This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of ".NET AntiXSS Library"
From OWASP
Jeff Knutson (talk | contribs) m |
m (→Options) |
||
| (6 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
| − | + | '''NOTE''': This content is a work in progress and all contribution is welcome. Please contact [[User:Jeff Knutson|Jeff Knutson]] with questions, ideas, corrections, etc. | |
== Overview == | == Overview == | ||
| Line 5: | Line 5: | ||
Cross site scripting (XSS) continues to show up on the [[Category:OWASP_Top_Ten_Project|OWASP Top Ten Project]] as a top vulnerability every year. While very pervasive and dangerous, this vulnerability is possible to mitigate with reasonable developer effort. This page is dedicated to helping mitigate this vulnerability in regards to the Microsoft .NET Framework. | Cross site scripting (XSS) continues to show up on the [[Category:OWASP_Top_Ten_Project|OWASP Top Ten Project]] as a top vulnerability every year. While very pervasive and dangerous, this vulnerability is possible to mitigate with reasonable developer effort. This page is dedicated to helping mitigate this vulnerability in regards to the Microsoft .NET Framework. | ||
| − | == | + | == Attack Vectors == |
The primary XSS attack vectors are: | The primary XSS attack vectors are: | ||
* Reflected XSS | * Reflected XSS | ||
* Persistent XSS | * Persistent XSS | ||
| + | Please see [[Cross-site_Scripting_(XSS)#Stored and Reflected XSS Attacks|Cross-site Scripting (XSS)]] for more detail regarding reflected and persistent XSS attacks. | ||
== Options == | == Options == | ||
| Line 20: | Line 21: | ||
*OWASP Anti-Samy Library (https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project_.NET) | *OWASP Anti-Samy Library (https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project_.NET) | ||
**Not recently maintained (good option for to get it up to date and relevant!!!) | **Not recently maintained (good option for to get it up to date and relevant!!!) | ||
| + | * HtmlSanitizer | ||
| + | ** An open-source .Net library. | ||
| + | ** The HTML is cleaned with a white list approach. | ||
| + | ** All allowed tags and attributes can be configured. | ||
| + | ** The library is unit tested with the [https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet OWASP XSS Filter Evasion Cheat Sheet] | ||
| + | ** https://github.com/mganss/HtmlSanitizer | ||
== XSS References == | == XSS References == | ||
| + | * https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) | ||
* http://www.troyhunt.com/2010/05/owasp-top-10-for-net-developers-part-2.html | * http://www.troyhunt.com/2010/05/owasp-top-10-for-net-developers-part-2.html | ||
* http://www.troyhunt.com/2011/12/free-ebook-owasp-top-10-for-net.html | * http://www.troyhunt.com/2011/12/free-ebook-owasp-top-10-for-net.html | ||
* http://pluralsight.com/training/Courses/TableOfContents/owasp-top10-aspdotnet-application-security-risks (NOTE: This is a subscription course from PluralSight - I am not advocating any website or product, but found this to be useful and informative) | * http://pluralsight.com/training/Courses/TableOfContents/owasp-top10-aspdotnet-application-security-risks (NOTE: This is a subscription course from PluralSight - I am not advocating any website or product, but found this to be useful and informative) | ||
| − | *http://devproconnections.com/aspnet/microsoft-adds-antixss-tool-aspnet-45 | + | * http://devproconnections.com/aspnet/microsoft-adds-antixss-tool-aspnet-45 |
| + | * https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet | ||
| + | * [http://ha.ckers.org/xssAttacks.xml RSnake's XSS Cheatsheet] (in XML format; nice for programatic consumption!) | ||
| + | * http://lockmedown.com/preventing-xss-in-asp-net-made-easy (A comprehensive guide to cover the full web stack against XSS) | ||
* TODO add more references here -- Troy Hunt's material is excellent - I'm sure more people in the world have content which would be valuable here to reference... | * TODO add more references here -- Troy Hunt's material is excellent - I'm sure more people in the world have content which would be valuable here to reference... | ||
| Line 33: | Line 44: | ||
* See what work has already been done in the OWASP space for XSS | * See what work has already been done in the OWASP space for XSS | ||
* See what other work has been done for XSS (both .NET and other technology stacks) | * See what other work has been done for XSS (both .NET and other technology stacks) | ||
| − | * Illustrate vulnerabilities and how to mitigate them (e.g. WebGoat) | + | * Illustrate vulnerabilities and how to mitigate them (e.g. WebGoat.NET) |
* See if we can get the OWASP Anti-Samy project back into relevance | * See if we can get the OWASP Anti-Samy project back into relevance | ||
Latest revision as of 23:00, 2 March 2015
NOTE: This content is a work in progress and all contribution is welcome. Please contact Jeff Knutson with questions, ideas, corrections, etc.
Overview
Cross site scripting (XSS) continues to show up on the as a top vulnerability every year. While very pervasive and dangerous, this vulnerability is possible to mitigate with reasonable developer effort. This page is dedicated to helping mitigate this vulnerability in regards to the Microsoft .NET Framework.
Attack Vectors
The primary XSS attack vectors are:
- Reflected XSS
- Persistent XSS
Please see Cross-site Scripting (XSS) for more detail regarding reflected and persistent XSS attacks.
Options
- Microsoft AntiXSS Library
- Available in ASP.NET 4.5 in the System.Web.Security.AntiXss namespace
- Available prior to ASP.NET 4.5 via NuGet: (https://www.nuget.org/packages/AntiXSS/) Install-Package AntiXSS (currently v4.2.1 as of 4/12/2014)
- Using Microsoft AntiXSS as the default encoder in ASP.NET instructions (Phil Haack has a good link on this already: http://haacked.com/archive/2010/04/06/using-antixss-as-the-default-encoder-for-asp-net.aspx/)
- Microsoft Web Protection Library (WPL) - via http://wpl.codeplex.com/workitem/17246
- there seem to be known issues with this library: http://blog.securityps.com/2012/12/alternatives-to-microsofts-wpl-sanitizer.html
- OWASP Anti-Samy Library (https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project_.NET)
- Not recently maintained (good option for to get it up to date and relevant!!!)
- HtmlSanitizer
- An open-source .Net library.
- The HTML is cleaned with a white list approach.
- All allowed tags and attributes can be configured.
- The library is unit tested with the OWASP XSS Filter Evasion Cheat Sheet
- https://github.com/mganss/HtmlSanitizer
XSS References
- https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
- http://www.troyhunt.com/2010/05/owasp-top-10-for-net-developers-part-2.html
- http://www.troyhunt.com/2011/12/free-ebook-owasp-top-10-for-net.html
- http://pluralsight.com/training/Courses/TableOfContents/owasp-top10-aspdotnet-application-security-risks (NOTE: This is a subscription course from PluralSight - I am not advocating any website or product, but found this to be useful and informative)
- http://devproconnections.com/aspnet/microsoft-adds-antixss-tool-aspnet-45
- https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
- RSnake's XSS Cheatsheet (in XML format; nice for programatic consumption!)
- http://lockmedown.com/preventing-xss-in-asp-net-made-easy (A comprehensive guide to cover the full web stack against XSS)
- TODO add more references here -- Troy Hunt's material is excellent - I'm sure more people in the world have content which would be valuable here to reference...
TODO
Now
- Look at the Microsoft implementations
- See what work has already been done in the OWASP space for XSS
- See what other work has been done for XSS (both .NET and other technology stacks)
- Illustrate vulnerabilities and how to mitigate them (e.g. WebGoat.NET)
- See if we can get the OWASP Anti-Samy project back into relevance
Future
- Dream big here!
