Observations and insights from the Security PS Team.

Microsoft releases library to help mitigate cross-site scripting

Many web applications today exhibit security vulnerabilities due to the lack of proper input validation and output encoding. Though numerous development platforms exist, none have a foolproof way to provide complete protection from attacks such as parameter manipulation or cross-site scripting (XSS). Even modern and robust frameworks such as Microsoft .NET are no exception.

However, Web applications written with .NET, in a language such as C#, can utilize many new and interesting approaches to solving input and output vulnerabilities. The attribute validateRequest, for example, can force a .NET application to check for the existence of script-based attacks.

The validateRequest functionality checks for the presence of patterns containing an angle bracket and an alpha character. Under many circumstances, this will prevent a XSS attack. However, when values are written dynamically to HTML, angle brackets are not needed, and an exploit remains possible. Then there are times when developers may choose to disable validateRequest, in which case there is no default protection against XSS attacks.

To aid in mitigating these threats, Microsoft recently released a programming class to prevent XSS vulnerabilities. The Microsoft Anti-Cross Site Scripting Library performs transformations of certain special characters into their HTML entity equivalents, or URL encoded equivalents for items that need to be passed in the URL. For example, <, when run through the HTMLEncode() method will now be safely rendered by the browser as &60;, which is the hexadecimal form of the less-than sign.

Some scenarios will still permit XSS attacks. Developers should use the URLEncode() method to write information that will be sent via URL, such as links. It is therefore critical to apply this as another layer of data validation and encoding security and not use it as your only defense.

Programmers using .NET that wish to make use of this in their applications as an approach to defense-in-depth can obtain it for free from the Microsoft website.
    Blogger Comment
    Facebook Comment


Post a Comment