
Web Protection Library and XSS attacks

I started using the AntiXSS library that ships with the Microsoft Web Protection Library (WPL). The library gives you several APIs that can be used to protect your application from Cross-Site Scripting (XSS).

So, what is an XSS attack? It is an attack in which a malicious user injects script into a web page that other users view. Because the script arrives as part of the response from the compromised site, the browser runs it with that site's privileges (same origin, same cookies), not the attacker's.

As a simple example, say a malicious user enters a comment on a blog post and appends a script to it, for instance one that loops 1000 times displaying an alert box.
If the site stores the comment and echoes it back into the page unencoded, every user who views the comment section of that post runs the script (a stored, or persistent, XSS).

A more serious scenario is a comment containing a script that sends the session id or a cookie of the logged-in user to the attacker's web site, letting the attacker hijack that user's session.

In both cases the attack fails if the comment is validated when it is submitted and, more importantly, HTML-encoded when it is rendered into the page, so that the browser treats it as text rather than as markup.

WPL provides APIs that encode untrusted values for the context they are emitted into, so that any malicious code in them is rendered harmless.

To demonstrate how easy the library is to use: add a reference to the AntiXSS library, and in the Microsoft.Security.Application namespace
you get a class called Encoder. This class has several static methods, one per output context (HTML body, HTML attribute, JavaScript, URL, XML).

One of these methods is Encoder.HtmlEncode, for the HTML body context:

e.g. Encoder.HtmlEncode(input)

At the time of writing WPL is still a CTP and can be downloaded from the Microsoft site.

As a rule, any value that is displayed to the user but originates from an external source (for example a shared database) has to go through the encode methods of the Encoder class, and
any HTML composed from user input, such as query strings or input fields, must be encoded with the method for the context it is emitted into before it is shown to the user. Encoding is an output-side defence: the safest habit is to store the raw value and encode it every time it is rendered. If you also encode before persisting to a data store, remember that encoding again on display will double-encode the value.

ASP.NET request validation is enabled by default and rejects requests whose form fields, query strings or cookies contain characters that look like markup (for example < followed by a letter, or script tags); if they are present an HttpRequestValidationException is thrown. Treat it as a safety net only: it is a blacklist, it does not cover every injection context, and it is commonly switched off for pages that must accept HTML, so output encoding is still required.
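As an added example (not from the original post), here is the web.config shape that controls request validation, with the weak setting shown commented out beside the one to keep. It assumes an ASP.NET 4.0 application; the requestValidationMode attribute does not exist on earlier runtimes.

```xml
<!-- Added example, not from the original post. Assumes ASP.NET 4.0. -->
<configuration>
  <system.web>
    <!-- WEAK: request validation switched off site-wide, so "<script>" in any
         form field or query string reaches page code unchallenged.
         <pages validateRequest="false" />
    -->

    <!-- Keep validation on (this is already the default). -->
    <pages validateRequest="true" />

    <!-- On ASP.NET 4.0 the default mode "4.0" validates every request, not only
         .aspx page requests; "2.0" restores the older page-only behaviour and is
         needed only when a page must switch validation off. -->
    <httpRuntime requestValidationMode="4.0" />

    <!-- If a single page (a rich-text editor, say) must accept markup, disable
         validation for that page only, with the Page directive, and encode
         that page's output explicitly:
         <%@ Page ValidateRequest="false" %>
    -->
  </system.web>
</configuration>
```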

WPL also comes with the Security Runtime Engine (SRE). This is an ASP.NET module that can be used to implicitly protect your application from XSS and SQL Injection attacks, without changing the page code.

To configure SRE, use the SRE Configuration Generator Windows application.
Point it at an existing web.config file and add Encoded types, that is, the server control types (and which of their properties) SRE should encode on your behalf.

With that in place SRE encodes the configured control output for you. It is not the whole story, though: only the control types and properties you listed are covered, markup written with Response.Write or inline <%= %> expressions is not, and SQL injection is properly fixed at the data layer with parameterized queries rather than by filtering input. Keep the explicit Encoder calls for everything SRE does not see.
