool.&amp;nbsp;…

  7. To minimize the threat of Cross Site scripting attacks ASP.NET 1.1 introduced the ValidateRequest=&quot;true&quot;…