Over the last couple of months we have been actively developing the next version of the Anti-XSS library and the Security Runtime Engine (SRE). We have added new mitigations that go well beyond the original Cross Site Scripting (XSS) protections of the Anti-XSS Library, hence the change of name to the Web Protection Library (WPL).
WPL now includes encoding methods that mitigate LDAP injection and CSS (Cascading Style Sheet) injection, with several others planned for the future. The runtime protection module includes a new HTTP Module that detects and blocks SQL injection attempts, using a specialized SQL parser to find any valid SQL query embedded in the input.
A quick summary of the changes in Web Protection Library v1.0:
- New Encoder and Sanitizer classes provide encoding and sanitization functionality respectively
- The AntiXss class is marked as obsolete: code that uses it now generates a compiler warning, but its methods continue to work as before for backwards compatibility
- Updated Anti-XSS Module to increase performance
- New SQL Injection detection module to detect SQL Queries in input
- Completely redesigned configuration UI which provides easy editing of configuration files directly from within Visual Studio
- Configuration files are merged into a single web.config; a separate antixssmodule.config is no longer required
- SRE exposes an extensibility API which can be used to build new mitigations
We are really pleased with the significant progress we are making in this space and excited about getting some more community feedback by way of a community technology preview. If you are building ASP.NET web sites you need to be using WPL, period.
In the next couple of weeks we will be providing more information on our blog, along with download links and ways to register for the Connect site to report bugs and submit DCRs (design change requests).