Wednesday, March 03, 2010

Microsoft’s Anti-XSS Library

I first came across the Anti-XSS library while reading the following post: Cross site scripting and ways to code against it on the IT_Country blog.

So what is it?
According to Microsoft:

AntiXSS 3.1 helps you to protect your current applications from cross-site scripting attacks, at the same time helping you to protect your legacy application with its Security Runtime Engine

Doesn't “System.Web.HttpUtility.HtmlEncode” do that already?
Yes, but there is a difference. The biggest is that HttpUtility.HtmlEncode uses a blacklist, whereas AntiXss.HtmlEncode uses a whitelist. (A whitelist is like the guest list for a party: only the people on it get in. A blacklist is a list of people who are barred, and everyone else gets in.) A whitelist is more restrictive and hence safer. According to Syed Aslam Basha (Tester on Microsoft’s Information Security Tools Team), these are the differences:

  1. Anti-XSS uses the white-listing technique, sometimes referred to as the principle of inclusions, to provide protection against Cross-Site Scripting (XSS) attacks. This approach works by first defining a valid or allowable set of characters, and encodes anything outside this set (invalid characters or potential attacks). System.Web.HttpUtility.HtmlEncode and other encoding methods in that namespace use the principle of exclusions and encode only certain characters designated as potentially dangerous such as <, >, & and ' characters.
  2. The Anti-XSS Library's list of white (or safe) characters supports more than a dozen languages (Greek and Coptic, Cyrillic, Cyrillic Supplement, Armenian, Hebrew, Arabic, Syriac, Arabic Supplement, Thaana, NKo and more).
  3. Anti-XSS library has been designed specially to mitigate XSS attacks whereas HttpUtility encoding methods are created to ensure that ASP.NET output does not break HTML.
  4. Performance - the average delta between AntiXss.HtmlEncode() and HttpUtility.HtmlEncode() is +0.1 milliseconds per transaction.

from: Differences Between AntiXss.HtmlEncode and HttpUtility.HtmlEncode Methods
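The two principles from the list above, side by side, as an added example that is neither the library's code nor from the quoted post. The class name, the four-character deny list (taken from the characters named in item 1) and the small ASCII safe set are assumptions chosen for the demonstration.

```csharp
using System;
using System.Text;

static class EncodingPrinciples
{
    // Principle of exclusions: encode only the characters named as dangerous
    // in the list above (<, >, & and '); everything else passes through.
    public static string DenyListEncode(string input)
    {
        return input.Replace("&", "&amp;").Replace("<", "&lt;")
                    .Replace(">", "&gt;").Replace("'", "&#39;");
    }

    // Demo safe set (an assumption, far smaller than the library's):
    // ASCII letters, digits, space, '.', ',', '-' and '_'.
    static bool IsSafe(int cp)
    {
        return cp < 128 && (char.IsLetterOrDigit((char)cp) || " .,-_".IndexOf((char)cp) >= 0);
    }

    // Principle of inclusions: pass only the safe set and encode everything
    // else as a numeric character reference.
    public static string AllowListEncode(string input)
    {
        var sb = new StringBuilder();
        for (int i = 0; i < input.Length; i++)
        {
            int cp = input[i];
            if (char.IsSurrogatePair(input, i))
                cp = char.ConvertToUtf32(input, i++); // one entity per code point
            else if (char.IsSurrogate(input[i]))
                cp = 0xFFFD; // lone surrogate: emit the replacement character
            if (IsSafe(cp)) sb.Append((char)cp);
            else sb.Append("&#").Append(cp).Append(';');
        }
        return sb.ToString();
    }

    static void Main()
    {
        // Constructed input: markup characters plus characters that are on
        // neither the deny list nor the demo safe set.
        string input = "<i>a=b</i> `(c);` \"d\" \u00e9";
        Console.WriteLine("deny list : " + DenyListEncode(input));
        Console.WriteLine("allow list: " + AllowListEncode(input));
    }
}
```

The deny-list output still contains the raw `=`, backtick, parentheses, semicolon, double quote and `é`; the allow-list output encodes every one of them because none is in the safe set.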

How do you use it?
It's simple, really:

AntiXss.GetSafeHtml: Returns well formed HTML that is XHTML compliant. (if <html> or <body> tags are missing they are added back in).

AntiXss.GetSafeHtmlFragment: Returns well formed HTML fragments (does not try and add <html> or <body> tags).

The AntiXSS library also provides other methods that can be used depending on where you are going to be using the user input data. For example:
AntiXss.HtmlAttributeEncode – used when user input is being used as an attribute inside an HTML tag.
AntiXss.JavaScriptEncode – used when user input data is being used inside <script> tags.
AntiXss.UrlEncode – used when user input is being used in a URL.

Correct Sequence of Usage:

According to the documentation, the correct sequence is not to perform the encoding as soon as you start working with the user-provided data, but just before presenting the user-provided data back to the user.

Here is an example from the documentation:

// Correct sequence
protected void Button1_Click(object sender, EventArgs e)
{
    // Read input
    String Input = TextBox1.Text;
    // Process input
    // ...
    // Encode untrusted input and write output
    Response.Write("The input you gave was" + Microsoft.Security.Application.AntiXss.HtmlEncode(Input));
}

// Incorrect sequence!!!
protected void Button1_Click(object sender, EventArgs e)
{
    // Read input
    String Input = TextBox1.Text;
    // Encode untrusted input
    Input = Microsoft.Security.Application.AntiXss.HtmlEncode(Input);
    // Process input
    // ...
    // Write Output
    Response.Write("The input you gave was" + Input);
}
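What goes wrong in the incorrect sequence, as an added example that is not from the documentation or the original post. It uses System.Net.WebUtility.HtmlEncode as a stand-in for AntiXss.HtmlEncode so that it runs without the library; the class name, the 6-character limit used as the "process input" step and the sample value are assumptions.

```csharp
using System;
using System.Net;

static class EncodeAtOutput
{
    // Hypothetical "process input" step: cap the value at 6 characters.
    static string Process(string s)
    {
        return s.Length <= 6 ? s : s.Substring(0, 6);
    }

    // Correct sequence: process the raw value, encode once when writing it out.
    public static string Correct(string input)
    {
        return "The input you gave was " + WebUtility.HtmlEncode(Process(input));
    }

    // Incorrect sequence: encode first, then process the encoded text.
    // The length cap now counts entity characters and can cut an entity in half.
    public static string Incorrect(string input)
    {
        string encoded = WebUtility.HtmlEncode(input);
        return "The input you gave was " + Process(encoded);
    }

    // A second symptom: a value encoded on input and stored is encoded again
    // by whichever layer later writes it out, so the user sees "&amp;".
    public static string EncodedTwice(string input)
    {
        string stored = WebUtility.HtmlEncode(input);
        return WebUtility.HtmlEncode(stored);
    }

    static void Main()
    {
        string input = "AT&T <support>"; // constructed sample input
        Console.WriteLine(Correct(input));
        Console.WriteLine(Incorrect(input));
        Console.WriteLine(EncodedTwice(input));
    }
}
```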

AntiXSS Members:

Name – Description
GetSafeHtml – Returns a safe version of HTML page by either sanitizing or removing all malicious scripts.
GetSafeHtmlFragment – Returns a safe version of HTML fragment by either sanitizing or removing all malicious scripts.
HtmlAttributeEncode – Encodes input strings for use in HTML attributes.
HtmlEncode – Encodes an input string before safely sending it to a browser client.
JavaScriptEncode – Encodes input strings for use in JavaScript.
UrlEncode – Encodes input strings for use in universal resource locators (URLs).
VisualBasicScriptEncode – Encodes input strings for use in Visual Basic Script.
XmlAttributeEncode – Encodes input strings for use in XML attributes.
XmlEncode – Encodes input strings for use in XML.

More Info:

CodePlex: AntiXSS 
CodePlex Discussion: http://antixss.codeplex.com/Thread/List.aspx
AntiXSS 3.2 download: http://www.microsoft.com/downloads/details.aspx?familyid=051EE83C-5CCF-48ED-8463-02F56A6BFC09&displaylang=en
Security Tools Team Blog: http://blogs.msdn.com/securitytools/archive/tags/Anti-XSS/default.aspx
OWASP XSS Prevention Cheat Sheet: OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet

2 comments:

A. Glen said...

Very cool. I didn't know this existed. Thanks!

Naresh Bogavaram said...

Nice & Clean explanation. Thanks!