XSS
There are 4 entries for the tag XSS
So by now we should all know that taking user input and spitting it back out in a web page without encoding it is a bad idea and leads to cross-site scripting. Of course some web sites don't bother, which leads to hilarity such as the Toyota Ireland recall page, as demonstrated here. All the HTML encoding in the world won't save you if you're not constraining and validating your input: encoding stops injected markup from executing, but a page that reflects whatever text it is given will still happily say whatever an attacker wants it to say (although Toyota aren't even bothering with encoding; you can embed script in the r parameter for that page).
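As an added illustration of that point (example code written for this page, not the Toyota site's code), here are three versions of a handler that reflects a recall reference from the query string. The parameter name r is the one mentioned above; the format of a valid reference, two letters followed by four digits, is an assumption made for the example:

```python
import html
import re
from typing import Optional

# Assumed shape of a genuine recall reference, e.g. "IE1234" (example's own rule).
RECALL_REF = re.compile(r"^[A-Z]{2}[0-9]{4}$")


def render_recall_page_vulnerable(r: str) -> str:
    """Reflects the parameter verbatim: any markup in r becomes part of the page."""
    return f"<p>Results for recall reference {r}</p>"


def render_recall_page_encoded_only(r: str) -> str:
    """Encodes on output: script no longer runs, but any text an attacker supplies
    is still printed on the page as if it were a genuine recall reference."""
    return f"<p>Results for recall reference {html.escape(r, quote=True)}</p>"


def render_recall_page_hardened(r: str) -> Optional[str]:
    """Constrains the input to its expected shape first, then still encodes on output."""
    if not RECALL_REF.fullmatch(r):
        return None  # reject; the caller serves a generic error page instead
    return f"<p>Results for recall reference {html.escape(r, quote=True)}</p>"


if __name__ == "__main__":
    # Constructed payloads: one injects script, one just puts words in the site's mouth.
    for value in ["IE1234", "<script>alert(1)</script>", "Your vehicle is not affected"]:
        print("raw:      ", render_recall_page_vulnerable(value))
        print("encoded:  ", render_recall_page_encoded_only(value))
        print("hardened: ", render_recall_page_hardened(value))
```

Encoding alone turns the second version's output into inert text, but it still prints whatever was passed in r as if it were a real reference; only the third version refuses anything that is not shaped like a recall reference, and it still encodes what it does accept.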
AntiXSS, the open source encoding library from the Microsoft Security Tools folks, has gone live, and the binaries are available from the MS download centre. I've been recommending this for quite a while over the framework's HtmlEncode and UrlEncode simply because it offers more options (JavaScript, VBScript and XML encoding) and has a visible test suite; plus if something does go wrong it'll be easier to patch it quickly, rather than waiting for a patched version of the .NET framework. There's also a runtime module which will try to encode on the fly in case you forget to ...
For the last couple of weeks I've been playing with the new version of Microsoft's AntiXSS package. AntiXSS provides more encoding methods and better implementations of the base HtmlEncode and UrlEncode that come with the framework.
However there's something new this time around - the Security Runtime Engine. This is an HTTP module which will automatically provide encoding for your legacy apps and act as a second line of defence if you forget to encode your outputs.
It was released on codeplex last night; you can get the v3 beta, installers and source from http://www.codeplex.com/AntiXSS - it's well worth looking at, they've even...
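To show what a "better implementation of HtmlEncode" means in practice, here is an added Python illustration (not the AntiXSS library's code) of the two approaches: the minimal blacklist encoding that HttpUtility.HtmlEncode performed in .NET 2.0, which replaced only the ampersand, the angle brackets and the double quote, and an allow-list encoder in the style AntiXSS takes, which encodes every character it does not positively know to be safe, with a JavaScript-string variant alongside. The allow-list itself and the function names are the example's own choices:

```python
import string

# Allow-list of characters emitted unchanged; everything else is encoded.
# The set is this example's own choice, not the library's.
SAFE = set(string.ascii_letters + string.digits + " ,.-_")


def blacklist_html_encode(s: str) -> str:
    """Mimics HttpUtility.HtmlEncode as it was in .NET 2.0: only &, <, >
    and the double quote are replaced. The apostrophe is left alone, so a
    value placed in a single-quoted attribute can break out of it."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))


def whitelist_html_encode(s: str) -> str:
    """HTML body/attribute context: every character outside SAFE becomes a
    numeric character reference, so no quote, bracket or equals sign
    survives to be interpreted as markup."""
    return "".join(c if c in SAFE else f"&#{ord(c)};" for c in s)


def whitelist_javascript_encode(s: str) -> str:
    """JavaScript string-literal context: returns a single-quoted literal
    with everything outside SAFE written as \\xHH (U+0000 to U+00FF) or
    \\uHHHH, so neither a closing quote nor </script> can end the literal."""
    out = ["'"]
    for c in s:
        if c in SAFE:
            out.append(c)
        elif ord(c) < 0x100:
            out.append(f"\\x{ord(c):02x}")
        else:
            out.append(f"\\u{ord(c):04x}")
    out.append("'")
    return "".join(out)


def render_input(encoder, value: str) -> str:
    """A single-quoted attribute: the context where the blacklist encoder fails."""
    return f"<input type='text' value='{encoder(value)}'>"


if __name__ == "__main__":
    # Constructed payload: closes the attribute and adds an event handler.
    payload = "' onmouseover='alert(1)"
    print(render_input(blacklist_html_encode, payload))
    print(render_input(whitelist_html_encode, payload))
    print("var ref = " + whitelist_javascript_encode("</script><script>alert(1)") + ";")
```

The blacklist version passes the apostrophe payload through untouched and the attribute is injected; the allow-list version leaves nothing but letters, digits and a few punctuation marks for the browser to interpret. The JavaScript encoder makes the same point for script blocks, which an HTML encoder is the wrong tool for in the first place.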
The ACE Team at MS have thrown out a beta of XSSDetect, a static analysis tool plugin for VS2005 to, err, detect XSS vulnerabilities in your code. Interesting stuff; it's a shame it doesn't detect as you code or raise errors at compile time, which would better enforce good practice just as FxCop does. Indeed the tool is part of a bigger internal suite: "XSSDetect is a stripped down version of our enterprise ready Code Analysis Tool for .NET code bases (CAT.NET for short). CAT.NET adds such features as VSTF integration, centralized reporting using web services, customized rulesets..."