I first came across the Anti-XSS library while reading the following post: Cross site scripting and ways to code against it on the IT_Country blog.
So what is it?
According to Microsoft:
AntiXSS 3.1 helps you to protect your current applications from cross-site scripting attacks, at the same time helping you to protect your legacy application with its Security Runtime Engine
Doesnt “System.Web.HttpUtility.HtmlEncode” do that already?
Yes, but there is a difference. The biggest is that HttpUtility.HtmlEncode uses a blacklist, whereas AntiXss.HtmlEncode uses a whitelist. (A whitelist is basically a list of allowed attendees at a party and a blacklist is a list of unallowed people to a party). Obviously a white list is more restrictive and hence more safe. According to Syed Aslam Basha, (Tester on Microsoft’s Information Security Tools Team), these are the differences:
- Anti-XSS uses the white-listing technique, sometimes referred to as the principle of inclusions, to provide protection against Cross-Site Scripting (XSS) attacks. This approach works by first defining a valid or allowable set of characters, and encodes anything outside this set (invalid characters or potential attacks). System.Web.HttpUtility.HtmlEncode and other encoding methods in that namespace use principle of exclusions and encode only certain characters designated as potentially dangerous such as <, >, & and ' characters.
- The Anti-XSS Library's list of white (or safe) characters support more than a dozen languages (Greek and Coptic,Cyrillic,Cyrillic Supplement, Armenian, Hebrew, Arabic, Syriac, Arabic Supplement, Thaana, NKo and more)
- Anti-XSS library has been designed specially to mitigate XSS attacks whereas HttpUtility encoding methods are created to ensure that ASP.NET output does not break HTML.
- Performance - the average delta between AntiXss.HtmlEncode() and HttpUtility.HtmlEncode() is +0.1 milliseconds per transaction.
from: Differences Between AntiXss.HtmlEncode and HttpUtility.HtmlEncode Methods
How do you use it?
Its simple really:
AntiXss.GetSafeHtml: Returns well formed HTML that is XHTML compliant. (if <html> or <body> tags are missing they are added back in).
AntiXss.GetSafeHtmlFragment: Returns well formed HTML fragments (does not try and add <html> or <body> tags).
The AntiXSS library also provides other methods that can be used depending on where you are going to be using the user input data. For example:
AntiXss.HtmlAttributeEncode – used when user input is being used as an attribute inside a HTML tag.
AntiXss.JavaScriptEncode – used when user input data is being used inside <script> tags.
AntiXss.UrlEncode – used when user input is being used in a url.
Correct Sequence of Usage:
According to the documentation, the correct sequence is not to perform the encoding as soon as you start working with the user provided data, but just before presenting the user provided data back to user.
Here is an example from the documentation:
// Correct Sequence **** protected void Button1_Click(object sender, EventArgs e) { // Read input String Input = TextBox1.Text; // Process input ... // Encode untrusted input and write output Response.Write(”The input you gave was” + Microsoft.Security.Application.AntiXss.HtmlEncode(Input)); } // Incorrect sequence!!! protected void Button1_Click(object sender, EventArgs e) { // Read input String Input = TextBox1.Text; // Encode untrusted input Input = Microsoft.Security.Application.AntiXss.HtmlEncode(Input); // Process input ... // Write Output Response.Write(”The input you gave was” + Input ); }
AntiXSS Members:
|
Name |
Description |
|---|---|
|
GetSafeHtml |
Returns a safe version of HTML page by either sanitizing or removing all malicious scripts. |
|
GetSafeHtmlFragment |
Returns a safe version of HTML fragment by either sanitizing or removing all malicious scripts. |
|
HtmlAttributeEncode |
Encodes input strings for use in HTML attributes. |
|
HtmlEncode |
Encodes a input string before safely sending it to a browser client. |
|
JavaScriptEncode |
Encodes input strings for use in JavaScript. |
|
UrlEncode |
Encodes input strings for use in universal resource locators (URLs). |
|
VisualBasicScriptEncode |
Encodes input strings for use in Visual Basic Script. |
|
XmlAttributeEncode |
Encodes input strings for use in XML attributes. |
|
XmlEncode |
Encodes input strings for use in XML. |
More Info:
CodePlex: AntiXSS
CodePlex Discussion: http://antixss.codeplex.com/Thread/List.aspx.
AntiXSS 3.2 download: http://www.microsoft.com/downloads/details.aspx?familyid=051EE83C-5CCF-48ED-8463-02F56A6BFC09&displaylang=en
Security Tools Team Blog: http://blogs.msdn.com/securitytools/archive/tags/Anti-XSS/default.aspx
OWASP XSS Prevention Cheat Sheet: OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet
Very cool. I didn't know this existed. Thanks!
ReplyDeleteNice & Clean explanation. Thanks!
ReplyDelete