
Web Protection Library and XSS attacks

I started using the AntiXSS library that comes with the Microsoft Web Protection Library (WPL). This library gives you several APIs that can be used to protect your application from Cross Site Scripting (XSS).

So, what is an XSS attack? It is where a malicious user injects a script into the web page another user is viewing, and the script runs as part of the response from the compromised web site.

As a simple example, let's say a malicious user enters a comment on a blog post and, along with the comment, appends a script that loops 1000 times displaying an alert box.
Now every time a user views the comment section of that particular post, the script executes.

An extreme scenario would be where a user enters a script in the comment box that passes on the session id or a cookie of the logged in user to the hacker's web site.

In both these cases the attack could have been prevented if the input of the comment text box had been scanned for malicious code before it was saved to the data source.

WPL provides APIs that encode inputs and sanitize malicious code.

To demonstrate how easy this library is to use: all you have to do is add a reference to the AntiXSS assembly, and in the Microsoft.Security.Application namespace
you will find a class called Encoder. This class has several static methods.

One of these methods is Encoder.HtmlEncode, called as:

Encoder.HtmlEncode(input)

WPL is still a CTP (Community Technology Preview) and can be downloaded from the Microsoft site.

As a rule, any input that is displayed to the user from an external source, for example a shared database, has to go through the encode methods of the Encoder class, and
any HTML that is displayed to the user and composed from user inputs such as query strings or input fields needs to be encoded before it is shown to the user. These values also have to be encoded if they are persisted to a data store.
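To illustrate the Encoder.HtmlEncode call and the rule above, here is an added example (not code from the original post or from WPL itself) that renders an untrusted blog comment into response markup, first unencoded and then encoded for the context each value lands in. It assumes a reference to the AntiXSS assembly; the comment text and author name are constructed sample inputs, and Encoder.HtmlAttributeEncode is the library's companion method for attribute values.

```csharp
using System;
using Microsoft.Security.Application;

static class CommentRenderer
{
    // Constructed sample input: the kind of comment the post describes, a script
    // that would run in every visitor's browser if echoed into the page as-is.
    const string SampleComment =
        "Nice post! <script>for (var i = 0; i < 1000; i++) alert('hi');</script>";

    // Constructed author name containing characters that are significant in HTML.
    const string SampleAuthor = "O'Brien <ob@example.com>";

    // Unsafe: raw values are concatenated straight into the response markup.
    static string RenderUnencoded(string author, string comment)
    {
        return "<div class=\"comment\" data-author=\"" + author + "\">"
             + comment + "</div>";
    }

    // Safe: each value is encoded for the exact context it is written into.
    // HtmlEncode for element content, HtmlAttributeEncode for an attribute value.
    static string RenderEncoded(string author, string comment)
    {
        return "<div class=\"comment\" data-author=\"" + Encoder.HtmlAttributeEncode(author) + "\">"
             + Encoder.HtmlEncode(comment) + "</div>";
    }

    // Check used by Main: the encoded output must not carry the script tag
    // from the input through to the browser in executable form.
    static bool ScriptNeutralised(string html)
    {
        return html.IndexOf("<script>", StringComparison.OrdinalIgnoreCase) < 0;
    }

    static void Main()
    {
        string unsafeHtml = RenderUnencoded(SampleAuthor, SampleComment);
        string safeHtml = RenderEncoded(SampleAuthor, SampleComment);

        Console.WriteLine("Unencoded: " + unsafeHtml);
        Console.WriteLine("Encoded:   " + safeHtml);
        Console.WriteLine("Script neutralised in unencoded output: " + ScriptNeutralised(unsafeHtml));
        Console.WriteLine("Script neutralised in encoded output:   " + ScriptNeutralised(safeHtml));
    }
}
```

In the encoded output the angle brackets and quotes from the input are turned into HTML entities, so the browser displays the comment text literally instead of executing it.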

ASP.NET also supports input validation, which is enabled by default and will not accept potentially malicious characters (such as script tags) in inputs; if they are present, an exception is thrown.

WPL also comes with the Security Runtime Engine (SRE). This is again a component that can be used to implicitly protect your application from XSS and SQL injection attacks.

To configure SRE, you can use the SRE configuration generator Windows application.
You point it at an existing web.config file and add encoded types, that is, the types of controls that need to be encoded by SRE.

And that's it, you are done: your application is protected from SQL injection and XSS.
