Microsoft Release new Anti-XSS tool
Microsoft just released a new Anti-XSS tool that works with .NET Framework 1.0, 1.1 and 2.0. Anytime you echo user input back to the Web Page you are susceptible either persistent or non-persistent cross site scripting attacks. You can download the tool from:
So what was wrong with using System.Web.HttpUtility.HtmlEncode? The problem with HttpUtility class is it was based upon deny-list approach—in which I mentioned an earlier blog on the down fall with this approach—versus a Accept-only approach. As a result of the deny-list approach the HttpUtility.HtmlEncode as only good against the following characters:
<
>
&
“
Characters with values 160-255 inclusive
The Microsoft Anti-XSS tool follows an Accept-only approach in which this tool looks for a finite set of valid input and everything else is considered invalid. This approach will provide a more comprehensive protection to XSS and reduce the ability to trick HttpUtility.HtmlEncode with canonical representations attacks.
You will find that the Anti-XSS tool works much like HttpUtility.HtmlEncode:
- AntiXSSLibrary.HtmlEncode(string)
- AntiXSSLibrary.URLEncode(string)
Now all characters will be encoded except for:
- a-z (lower case)
- A-Z (upper case)
- 0-9 (Numeric values)
- , (Comma)
- . (Period)
- _ (Underscore)
- - (dash)
- (Space)—Except for URLEncode
This is a must load download!