Microsoft Security Library – AntiXss Library

Microsoft provides a library to help prevent cross-site scripting (XSS) in web applications and websites. XSS is a common weakness in externally facing websites and is frequently exploited. Network protection, a web application firewall (WAF) and similar controls are important layers, but it is equally important to build the required protection into the application's design and code.

Anti XSS Library

Microsoft recommends the Anti-XSS library to protect websites from script injection. The library provides the following key methods for encoding request parameters before they are written back to the page.

- AntiXss.HtmlEncode(): converts HTML markup characters (such as < and >) to their entity equivalents (&lt;, &gt;), so the browser displays them as text instead of interpreting them as markup.

- AntiXss.UrlEncode(): encodes the special characters in a value so it can be placed safely in a URL.

- Sanitizer.GetSafeHtmlFragment(): strips script and HTML tags from the input and returns only the text.

Example:

// Untrusted input containing both formatting markup and a script block.
string actualstring = "<b>hello</b> world <br/><script>alert('hi')</script>";
// Written raw: the browser renders the markup and executes the script.
Response.Write(actualstring);
// HTML-encoded: the markup is shown literally as text.
Response.Write("HtmlEncode: " + AntiXss.HtmlEncode(actualstring) + "<br/>");
// URL-encoded: special characters are percent-encoded.
Response.Write("UrlEncode:" + AntiXss.UrlEncode(actualstring) + "<br/>");
// Sanitized: the script is removed and only the text is returned.
Response.Write("Sanitizer: " + Sanitizer.GetSafeHtmlFragment(actualstring));

Output (as rendered in the browser):

hello world
HtmlEncode: <b>hello</b> world <br/><script>alert(‘hi’)</script>
UrlEncode:%3cb%3ehello%3c%2fb%3e%20world%20%3cbr%2f%3e%3cscript%3ealert%28%27hi%27%29%3c%2fscript%3e
Sanitizer: hello world

The request parameters a CMS website typically receives are the query string, the URL path, input text boxes and cookies. Any value that originates from one of these sources should be encoded with the method above that matches the context in which it is written to the page.
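The following is an added example, not code from the original post. It is an ASP.NET Web Forms code-behind that takes one untrusted query-string value and applies the Anti-XSS encoder appropriate to each output context (HTML body, HTML attribute, URL and JavaScript string), and routes rich-text input through the sanitizer instead. It uses the Encoder and Sanitizer classes of the Microsoft.Security.Application namespace (Anti-XSS 4.x); the page name, the "q" and "comment" parameter names and the markup are assumptions for illustration.

```csharp
// Added example (not from the original post): one untrusted value, four output
// contexts, each with its matching encoder from the Anti-XSS library.
// Assumed names: SearchPage, the "q" query-string parameter, the "comment" form field.
using System;
using System.Web;
using System.Web.UI;
using Microsoft.Security.Application;

public partial class SearchPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Untrusted input: query string, URL path, form fields and cookies all arrive this way.
        string q = Request.QueryString["q"] ?? string.Empty;

        // UNSAFE (shown for contrast, kept commented out): reflecting the raw value lets
        // markup or script supplied in the query string run in the visitor's browser.
        // Response.Write("<p>Results for " + q + "</p>");

        // 1. HTML body context: <, >, &, " and ' become entities, so the value is displayed as text.
        Response.Write("<p>Results for " + Encoder.HtmlEncode(q) + "</p>");

        // 2. HTML attribute context: a value that closes the surrounding quote could otherwise
        //    add a new attribute; HtmlAttributeEncode escapes what matters inside a quoted attribute.
        Response.Write("<input type=\"text\" name=\"q\" value=\"" + Encoder.HtmlAttributeEncode(q) + "\" />");

        // 3. URL (query-string) context: percent-encode so the value cannot add or alter parameters.
        Response.Write("<a href=\"/search?q=" + Encoder.UrlEncode(q) + "&amp;page=2\">Next page</a>");

        // 4. JavaScript string context: HtmlEncode is the wrong tool here. JavaScriptEncode escapes
        //    the value for a JS string literal and emits the surrounding quotes itself.
        Response.Write("<script>var lastQuery = " + Encoder.JavaScriptEncode(q) + ";</script>");

        // Rich text that must keep harmless formatting (e.g. <b>) but lose script, event
        // handlers and dangerous URLs goes through the sanitizer rather than an encoder.
        string richInput = Request.Form["comment"] ?? string.Empty;
        Response.Write("<div class=\"comment\">" + Sanitizer.GetSafeHtmlFragment(richInput) + "</div>");
    }
}
```

The design point is that encoding is chosen by where the value is written, not by where it came from: the same query-string value needs different escaping in a paragraph, an attribute, a link and a script block, and applying HtmlEncode everywhere would leave the JavaScript and URL contexts exposed. In .NET 4.5 and later the same encoders ship in the framework as System.Web.Security.AntiXss.AntiXssEncoder and can be made the default for Server.HtmlEncode and Web Forms <%: %> output by setting the httpRuntime encoderType attribute in web.config; the Sanitizer class remains part of the separate Anti-XSS library.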
