Difference between revisions of ".NET AntiXSS Library"
Revision as of 02:37, 15 April 2014
NOTE: This content is a work in progress and all contributions are welcome. Please contact Jeff Knutson (User:Jeff Knutson) with questions, ideas, corrections, etc.
Overview
Cross-site scripting (XSS) continues to show up as a top vulnerability.
Options
- Microsoft AntiXSS Library
  - Available in ASP.NET 4.5 in the System.Web.Security.AntiXss namespace
  - Available prior to ASP.NET 4.5 via NuGet (https://www.nuget.org/packages/AntiXSS/): Install-Package AntiXSS (currently v4.2.1 as of 4/12/2014)
    - Instructions for using Microsoft AntiXSS as the default encoder in ASP.NET (Phil Haack has a good link on this already: http://haacked.com/archive/2010/04/06/using-antixss-as-the-default-encoder-for-asp-net.aspx/)
- Microsoft Web Protection Library (WPL) - via http://wpl.codeplex.com/workitem/17246
  - There seem to be known issues with this library: http://blog.securityps.com/2012/12/alternatives-to-microsofts-wpl-sanitizer.html
- OWASP Anti-Samy Library (https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project_.NET)
  - Not recently maintained (good opportunity to get it up to date and relevant!!!)
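As an added example (not code from the original page or from Microsoft), the C# snippet below shows the ASP.NET 4.5 System.Web.Security.AntiXss encoder applied per output context, which is the point of using the library: pick the encoder for where the untrusted data lands rather than calling one HtmlEncode everywhere. The sample input is constructed; the web.config fragment in the trailing comment is the registration that makes AntiXssEncoder the application-wide default.

```csharp
using System;
using System.Web;                  // HttpUtility (System.Web.dll)
using System.Web.Security.AntiXss; // AntiXssEncoder, ASP.NET 4.5+

// Added example: encode untrusted input for the context it is written into.
// Each method escapes for a different output context; using the wrong one
// (for example HtmlEncode inside a JavaScript string literal) leaves XSS open.
public static class AntiXssContextDemo
{
    // Constructed sample of attacker-controlled input, e.g. from a query string.
    public const string Untrusted = "<img src=x onerror=alert(1)>\"' O'Brien";

    // Text placed between HTML tags. 'false' = use numeric entities, not named ones.
    public static string ForHtmlBody(string s)      { return AntiXssEncoder.HtmlEncode(s, false); }

    // Value placed inside a quoted HTML attribute (title="...").
    public static string ForHtmlAttribute(string s) { return AntiXssEncoder.HtmlAttributeEncode(s); }

    // Value placed in a URL query-string parameter.
    public static string ForUrlQuery(string s)      { return AntiXssEncoder.UrlEncode(s); }

    // Value placed inside a CSS property value.
    public static string ForCss(string s)           { return AntiXssEncoder.CssEncode(s); }

    // Value placed inside a JavaScript string literal. The 4.5 AntiXssEncoder
    // class exposes no JavaScript encoder, so HttpUtility's is used here.
    public static string ForJavaScriptString(string s) { return HttpUtility.JavaScriptStringEncode(s); }

    public static void Main()
    {
        Console.WriteLine("HTML body : " + ForHtmlBody(Untrusted));
        Console.WriteLine("HTML attr : " + ForHtmlAttribute(Untrusted));
        Console.WriteLine("URL query : " + ForUrlQuery(Untrusted));
        Console.WriteLine("CSS value : " + ForCss(Untrusted));
        Console.WriteLine("JS string : " + ForJavaScriptString(Untrusted));
    }
}

// To make AntiXssEncoder the default for Server.HtmlEncode, <%: %> and Razor @
// output in ASP.NET 4.5, register it in web.config:
//
//   <system.web>
//     <httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web,
//                  Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
//   </system.web>
```

The default-encoder registration only covers HTML and URL encoding done through the framework; data written into JavaScript or CSS still needs the explicit context-specific call shown above.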
TODO
Now
- Look at the Microsoft implementations
- See what work has already been done in the OWASP space for XSS
- See what other work has been done for XSS (both .NET and other technology stacks)
- Illustrate vulnerabilities and how to mitigate them (e.g. WebGoat)
- See if we can get the OWASP Anti-Samy project back into relevance
Future
- Dream big here!