September 2010 Blog Posts
Get it while it’s hot. I’ll push the source to CodePlex tomorrow – my source VM is in a sorry state, so it’s rebuild time. Technorati Tags: AntiXSS
As I’m almost done the AntiXSS 4.0 release notes have been finalised; Minimum Requirements .NET Framework 3.5 Return Values If you pass a null as the value an encoding function the function will now return null. The previous behavior was to return String.Empty. Medium Trust Support The HTML Sanitization methods, GetSafeHtml() and GetSafeHtmlFragment() have been moved to a separate assembly. This enables the AntiXssLibrary assembly to run in medium trust environments, a common user request. If you wish to use the Html Sanitization library you must now include the HtmlSanitizationLibrary assembly. This assembly requires full trust and...
So late Friday two security researchers presented a side channel attack on the encryption and validation methods used on viewstate. This attack allows the attacker to derive the machine key used to encrypt viewstate and thus create their own signed viewstate, possibly compromising the web application. Side channel attacks work by analysing the response from the cryptosystem to infer information, in this case using the error responses from invalid padding. Now that the researchers have presented their work is under investigation; MSRC have an official advisory along with further information. ScottGu has also posted more details including a work around...