Secure Code With The Microsoft Anti-Cross Site Scripting Library

Recently I attended a Security Development Lifecycle training course in Dallas, Texas, and I must admit that while I was aware of many vulnerabilities in web applications, I learned just how easy it is to do some real damage if software engineers don't fully understand the implications they face when developing a web application. In fact, while I was researching statistics on this topic I ran across a statistic stating that applications today contain more security flaws than the operating systems they run on. Now stop and think about this for a moment. Typically companies do everything in their power to patch the operating system, stand up firewalls, and generally control access. If a web application, for example, does not account for security, unauthorized individuals may gain access or, in the worst case, steal data that can be detrimental to a company should it fall into the wrong hands. Here are three areas that I believe you should focus on to get started.

  1. Validate input: Validate input from every untrusted data source (request parameters, form fields, cookies, headers, files, and data returned by other systems). Proper input validation can eliminate the vast majority of software vulnerabilities.
  2. Enforce security policies: Decide what the application's security policies are, then create a software architecture and design that implements and enforces them rather than relying on individual developers to remember them.
  3. Enforce a secure coding standard: Develop a secure coding standard for your target development language and platform, then ensure that your team follows it (code review and static analysis are the usual ways to check).

Microsoft has really done a great job in recent years of assisting software developers with writing secure code, and they obviously have been listening to the developer community. The Anti-Cross Site Scripting Library V3.1 is a wonderful product that any company or individual can easily incorporate into the development process to prevent cross-site scripting, one of the most commonly exploited classes of web application vulnerabilities.

If you're not familiar with Cross-Site Scripting (XSS), here is how Wikipedia defines the term: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 80% of all security vulnerabilities documented by Symantec as of 2007. Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site, and the nature of any security mitigation implemented by the site's owner.

So what is the Microsoft Anti-Cross Site Scripting Library V3.1 (Anti-XSS V3.1) exactly? It is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique, sometimes referred to as the principle of inclusion, to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters and then encoding anything outside this set (invalid characters or potential attacks). The white-listing approach has a clear advantage over the usual black-listing approach: a black-list encoder is only as good as its list of known-dangerous characters, while a white-list encoder encodes every character it has not been explicitly told is safe, so a character the author never thought about is encoded by default rather than passed through. New features in this version of the Microsoft Anti-Cross Site Scripting Library include:

  • An expanded white list that supports more languages
  • Performance improvements
  • Performance data sheets (in the online help)
  • Support for Shift_JIS encoding for mobile browsers
  • Security Runtime Engine (SRE) HTTP module
  • HTML Sanitization methods to strip dangerous HTML scripts

Once you have downloaded and installed the library, reference the AntiXssLibrary assembly from your project and call its encoding methods wherever untrusted data is written to a response (the Security Runtime Engine listed above can additionally be configured as an HTTP module to encode the output of server controls automatically). For example, the following demonstrates encoding end-user input before it is written to the page:

protected void Button1_Click(object sender, EventArgs e)
{
    // Read input: anything that arrives with the request is untrusted
    string input = TextBox1.Text;

    // Process input
    ...

    // Encode the untrusted input for the HTML body context and write the output.
    // AntiXss.HtmlEncode lives in the Microsoft.Security.Application namespace (AntiXssLibrary.dll).
    Response.Write("The input you gave was " + Microsoft.Security.Application.AntiXss.HtmlEncode(input));
}
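The following is an added illustration, written for this page and not code from the original post or from the Anti-XSS library, of the white-listing principle described above and of why the single HtmlEncode call in the handler above is only the right encoder for HTML body text. It models an allow-list encoder and a block-list encoder in Python and renders a constructed payload into two output contexts: an unquoted HTML attribute, and a JavaScript string inside an HTML event handler attribute. The allow-lists, the payloads and the helper names are this example's own assumptions; consult the library's documentation for its exact character tables.

```python
import html
import re

# Allow-lists: characters passed through untouched; everything else becomes a
# numeric character reference. These sets are this example's own assumption and
# are not the Anti-XSS library's exact tables.
ALNUM = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")
HTML_SAFE = ALNUM | set(" .,-_")   # HTML body text: a few punctuation marks are harmless
ATTR_SAFE = ALNUM | set(".,-_")    # attribute values: an unquoted value ends at whitespace, so encode it


def allowlist_encode(text, safe):
    """Encode every character that is not explicitly allowed (principle of inclusion)."""
    return "".join(ch if ch in safe else f"&#{ord(ch)};" for ch in text)


def html_encode(text):
    return allowlist_encode(text, HTML_SAFE)


def html_attribute_encode(text):
    return allowlist_encode(text, ATTR_SAFE)


def javascript_encode(text):
    """Allow-list encoder for a JavaScript string literal: non-alphanumerics become \\xHH or \\uHHHH."""
    out = []
    for ch in text:
        if ch in ALNUM:
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(f"\\u{ord(ch):04x}")
    return "".join(out)


def blocklist_encode(text):
    """Block-list encoder: only the classic HTML specials are escaped; everything else is trusted."""
    return (text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace('"', "&quot;").replace("'", "&#39;"))


# --- Case 1: the same value written into an unquoted attribute ---------------
PAYLOAD_ATTR = "x onmouseover=alert(1)"   # constructed payload: contains none of the block-listed characters


def render_unquoted_attribute(encoder, value):
    """Server-side template that forgot to quote the attribute value."""
    return f"<input value={encoder(value)}>"


def attribute_breaks_out(markup):
    """True if the rendered tag carries anything after the first whitespace-delimited value."""
    m = re.match(r"<input value=(\S*)(.*)>$", markup)
    return bool(m and m.group(2).strip())


# --- Case 2: a value nested in two contexts (HTML attribute, then JavaScript) --
PAYLOAD_JS = "'); alert(1); ('"   # constructed payload: closes the JS string literal and the call


def render_onclick(js_encoder, value):
    """Server writes <a onclick="show('VALUE')">: JavaScript inside an HTML attribute."""
    return "<a onclick=\"show('" + html_attribute_encode(js_encoder(value)) + "')\">"


def script_seen_by_browser(markup):
    """The HTML parser entity-decodes the attribute value before the JavaScript engine runs it."""
    m = re.search(r'onclick="([^"]*)"', markup)
    return html.unescape(m.group(1))


def breaks_out_of_literal(js_source):
    """True unless the whole argument is still one single-quoted literal with no raw quote inside."""
    return re.fullmatch(r"show\('([^']*)'\)", js_source) is None


if __name__ == "__main__":
    print(html_encode("<script>alert(1)</script>"))
    for name, enc in (("block-list", blocklist_encode), ("allow-list", html_attribute_encode)):
        markup = render_unquoted_attribute(enc, PAYLOAD_ATTR)
        print(f"{name:10} {markup}  breaks out: {attribute_breaks_out(markup)}")
    for name, enc in (("HTML-encode only", lambda s: s),
                      ("JS-encode, then HTML-attribute-encode", javascript_encode)):
        js = script_seen_by_browser(render_onclick(enc, PAYLOAD_JS))
        print(f"{name:38} {js}  breaks out: {breaks_out_of_literal(js)}")
```

Two things are worth noticing. First, the block-list encoder leaves `x onmouseover=alert(1)` untouched because the payload contains none of the five escaped characters, so an unquoted attribute silently gains an event handler, while the allow-list attribute encoder turns the space, `=`, `(` and `)` into character references and the value stays a single token. Second, a value written into a JavaScript handler inside an HTML attribute passes through two parsers: the HTML parser decodes the entities before the JavaScript engine sees the text, so HTML-encoding alone is undone and the quote breaks out of the literal. Encoding for the inner context first (JavaScript) and the outer context second (HTML attribute) keeps the payload inside the string literal after the HTML parser has done its decoding.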

You may be asking yourself whether it is really as simple as this. Well, yes and no. The encoder has to match the context the value is written into: HtmlEncode is correct for HTML body text, while values written into attributes, URLs or script blocks need the library's HtmlAttributeEncode, UrlEncode or JavaScriptEncode methods, and a value inside a script handler within an attribute needs both. Beyond that, XSS is just one class of vulnerability. If you recall from the 2007 Symantec study, 80% of the documented weaknesses were cross-site scripting vulnerabilities. I am not sure what the percentage is today, but I can only assume that it is still high based upon the applications I have personally seen first hand. In fact, the OWASP Top Ten (2010 edition) ranks XSS as the number two vulnerability, second only to injection attacks:

  1. Injection
  2. Cross-Site Scripting (XSS)
  3. Broken Authentication and Session Management
  4. Insecure Direct Object References
  5. Cross-Site Request Forgery (CSRF)
  6. Security Misconfiguration
  7. Insecure Cryptographic Storage
  8. Failure to Restrict URL Access
  9. Insufficient Transport Layer Protection
  10. Unvalidated Redirects and Forwards
