The Microsoft Anti-Cross Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed to help developers protect their ASP.NET web applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique -- sometimes referred to as the principle of inclusions -- to protect against XSS attacks. This approach works by first defining a valid or allowable set of characters and then encoding anything outside that set (invalid characters or potential attack payloads), rather than encoding only a fixed list of known-dangerous characters. The white-listing approach provides several advantages over other encoding schemes.
New features in this version of the Microsoft Anti-Cross Site Scripting Library include:
· An expanded white list that supports more languages
· Performance improvements
· Performance data sheets (in the online help)
· Support for Shift_JIS encoding for mobile browsers
· A sample application
· Security Runtime Engine (SRE) HTTP module
This blog post contains the results of the performance testing of Anti-XSS V3.0. The same results are included in the Performance data sheets (in the online help) of Anti-XSS V3.0. Performance testing of the Anti-XSS library was carried out with a sample application that uses AntiXSSLibrary.dll, over a varying user load. Under the same load conditions, the same application was also measured using .NET's HttpUtility.HtmlEncode() in place of the Anti-XSS encoder, and with no encoding at all as a baseline.
Sample Application Overview
The sample ASP.NET application takes a string as input and returns the encoded form of that string, calling AntiXSSLibrary.dll on the server.
The input strings applied to the sample application were:
· 64 character string consisting only of safe characters (a-z, A-Z, 0-9, etc.)
· 64 character string in which approx. 25% of the characters require encoding
· 128 character string in which approx. 25% of the characters require encoding
· 512 character string in which approx. 25% of the characters require encoding
· 1024 character string in which approx. 25% of the characters require encoding
· 64 character international string (any language such as Chinese or Hebrew) with no characters that require encoding
· 64 character international string (any language such as Chinese or Hebrew) in which approx. 25% of the characters require encoding
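As an added illustration (not code from this post or from the Anti-XSS library itself), the following Python models the two encoding strategies being compared here, white-list ("principle of inclusions") versus black-list in the style of HttpUtility.HtmlEncode(), and builds inputs in the shape of the seven test strings listed above. The safe set, the black list, the Chinese and Hebrew sample text, and the timing helper are all assumptions of this example; the real Anti-XSS V3.0 white list is much larger than the ASCII set used here, and the timings it produces are single-threaded in-process call costs, not the 200-user load-test numbers reported in this post.

```python
import string
import timeit

# ASSUMED safe set used to model the principle of inclusions; the real
# Anti-XSS V3.0 white list covers many scripts and is not reproduced here.
SAFE_CHARS = frozenset(string.ascii_letters + string.digits + " ,.-_")

# Constructed approximation of a black-list encoder in the style of
# HttpUtility.HtmlEncode(): only a fixed set of characters is touched.
BLACKLIST = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}


def whitelist_html_encode(text: str) -> str:
    """Encode every character that is NOT in the allowed set as a numeric entity."""
    return "".join(ch if ch in SAFE_CHARS else "&#%d;" % ord(ch) for ch in text)


def blacklist_html_encode(text: str) -> str:
    """Encode only characters on the deny list; everything else passes through."""
    return "".join(BLACKLIST.get(ch, ch) for ch in text)


def make_input(length: int, encode_ratio: float,
               alphabet: str = string.ascii_letters + string.digits,
               specials: str = "<>&\"'") -> str:
    """Deterministic test string of `length` characters in which `encode_ratio`
    of the positions hold characters that need encoding (constructed data in
    the shape of the post's inputs, not the original test strings)."""
    step = round(1 / encode_ratio) if encode_ratio > 0 else 0
    return "".join(
        specials[i % len(specials)] if step and i % step == 0
        else alphabet[i % len(alphabet)]
        for i in range(length)
    )


# Constructed sample text (9 Chinese characters + 9 Hebrew letters).
INTERNATIONAL = "安全编码库性能测试" + "אבגדהוזחט"

TEST_INPUTS = {
    "64 safe":      make_input(64, 0.0),
    "64 @25%":      make_input(64, 0.25),
    "128 @25%":     make_input(128, 0.25),
    "512 @25%":     make_input(512, 0.25),
    "1024 @25%":    make_input(1024, 0.25),
    "64 intl":      make_input(64, 0.0, alphabet=INTERNATIONAL),
    "64 intl @25%": make_input(64, 0.25, alphabet=INTERNATIONAL),
}


def encoded_fraction(encoder, text: str) -> float:
    """Share of input characters the encoder replaced with an entity.
    Every entity contains exactly one '&', and a literal '&' is always
    encoded by both encoders, so counting '&' in the output is exact."""
    return encoder(text).count("&") / len(text)


def microseconds_per_call(encoder, text: str, iterations: int = 2000) -> float:
    """Single-threaded, in-process cost of one call in microseconds (not a load test)."""
    return timeit.timeit(lambda: encoder(text), number=iterations) / iterations * 1e6


if __name__ == "__main__":
    print(f"{'input':<14}{'wl enc%':>10}{'bl enc%':>10}{'wl us':>10}{'bl us':>10}")
    for name, text in TEST_INPUTS.items():
        print(f"{name:<14}"
              f"{encoded_fraction(whitelist_html_encode, text):>10.2f}"
              f"{encoded_fraction(blacklist_html_encode, text):>10.2f}"
              f"{microseconds_per_call(whitelist_html_encode, text):>10.2f}"
              f"{microseconds_per_call(blacklist_html_encode, text):>10.2f}")
```

The international rows are the interesting ones: with an ASCII-only safe set the white-list encoder turns every Chinese or Hebrew character into an entity, so output size and per-call cost grow with the share of non-ASCII input, while the black-list encoder passes those characters through untouched. That is exactly why the expanded white list in V3.0 matters for international content, and why the test corpus includes the two international strings.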
Performance testing of the Anti-XSS library and the SRE was carried out in the Microsoft ACE Performance labs. The tests were conducted in both 64-bit and 32-bit environments. The following are the machine specifications:
Load Test Overview
VSTS 2008 was used to generate a load of 200 concurrent users. The following table depicts the user load distribution:
Each transaction consisted of two ASP.NET requests. For this sample application, one transaction comprised:
1. User logs on to the homepage and enters the string
2. The application returns the encoded version of the string
Load Test Results
For a 200-user concurrent load, the end-to-end transaction time for the AntiXss.HtmlEncode() encoding scenario (yellow "Antixss Encode" in the illustration below) is 3.9 milliseconds on the 32-bit web server and 4.2 milliseconds on the 64-bit web server. Under the same user load, the end-to-end transaction time for the scenario using HttpUtility.HtmlEncode() (red "Html Encode" in the illustration below) is 3.8 milliseconds and 4.1 milliseconds on the 32-bit and 64-bit web servers respectively. Hence, there is only a 0.1 millisecond delta per transaction between encoding with AntiXss.HtmlEncode() and with the .NET HttpUtility.HtmlEncode() method.
In terms of throughput, the Anti-XSS scenario handled around 85 ASP.NET requests/sec in the 32-bit environment. Since each transaction consists of two ASP.NET requests, the system throughput at a 200-user concurrent load for the Anti-XSS scenario came to 42.5 transactions/sec.
Performance Test Results
· The average transaction time for Anti-XSS under the given conditions was 3.9 and 4.2 milliseconds on the 32-bit and 64-bit web servers respectively.
· The average delta between AntiXss.HtmlEncode() and HttpUtility.HtmlEncode() is +0.1 milliseconds per transaction.
· Under a 200-user concurrent load, the throughput of the Anti-XSS scenario is 42.5 and 38 transactions per second (two ASP.NET requests each) on the 32-bit and 64-bit web servers respectively.