In my previous article I explained what Cross Site Scripting (XSS) is and how it affects web application security. In this article we discuss how to prevent XSS in .NET applications by using the Microsoft Anti-Cross Site Scripting (Anti-XSS) library. The library supplies one output-encoding method per output context (HTML body, HTML attribute, JavaScript, URL, CSS, XML, LDAP), each built on a whitelist: every character not known to be safe in that context is encoded, rather than only a short blacklist of characters being replaced.
Before discussing how the library is used, download the latest Microsoft Anti-Cross Site Scripting library from https://www.microsoft.com/en-us/download/details.aspx?id=28589. Run the MSI; it installs the DLLs under C:\Program Files (x86)\Microsoft Information Security\AntiXSS Library v4.2. If you target .NET Framework 4.5 or later you do not strictly need the separate download: the same encoders ship in System.Web.dll as System.Web.Security.AntiXss.AntiXssEncoder, and the stand-alone library is no longer maintained. The examples below use the stand-alone DLL because that is what the previous article's project was built against.
Let's reuse the previous article's example. Open Microsoft Visual Studio 2015, create a new ASP.NET Web Application, and add the WebForm1.aspx and Feedbacks.xml files from the previous example project.
Right-click the project's References node and add AntiXSSLibrary.dll from C:\Program Files (x86)\Microsoft Information Security\AntiXSS Library v4.2\NET40 as shown below.
Import the Microsoft.Security.Application namespace and encode the name and feedback with Encoder.JavaScriptEncode() before they are saved, as shown below. The encoded text contains no < or > characters, so when the ListView renders it the browser has no tag to parse and the script in the previous article's payload never runs.
    using Microsoft.Security.Application;
    using System;
    using System.Data;
    using System.Xml;

    namespace XSSExample
    {
        public partial class WebForm1 : System.Web.UI.Page
        {
            protected void Page_Load(object sender, EventArgs e)
            {
                // Bind the stored feedback on the first request only; a postback
                // rebinds from btnSave_Click after the new entry has been written.
                if (!IsPostBack)
                {
                    Display();
                }
            }

            protected void btnSave_Click(object sender, EventArgs e)
            {
                string sFile = Server.MapPath("Feedbacks.xml");
                XmlDocument xdoc = new XmlDocument();
                xdoc.Load(sFile);
                XmlNode root = xdoc.DocumentElement;
                XmlElement xelement = xdoc.CreateElement("Feedback");

                // Encode the untrusted input before it is stored. JavaScriptEncode
                // replaces <, >, quotes and similar characters with \x escapes (and
                // wraps the value in single quotes), so the ListView has no tag to
                // emit even though it renders the value unencoded.
                XmlElement xName = xdoc.CreateElement("Name");
                xName.InnerText = Encoder.JavaScriptEncode(txtName.Text);
                xelement.AppendChild(xName);
                XmlElement xFeedback = xdoc.CreateElement("Message");
                xFeedback.InnerText = Encoder.JavaScriptEncode(txtFeedback.Text);
                xelement.AppendChild(xFeedback);

                root.AppendChild(xelement);
                xdoc.Save(sFile);
                Display();
            }

            private void Display()
            {
                try
                {
                    // Read every <Feedback> element back into a DataTable and bind it.
                    DataSet ds = new DataSet();
                    ds.ReadXml(Server.MapPath("Feedbacks.xml"));
                    lvFeddbacks.DataSource = ds.Tables[0];
                    lvFeddbacks.DataBind();
                }
                catch (Exception)
                {
                    // Swallowed in the original sample; a real page should at least
                    // log the failure instead of silently showing an empty list.
                }
            }
        }
    }
Run the application and enter the feedback Good…<script>window.location.href='https://www.google.com'</script>. The ListView displays the output shown below.
As shown above, the feedback now renders as text with escape sequences instead of redirecting the browser: JavaScriptEncode replaced <, >, ', / and = with \xNN escapes and wrapped the value in single quotes, so the markup the ListView emits contains no tag for the browser to parse. Two caveats before copying this into production code. First, JavaScriptEncode is the library's encoder for values placed inside a JavaScript string literal; the ListView cell is HTML element content, and the encoder that matches that context is Encoder.HtmlEncode(), which would neutralise the same payload while still displaying the text the user typed. Second, encoding at save time ties the stored value to one output context; the usual practice is to store the raw text (XmlElement.InnerText already escapes it for the XML file) and apply the context-appropriate encoder at render time, for example in the ListView's ItemTemplate or its ItemDataBound handler.
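As an added example that is not part of the original article, the following console program reproduces the save-and-display pipeline in memory and shows the two renderings side by side: the unencoded output that a bare <%# Eval("Message") %> template line produces, and the same stored value passed through Encoder.HtmlEncode() at render time. It assumes a project that references AntiXSSLibrary.dll, System.Data and System.Xml; the class and method names, and the sample name "Alice", are the example's own.

```csharp
// Added example, not code from the original article. Reference
// AntiXSSLibrary.dll, System.Data and System.Xml.
using System;
using System.Data;
using System.IO;
using System.Xml;
using Microsoft.Security.Application;

static class FeedbackRenderDemo
{
    // Constructed sample input: the article's test feedback (the ellipsis is
    // the same "…" character the article uses).
    const string Payload = "Good\u2026<script>window.location.href='https://www.google.com'</script>";

    // The same storage steps as the article's btnSave_Click, minus the encoding.
    // InnerText escapes < and & for the XML file, so the file stays well-formed,
    // but DataSet.ReadXml hands the original text back unchanged.
    static string StoreAndReadBack(string name, string message)
    {
        XmlDocument doc = new XmlDocument();
        doc.LoadXml("<Feedbacks></Feedbacks>");
        XmlElement feedback = doc.CreateElement("Feedback");
        XmlElement xName = doc.CreateElement("Name");
        xName.InnerText = name;
        feedback.AppendChild(xName);
        XmlElement xMessage = doc.CreateElement("Message");
        xMessage.InnerText = message;
        feedback.AppendChild(xMessage);
        doc.DocumentElement.AppendChild(feedback);

        // Same read path as the article's Display(), from a string instead of a file.
        DataSet ds = new DataSet();
        ds.ReadXml(new StringReader(doc.OuterXml));
        return ds.Tables[0].Rows[0]["Message"].ToString();
    }

    // What an unencoded <%# Eval("Message") %> in the ItemTemplate emits.
    static string RenderVulnerable(string message)
    {
        return "<td>" + message + "</td>";
    }

    // Encode at output, with the encoder for the HTML element-content context
    // the cell is in. The user's text is still readable; the tag is not.
    static string RenderHardened(string message)
    {
        return "<td>" + Encoder.HtmlEncode(message) + "</td>";
    }

    static void Main()
    {
        string stored = StoreAndReadBack("Alice", Payload);
        Console.WriteLine("Round-trips through XML unchanged: " + (stored == Payload));

        string vulnerable = RenderVulnerable(stored);
        string hardened = RenderHardened(stored);
        Console.WriteLine(vulnerable);
        Console.WriteLine(hardened);

        // Self-check: the unencoded rendering still carries a live tag, the
        // encoded one carries none.
        if (!vulnerable.Contains("<script>") || hardened.Contains("<script>"))
            throw new InvalidOperationException("encoding check failed");

        // The article's approach for comparison: JavaScriptEncode at save time.
        // It also removes the tag, but the stored value is now a quoted
        // JavaScript string literal with \x escapes, which is why the ListView
        // showed "special characters". That is the right encoder only when the
        // value is going to be emitted inside a <script> string literal.
        Console.WriteLine(Encoder.JavaScriptEncode(Payload));
    }
}
```

The same split applies to the WebForms page: keep btnSave_Click storing txtFeedback.Text as-is and move the encoding into the template (`<%# Encoder.HtmlEncode((string)Eval("Message")) %>`, with the namespace imported in the .aspx) or into an ItemDataBound handler, so the stored data can later be emitted into a different context with a different encoder.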
The Microsoft Anti-Cross Site Scripting Library's value is that it provides a separate, whitelist-based encoder for each output context rather than one general-purpose HtmlEncode. JavaScriptEncode is only one of them; the Encoder class exposes the following methods, and the rule for choosing among them is to pick the one that matches where the untrusted data is about to be placed.
Microsoft Anti XSS Encoding Method | Usage
--- | ---
JavaScriptEncode | Untrusted data placed inside a JavaScript string literal. The single-argument overload wraps the result in single quotes; JavaScriptEncode(input, false) leaves the quoting to the template.
HtmlEncode | Untrusted data placed in HTML element content (the ListView cell in this example).
HtmlAttributeEncode | Untrusted data placed in an HTML attribute value (id, name, title, width, height and so on). A style attribute is also a CSS context, so its value should be CssEncode'd first.
XmlEncode | Untrusted data placed in XML element content.
XmlAttributeEncode | Untrusted data placed in an XML attribute value.
UrlEncode | Untrusted data placed in a URL query-string parameter value.
VisualBasicScriptEncode | Untrusted data placed inside a VBScript string literal.
CssEncode | Untrusted data placed in a CSS value.
HtmlFormUrlEncode | Untrusted data placed in an application/x-www-form-urlencoded body (spaces become +).
LdapEncode | Untrusted data placed in an LDAP query. Marked obsolete in v4; use LdapFilterEncode for filters and LdapDistinguishedNameEncode for distinguished names.
LdapFilterEncode | Untrusted data placed in an LDAP search filter.
UrlPathEncode | Untrusted data placed in the path segment of a URL.
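The table above maps encoders to contexts. As an added example that is not from the original article, the program below runs one constructed untrusted string through those encoders, each placed in the markup it is meant for, and adds the check no encoder can substitute for: validating the scheme of a user-supplied URL before it goes into an href. It assumes a reference to AntiXSSLibrary.dll; the class, method and attribute names are the example's own.

```csharp
// Added example, not code from the original article. Reference AntiXSSLibrary.dll.
using System;
using Microsoft.Security.Application;

static class EncoderContextDemo
{
    // Constructed untrusted input covering the characters that matter in each
    // context: tag delimiters, both quote styles, an ampersand, a backslash,
    // a query separator and a non-ASCII character.
    const string Untrusted = "Caf\u00e9 <b>\"x\" & 'y'</b> \\ ?a=1";

    // One line of markup per context, each using the encoder for that context.
    static string[] Render()
    {
        return new[]
        {
            // HTML element content: the ListView cell in the article.
            "<td>" + Encoder.HtmlEncode(Untrusted) + "</td>",

            // HTML attribute value: a stricter safe list than HtmlEncode (the
            // space is encoded too), so it holds even if the quotes are forgotten.
            "<input value=\"" + Encoder.HtmlAttributeEncode(Untrusted) + "\" />",

            // JavaScript string literal inside a <script> block. The single-
            // argument overload supplies the single quotes itself...
            "<script>var a = " + Encoder.JavaScriptEncode(Untrusted) + ";</script>",
            // ...and emitQuotes: false is for templates that already have them.
            "<script>var b = '" + Encoder.JavaScriptEncode(Untrusted, false) + "';</script>",

            // URL query-string value, then a URL path segment.
            "<a href=\"search.aspx?q=" + Encoder.UrlEncode(Untrusted) + "\">link</a>",
            "<a href=\"/files/" + Encoder.UrlPathEncode(Untrusted) + "\">file</a>",
            // application/x-www-form-urlencoded body (space becomes +).
            "q=" + Encoder.HtmlFormUrlEncode(Untrusted),

            // CSS value inside a style block.
            "<style>.x { font-family: " + Encoder.CssEncode(Untrusted) + "; }</style>",

            // XML element content and XML attribute value.
            "<Message>" + Encoder.XmlEncode(Untrusted) + "</Message>",
            "<Message author=\"" + Encoder.XmlAttributeEncode(Untrusted) + "\" />",

            // LDAP search filter value.
            "(cn=" + Encoder.LdapFilterEncode(Untrusted) + ")",
        };
    }

    // Encoding cannot fix a value that is itself the dangerous thing. A URL
    // supplied by the user and placed in href must be validated by scheme:
    // HtmlAttributeEncode("javascript:alert(1)") still yields a clickable
    // javascript: link, because the browser decodes the entities in the
    // attribute before it resolves the scheme.
    static bool IsSafeLinkTarget(string url)
    {
        Uri parsed;
        return Uri.TryCreate(url, UriKind.Absolute, out parsed)
            && (parsed.Scheme == Uri.UriSchemeHttp || parsed.Scheme == Uri.UriSchemeHttps);
    }

    static void Main()
    {
        foreach (string line in Render())
            Console.WriteLine(line);

        Console.WriteLine(IsSafeLinkTarget("https://www.google.com"));   // accepted
        Console.WriteLine(IsSafeLinkTarget("javascript:alert(1)"));      // rejected
    }
}
```

When a value sits in nested contexts (a URL inside an attribute, CSS inside a style attribute) encode for the innermost context first and the outer one last, and treat the scheme check as validation that runs before any encoding.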
In future articles we will discuss the Microsoft Anti-XSS library and other security methods in more detail.