Microsoft just released a new Anti-XSS tool that works with .NET Framework 1.0, 1.1 and 2.0. Any time you echo user input back to the web page you are susceptible to either persistent or non-persistent cross-site scripting attacks. You can download the tool from:
So what was wrong with using System.Web.HttpUtility.HtmlEncode? The problem with the HttpUtility class is that it is based on a deny-list approach (I covered the downfall of this approach in an earlier blog post) rather than an accept-only approach. As a result of the deny-list approach, HttpUtility.HtmlEncode is only good against the following characters:
- <
- >
- &
- " (double quote)
- Characters with values 160-255 inclusive
The Microsoft Anti-XSS tool follows an accept-only approach: it looks for a finite set of valid input characters and treats everything else as invalid (and therefore encodes it). This provides more comprehensive protection against XSS and reduces the ability to trick HttpUtility.HtmlEncode with canonical-representation attacks.
You will find that the Anti-XSS tool works much like HttpUtility.HtmlEncode:
- AntiXSSLibrary.HtmlEncode(string)
- AntiXSSLibrary.URLEncode(string)
Now all characters will be encoded except for:
- a-z (lower case)
- A-Z (upper case)
- 0-9 (Numeric values)
- , (Comma)
- . (Period)
- _ (Underscore)
- - (dash)
- (Space), except for URLEncode
This is a must load download!
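To make the difference between the two approaches concrete, here is an added example (my own code, not the post's and not the Anti-XSS library's) that puts a deny-list encoder, modelled on the characters the post lists for HttpUtility.HtmlEncode in .NET 1.x/2.0, next to an accept-only encoder built from the allow-list the post gives for AntiXSSLibrary.HtmlEncode. The decimal numeric-entity output form is this example's choice, not necessarily what the library emits, and the sample inputs are constructed.

```csharp
// Added example: deny-list vs. accept-only HTML encoding.
// Not part of the original post or of the Microsoft Anti-XSS library.
using System;
using System.Text;

static class EncoderDemo
{
    // Deny-list: encode only the characters the post says HttpUtility.HtmlEncode
    // handled (<, >, &, " and code points 160-255); pass everything else through.
    public static string DenyListHtmlEncode(string input)
    {
        var sb = new StringBuilder(input.Length);
        foreach (char c in input)
        {
            switch (c)
            {
                case '<': sb.Append("&lt;"); break;
                case '>': sb.Append("&gt;"); break;
                case '&': sb.Append("&amp;"); break;
                case '"': sb.Append("&quot;"); break;
                default:
                    if (c >= 160 && c <= 255)
                        sb.Append("&#").Append((int)c).Append(';');
                    else
                        sb.Append(c); // anything not on the list survives unchanged
                    break;
            }
        }
        return sb.ToString();
    }

    // Accept-only: pass the allow-list from the post (a-z, A-Z, 0-9, comma,
    // period, underscore, dash, space) through; numerically encode everything else.
    // Space is allowed here because this is the HTML encoder, not URLEncode.
    public static string AcceptOnlyHtmlEncode(string input)
    {
        var sb = new StringBuilder(input.Length);
        foreach (char c in input)
        {
            bool allowed = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                           (c >= '0' && c <= '9') || c == ',' || c == '.' ||
                           c == '_' || c == '-' || c == ' ';
            if (allowed)
                sb.Append(c);
            else
                sb.Append("&#").Append((int)c).Append(';'); // example's chosen entity form
        }
        return sb.ToString();
    }

    static void Main()
    {
        // Constructed sample inputs. Note the apostrophe in the first one: it is not on
        // the deny-list, so the first encoder leaves it untouched, which matters when the
        // value lands inside a single-quoted attribute. The accept-only encoder rejects it.
        string[] samples = { "O'Reilly & Sons", "<b>bold</b>", "5 > 3", "caf\u00e9" };
        foreach (var s in samples)
        {
            Console.WriteLine("input      : " + s);
            Console.WriteLine("deny-list  : " + DenyListHtmlEncode(s));
            Console.WriteLine("accept-only: " + AcceptOnlyHtmlEncode(s));
            Console.WriteLine();
        }
    }
}
```

Compile it as a console application and compare the two output lines per sample: the deny-list encoder only changes characters it was explicitly told about, so its safety depends on the list being complete for every output context, while the accept-only encoder's safety depends only on the allow-list being harmless, which is a much smaller thing to get right.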
Comments
Anonymous
February 23, 2006
Dan's recent post reminded me that Microsoft has been doing some interesting work lately in the field of Anti-XSS. They have even released a new tool today called the Microsoft Anti-Cross Site Scripting Library V1.0 which can be used to provide comprehensive
Anonymous
February 23, 2006
If I install this on a machine with both .Net 2.0 and 1.1 it seems to only install the 2.0 Assembly.
Is there a way I can get the 1.1 Assembly?
Anonymous
February 23, 2006
5 Tips for Enjoying the Software Development Profession [Via: dforbes@yafla.com ]
ASP.NET 2.0 Wizard...
Anonymous
February 26, 2006
PingBack from http://vinny.wordpress.com/2006/02/25/links-for-2006-02-25/
Anonymous
March 02, 2006
Hi Luke,
I just found out the current binary of the Anti-XSS tool only supports .NET Fx 2.0. However, they will be releasing a new binary shortly that will support .NET Fx 1.1 and 1.0.
Anonymous
March 07, 2006
In a recent post I mentioned that Microsoft released a new Anti-Cross Site Scripting Tool. However,...
Anonymous
March 07, 2006
In a recent post I mentioned that Microsoft released a new Anti-Cross Site Scripting Tool. ...
Anonymous
March 13, 2006
To minimize the threat of Cross Site scripting attacks ASP.NET 1.1 introduced the ValidateRequest="true"...
Anonymous
June 09, 2008
PingBack from http://jacobnewssite.977mb.com/user927.html
Anonymous
August 08, 2008
PingBack from http://dotnetwitter.wordpress.com/2008/08/08/links-for-2008-08-08-deliciouscom/