Friday, January 12, 2007

Anti-Cross Site Scripting Library

Cross-site scripting (XSS) attacks exploit vulnerabilities in Web-based applications that fail to properly validate and/or encode input that is embedded in response data. Malicious users can then inject client-side script into response data, causing the unsuspecting user's browser to execute the script code. The script code will appear to have originated from a trusted site and may be able to bypass browser protection mechanisms such as security zones.

These attacks are platform and browser independent, and can allow malicious users to perform actions such as gaining unauthorized access to client data like cookies, or hijacking sessions entirely.

Simple steps that developers can take to prevent XSS attacks in their ASP.NET applications include:

  • Validating and constraining input
  • Encoding output

For defence in depth, developers may wish to use the Microsoft Anti-Cross Site Scripting Library to encode output. This library differs from most encoding libraries in that it uses the "principle of inclusions" technique to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters and then encoding anything outside this set (invalid characters or potential attacks). The principle of inclusions approach provides a high degree of protection against XSS attacks and is suitable for Web applications with high security requirements.
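The two encoding approaches side by side, as an added Python example that is not part of the original post and not the library's own code: a minimal exclusion-style (denylist) encoder next to a principle-of-inclusions (allowlist) encoder, an allowlist validator for the "validating and constraining input" step above, and a small audit helper that shows which characters each encoder lets through unchanged. The SAFE_CHARS set, the USERNAME_RE pattern and the sample strings are constructed for this illustration; they are not the library's own safe set. The same comparison is what the FAQ below refers to when it contrasts the library with the framework's HtmlEncode.

```python
import html
import re

# Constructed allowlist for this example: characters that pass through an
# HTML text or attribute value unencoded. The real library's safe set is not
# reproduced here; the point is the shape of the approach, not the exact set.
SAFE_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
    " ,.-_"
)


def html_encode_inclusion(text: str) -> str:
    """Principle-of-inclusions encoder.

    Every character outside SAFE_CHARS is replaced by a numeric character
    reference, so a character the author never thought about (a quote, a
    backtick, an equals sign, a non-ASCII letter) cannot reach the browser
    unencoded.
    """
    return "".join(ch if ch in SAFE_CHARS else f"&#{ord(ch)};" for ch in text)


def html_encode_denylist(text: str) -> str:
    """Exclusion-style encoder for comparison.

    Only the characters known to be significant in HTML are replaced; anything
    not on the list passes through untouched. This is the model most classic
    encoders follow, and it is safe as long as the list is complete for the
    context the output lands in.
    """
    return (
        text.replace("&", "&amp;")
        .replace("<", "&lt;")
        .replace(">", "&gt;")
        .replace('"', "&quot;")
    )


def passthrough_chars(encoder, text: str) -> str:
    """Audit helper: the characters of `text` that `encoder` emits verbatim,
    sorted into a string so the two encoders can be compared side by side."""
    return "".join(sorted({ch for ch in text if encoder(ch) == ch}))


def roundtrip_ok(text: str) -> bool:
    """Check that inclusion encoding is lossless: decoding the references
    gives back exactly the original text (the encoder hides nothing)."""
    return html.unescape(html_encode_inclusion(text)) == text


# Constructed allowlist for the "validate and constrain input" step: a user
# name is letters, digits and underscores, 3 to 20 characters, nothing else.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")


def validate_username(value: str) -> bool:
    """Accept only values that match the allowlist pattern in full."""
    return USERNAME_RE.fullmatch(value) is not None


def render_greeting(display_name: str) -> str:
    """Output-encoding step: embed untrusted text in an HTML response using
    the inclusion encoder, whatever the input validation let through."""
    return f"<p>Hello, {html_encode_inclusion(display_name)}</p>"


if __name__ == "__main__":
    sample = "O'Brien <b>"  # constructed input containing a quote and a tag
    print("inclusion:", html_encode_inclusion(sample))
    print("denylist: ", html_encode_denylist(sample))
    print("denylist passes through: ", passthrough_chars(html_encode_denylist, "a'`=b"))
    print("inclusion passes through:", passthrough_chars(html_encode_inclusion, "a'`=b"))
    print(render_greeting("caf\u00e9"))
```

Running the script shows the difference the post describes: both encoders neutralise `<b>`, but the denylist encoder emits the apostrophe, backtick and equals sign unchanged, while the inclusion encoder turns them into `&#39;`, `&#96;` and `&#61;` because they were never on the allowed list. Validation and encoding are kept as separate steps on purpose; the validator rejects what the application has no reason to accept, and the encoder still protects whatever does get through.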


Frequently Asked Questions

Q. I am currently using the .NET Framework System.Web.HttpUtility.HtmlEncode and other encoding methods in this class to encode output. Does the Microsoft Anti-Cross Site Scripting Library address a vulnerability in these methods? Are the encoding methods provided in the .NET Framework safe to use?

A. The encoding methods native to the .NET Framework are safe to use and no vulnerability is being addressed by this release of the Microsoft Anti-Cross Site Scripting Library. The Microsoft Anti-Cross Site Scripting Library differs from these methods in that it uses the principle of inclusions technique, which first defines a set of valid characters so that anything outside that set is automatically encoded.

Q. If the encoding methods in the .NET Framework are safe to use, why would I use the methods in the Anti-Cross Site Scripting Library instead?

A. The Anti-Cross Site Scripting Library uses the principle of inclusions technique to provide protection against XSS attacks that some regard as industry best practice. Both this library and the .NET Framework encoding methods are safe to use and provide good protection against XSS attacks. The Anti-Cross Site Scripting Library now provides you with the option to use an encoding library that follows the principle of inclusions school of thought.

Q. The ASP.NET server controls (like TextBox, BulletedList, and so on) use the existing encoding methods in the .NET Framework. Why should I use the methods in the Anti-Cross Site Scripting Library when my server controls use the methods from the .NET Framework? Is there any way to force the server controls to use the methods from the Anti-Cross Site Scripting Library?

A. There currently is no way to force existing server controls to use the Anti-Cross Site Scripting Library. ASP.NET server controls that encode using methods from the Anti-Cross Site Scripting Library will be provided in future releases of this library.

Q. Are there any additional resources I can read to learn how to protect my Web applications against XSS attacks?

A. Yes, please refer to the following resources from the patterns & practices teams:

  • Download: Microsoft Anti-Cross Site Scripting Library V1.5 Download
  • Tutorial: How to Use the Microsoft Anti-Cross Site Scripting Library V1.5 to Protect the Contoso Bookmark Page