Thursday, April 29, 2010

Web Protection Library and XSS attacks

I started using the AntiXSS library that comes with the Microsoft Web Protection Library (WPL), this library gives you several APIs that can be used to protect your application from Cross Site Scripting (XSS).

So, What is an XSS attack?, this is where a malicious user injects scripts into the web page the user is viewing and the script runs as part of the response from compromised web site.

As a simple example, lets say a malicious user enters a comment on a blog post, with the comment he also appends a script that runs for 1000 times where a alert box is displayed.
Now every time a user views the comment section of the particular post, the script would execute.

An extream scenario would be where a user enter a script in the comment box where the script passes on the session id or a cookie of the logged in user to the hacker's web site.

In not these cases, if the input of the comment text box was scanned for any malicious code before saving it to a data source.

WPL supports APIs that will encode inputs and sanitize malicious code.

TO demonstrate how it is easy to use this library, all you have to do is to add a reference to the AntiXSS library and in the Microsoft.Security.Application namespace
you will get a Class called Encoder, this class has several static methods.

One of these methods is Encoder.HtmlEncode

EG Encoder.HtmlEncode(input)

WPL is still in CTP and can be downloaded from the MS site.

By rule, any input that is displayed to the user from an external source, for an example a share database has to go through the encode methods in the Encoder class and
any HTML that is displayed to the user composed form user inputs like query strings ot input fields need to be encoded before be show to the user and also these values have to encoded if they are persisted to in a data store.

ASP.NET by default supports input validation, by default this is enabled, and will not accept any malicious characters (like script and tags) from inputs, if they are present an exception is thrown.

WPL also comes with the Security Runtime Engine (SRE), this is a again a component that can be used to implicitly protect your application from XSS and SQ Injection attacks.

TO configure SRE, you can use the SRE configuration generator windows application.
You can point to an existing web.config file and add Encoded types, that is what types of controls needs to be encoded by SRE.

And that's it you are done, you application is protected from SQL injection and XSS.

No comments:

Post a Comment