Robert Hurlbut's Blog

Thoughts on .NET, Security, Architecture, Agility, and Databases.


Anti-Cross Site Scripting Library for .NET web applications

I heard about this some time ago, and now it looks like the Microsoft Anti-Cross Site Scripting Library V1.0 has been released [found by way of Jason Haley -- if you have no other RSS feed you subscribe to, get Jason's!]

Cross Site Scripting (XSS) is listed on the OWASP Top Ten list of the most critical web application security vulnerabilities at the #4 spot:

The web application can be used as a mechanism to transport an attack to an end user's browser. A successful attack can disclose the end user's session token, attack the local machine, or spoof content to fool the user.

More information can be found here: Information on Cross-Site Scripting Security Vulnerability. Also, Keith Brown did several labs recently that are posted on Channel 9; there is one on Cross Site Scripting as well.

The new .NET library from Microsoft indicates it is supported on Windows 2000, Windows XP, and Windows 2003, and can be used with .NET 1.0, .NET 1.1, and .NET 2.0. The library exposes two methods: HtmlEncode and UrlEncode (each taking a single string parameter). These are the same methods as found on System.Web.HttpUtility in the .NET Framework today.

Why is there a new set of functions? The standard .NET functions use what is called "black-listing", or implementing the "principle of exclusions". This means they look only for specific characters to encode (such as < (less than), > (greater than), & (ampersand), and " (double quote)). While this is good, certain other characters could slip through that could cause problems. The new library takes the opposite approach, a method called "white-listing", or implementing the "principle of inclusions". Instead of looking for what's bad and filtering it out, the new methods look for what's good, consider everything else bad, and replace those characters with their escape-sequence equivalents. I checked this directly through Reflector, and this is what is happening underneath. I am surprised this wasn't already done in the Framework, especially for .NET 2.0.

Here is a chart that shows what the new library considers "good" characters (from the documentation):

Method: AntiXSSLibrary.HtmlEncode(string)

Valid characters not encoded:

  • a-z (Lower case alphabetic)
  • A-Z (Upper case alphabetic)
  • 0-9 (Numbers)
  • , (Comma)
  • . (Period)
  • - (Dash)
  • _ (Underscore)
  • ' ' (Space)

Method: AntiXSSLibrary.UrlEncode(string)

Valid characters not encoded:

  • a-z (Lower case alphabetic)
  • A-Z (Upper case alphabetic)
  • 0-9 (Numbers)
  • , (Comma)
  • . (Period)
  • - (Dash)
  • _ (Underscore)
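To make the difference between the two approaches concrete, here is an added example (my own code, not the Anti-XSS Library's source or anything from its documentation): a deny-list encoder that handles only the four characters named above, beside an allow-list encoder that passes through exactly the HtmlEncode characters from the chart. The class name and the numeric-entity output form (&#NN;) are my assumptions, not necessarily what the library emits.

```csharp
using System;
using System.Text;

// Added example: deny-list vs. allow-list HTML encoding (not the library's code).
static class EncoderDemo
{
    // Deny-list ("principle of exclusions"): encode only known-bad characters.
    public static string DenyListHtmlEncode(string input)
    {
        var sb = new StringBuilder(input.Length);
        foreach (char c in input)
        {
            switch (c)
            {
                case '<': sb.Append("&lt;"); break;
                case '>': sb.Append("&gt;"); break;
                case '&': sb.Append("&amp;"); break;
                case '"': sb.Append("&quot;"); break;
                default:  sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Allow-list ("principle of inclusions"): only the chart's HtmlEncode
    // characters pass through; everything else becomes a numeric reference.
    static bool IsHtmlSafe(char c) =>
        (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
        || c == ',' || c == '.' || c == '-' || c == '_' || c == ' ';

    public static string AllowListHtmlEncode(string input)
    {
        var sb = new StringBuilder(input.Length);
        foreach (char c in input)
        {
            if (IsHtmlSafe(c)) sb.Append(c);
            else sb.Append("&#").Append((int)c).Append(';');
        }
        return sb.ToString();
    }

    static void Main()
    {
        // Constructed sample: the single quote and '=' slip through the deny list.
        string sample = "O'Neil <b>x</b> a=1";
        Console.WriteLine(DenyListHtmlEncode(sample));
        Console.WriteLine(AllowListHtmlEncode(sample));
    }
}
```

Run it and compare the two output lines: the deny-list version leaves the apostrophe and equals sign untouched, which matters when the string lands inside a single-quoted attribute, while the allow-list version encodes them.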

If you are writing ASP.NET applications (with any of the .NET Framework versions), take a look at this as a more secure solution to guard against XSS.

Published Thursday, February 23, 2006 11:41 AM by RHurlbut

Comments

# re: Anti-Cross Site Scripting Library for .NET web applications @ Friday, March 17, 2006 8:07 AM

Hi,

nice blog! I checked out that lib, but can't get it to run. Compiler says: Name 'AntiXSSLibrary' not declared. I found no documentation on the lib that tells me what to do here. Can you provide a hint?

Thx!

by Tester

# re: Anti-Cross Site Scripting Library for .NET web applications @ Friday, March 17, 2006 8:45 AM

Did you add the library to your references (it should be in the bin folder)? Also, what .NET version are you using? I tested an earlier version that used .NET 2.0, but it has now been updated to be fully compatible with .NET 1.0/1.1.