This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Category:OWASP AntiSamy Project .NET"

From OWASP
Jump to: navigation, search
(Running)
(Running)
Line 42: Line 42:
  
 
         AntiSamy _as = new AntiSamy();
 
         AntiSamy _as = new AntiSamy();
        Policy policy;
+
         string filename = Server.MapPath("./properties/antisamy-slashdot.xml");
         string filename = null;
+
         Policy policy = Policy.getInstance(filename);
        filename = Server.MapPath("./properties/antisamy-slashdot.xml");
 
         policy = Policy.getInstance(filename);
 
 
         CleanResults results = _as.scan(txtInput.Text, policy);
 
         CleanResults results = _as.scan(txtInput.Text, policy);
 +
 +
And here is an example of using both the clean HTML and the error messages:
 +
 
         lblOutput.Text = results.getCleanHTML();
 
         lblOutput.Text = results.getCleanHTML();
 
         string s = "";
 
         string s = "";

Revision as of 06:10, 30 July 2008

Click here to return to OWASP Projects page.
Click here to see (& edit, if wanted) the template.


PROJECT IDENTIFICATION
Project Name OWASP AntiSamy .NET Project
Short Project Description This project is API for validating rich HTML/CSS input from users without exposure to cross-site scripting and phishing attacks.
Key Project Information Project Leader
Jerry Hoff
Project Contributors
Jason Li
J Irving
Arshan Dabirsiaghi

Mailing List
Subscribe here
Use here

License
New BSD License
Project Type
Tool
Sponsors
OWASP SoC 08
Release Status Main Links Related Projects

Release Quality
Please see here for complete information.

Owasp Anti-Samy Tool
A test site set up to bang on it

OWASP AntiSamy Project - Java


What is AntiSamy .NET?

The OWASP AntiSamy .NET project is a few things. Technically, it is an API for ensuring user-supplied HTML/CSS is in compliance within an application's rules. Another way of saying that could be: It's an API that helps you make sure that clients don't supply malicious cargo code in the HTML they supply for their profile, comments, etc. that gets persisted on the server. The term malicious code in terms of web applications is usually regarded only as JavaScript. Cascading Stylesheets are only considered malicious when they invoke the JavaScript engine. However, there are many situations where "normal" HTML and CSS can be used in a malicious manner.

Philosophically, AntiSamy .NET is a departure from all contemporary security mechanisms. Generally, the security mechanism and user have a communication that is virtually one way, for good reason. Letting the potential attacker know details about the validation is considered unwise as it allows the attacker to "learn" and "recon" the mechanism for weaknesses. These types of information leaks can also hurt in ways you don't expect. A login mechanism that tells the user, "Username invalid" leaks the fact that a user by that name does not exist. A user could use a dictionary or phone book or both to remotely come up with a list of valid usernames. Using this information, an attacker could launch a brute force attack or massive account lock denial-of-service. So, we get that.

Unfortunately, that's just not very usable in this situation. Typical Internet users are largely ineffective when it comes to writing HTML/CSS, so where do they get their HTML from? Usually they copy it from somewhere out on the web. Simply rejecting their input without any clue as to why is jolting and annoying. Annoyed users go somewhere else to do their social networking.

Socioeconomically, AntiSamy .NET is a have-not enabler. Private companies like Google, MySpace, eBay, etc. have come up with proprietary solutions for solving this problem. This introduces two problems. One is that proprietary solutions are not usually all that good, and even if they are, well - naturally they're reluctant to share this hard-earned IP for free. Fortunately, we just don't care. We don't see any reason why only these private companies should have this functionality, so we are releasing this for free.

The OWASP licensing policy (further explained in the membership FAQ) allows OWASP projects to be released under any approved open source license. Under these guidelines, AntiSamy .NET is distributed under a BSD license.


Getting Started

There's 4 steps in the process of integrating AntiSamy. Each step is detailed in the next section, but the high level overview follows:

  1. . Download AntiSamy from its home on Google Code
  2. . Choose one of the standard policy files that matches as close to the functionality you need:
  • . antisamy-slashdot.xml
  • . (more to come in the near future)
  1. . Tailor the policy file according to your site's rules
  2. . Call the API from the code

Downloading

Installing

Tailoring the policy file

Running

Using AntiSamy is abnormally easy. Here is an example of invoking AntiSamy with a policy file:

       AntiSamy _as = new AntiSamy();
       string filename = Server.MapPath("./properties/antisamy-slashdot.xml");
       Policy policy = Policy.getInstance(filename);
       CleanResults results = _as.scan(txtInput.Text, policy);

And here is an example of using both the clean HTML and the error messages:

       lblOutput.Text = results.getCleanHTML();
       string s = "";
       for (int i = 0; i < results.getErrorMessages().Count; i++)
       {
           s += results.getErrorMessages()[i].ToString() + "<p/>"; 
       }
       lblErrors.Text = s;

Contacting us

OWASP AntiSamy mailing list

Emailing the project lead

=== Issue tracking ===

This category currently contains no pages or media.