Anti-Cross Site Scripting Library (RETIRED)

quick question on Anti xss library

2010-06-01T13:54:15.623-04:00

Hi all,

Can anybody please tell or guide me on whether we can use Anti XSS library 3.1 on ASP applications?.

Please point me to an article if you know of something.

Thanks for any help,

Kumar Pindiprolu.

</div>

Whitelist/Blacklist

2010-05-07T00:18:56.87-04:00

It says that the library has an ability to specify whilist/blacklist tags in its description, however there are no examples and I couldn't find anything like that in dll file.

using Antixss dll in VS 2005

2010-02-01T11:39:54.59-05:00

Hi,

I want to use the AntiXSS library dll in my project. I downloaded the AntiXSS library.

But when i try to add the reference, I am not able to find the dll. I am also not getting the Microsoft.security.

What am i missing? How to add the Antixss library in the reference.

Thank you

checking cross site scripting in javascript

2010-02-01T11:37:17.963-05:00

Hi,

I have the following lines of code in my javascript.

function test()
{
 var Frameobj=document.getElementById('Frame1');
  

   if(((Frameobj != null) && (Frameobj != "") && (Frameobj != "undefined")))
   {
        Frameobj.src=window.location.toString().substr(0,window.location.toString().lastIndexOf('/')) + '/Names.aspx';
   }
}

How to check the cross site scripting for the above lines?

Thank you.

Adding AntiXSS to an existing project

2010-01-09T22:45:38.12-05:00

Hi,

I'm nearing the end of my project and have been using HTML Enconding and URL Encoding to sanitize my input. However, I've just come across Microsoft's AntiXSS library and found that it could be quite useful. However, I don't want to restart my project (in terms of sanitization). Does anyone have any experience on retrospectively adding AntiXSS to an existing ASP.NET web app? Is it quite a straightforward process of replacing any HTML ecoding with the AntiXSS namespace? If so, I plan to implement the AntiXSS after production has gone live (Due to time constraints).

Thanks

SQL Injection with AntiXss

2009-12-02T19:41:46.66-05:00

Hi all,

I'm new with the AntiXss.

Can someone tell me which function in AntiXss I can use to prevent SQL injection?

Thanks

Microsoft Anti-Cross Site Scripting Library V1.5 taking longer to load first time in app

2009-11-18T00:07:42.78-05:00

Hi All,

We are using Microsoft Anti-Cross Site Scripting Library V1.5 dll for encoding the few character in the cookie values, and recently we observed one perfromance issue while loading the first page of application. I further analysed each line of code to get the exact root cause of delay (almost 15 sec), and came to conclusion that the method (AntiXss.UrlEncode(Title) invoked from one of the wrapper component of application is executing as expected, however the wrapper component API is taking almost 15 sec to start executing this method.

Further again I directly inlcuded AntiXss.UrlEncode(Title) method in code, but again I observed wherever I have reference of this AntiXss Library dll reference and the first hit to that code is taking 15 sec, additioanaly this only happens at the first time after IIS Restart, further calls works as expected.

I am going to try replaceing the new 3.0 version of AntiXss Library, but wanted to know the root cause of this issue if any one have faced this before.

Thanks!!

GET and POST Interchangeable

2009-11-11T11:21:53.82-05:00

Hi,

My web application runs on IIS7 and Windows Server 2008. Right now, we are facing an issue where the application was found to accept parameters using the GET and POST HTTP Methods interchangeably. This provides 2 distinct methods for providing input to the application and can make certain attacks more viable.

For example, if an attacker found a POST parameter which was vulnerable to cross site scripting(XSS), and GET and POST requests were interchangeable, the XSS attack could be performed via GET instead, allowing them to create a URL to send to potential victims.

I would be glad if someone could help me to resolve this issue.

Regards,

Sunitha

Use of AntiXss with Infragistics Controls

2009-11-06T06:27:26.637-05:00

We have an application which was developed with infragistic controls. Right now we are planning to apply security to it, we need to stop the cross-site scripting (XSS). Since this particular application has many screens and, we dont want to go and touch each and every screen we planned to use AntiXSS security runtime engine, by configuring the controls to its antixssmodule.config file.

1) Infragistics WebTextEdit control is working fine, but we have trouble with couple of controls i.e. in the Infragistics UltraWebGrid & WebCombo. Please suggest what can be done?

Below is the code which has been configured in the antixssmodule.config file. This has been added along with the WebControls list.

2) There is another problem on configuring AntiXss module with the application. There are couple of the screens where a default value has been selected in the ListBox control.

Now the problem here is... this value is not being selected by default.

Using Infragistics 7.1 Vol 1(2007) controls.

Visual studio 2005.

Thanks,

Raghu

AntiXSS module error: "Cannot get inner content of because the contents are not literal."

2009-09-22T07:13:26.127-04:00

Can someone please explain why this error occurs if one uses the AntiXSS module and how to avoiud it?

Thank you very much.

TargetInvocationException: Exception has been thrown by the target of an invocation. --->System.Web.HttpException: Cannot get inner content of because the contents are not literal.
at System.Web.UI.HtmlControls.HtmlContainerControl.get_InnerHtml()
--- End of inner exception stack trace ---
at System.RuntimeMethodHandle._InvokeMethodFast(Object target, Object[] arguments, SignatureStruct& sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)
at System.RuntimeMethodHandle.InvokeMethodFast(Object target, Object[] arguments, Signature sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)
at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture, Boolean skipVisibilityChecks)
at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at System.Reflection.RuntimePropertyInfo.GetValue(Object obj, BindingFlags invokeAttr, Binder binder, Object[] index, CultureInfo culture)
at System.Reflection.RuntimePropertyInfo.GetValue(Object obj, Object[] index)
at Microsoft.Security.Application.SecurityRuntimeEngine.PageProtection.XssProtection.EncodeControl(Control control, String type)
at Microsoft.Security.Application.SecurityRuntimeEngine.PageProtection.XssProtection.FindAndEncodeControls(Page p, ControlCollection cc)
at Microsoft.Security.Application.SecurityRuntimeEngine.PageProtection.XssProtection.FindAndEncodeControls(Page p, ControlCollection cc)
at Microsoft.Security.Application.SecurityRuntimeEngine.PageProtection.XssProtection.EncodePage(Page p)
at Microsoft.Security.Application.SecurityRuntimeEngine.PageProtection.XssProtection.page_PreRender(Object sender, EventArgs e)
at System.EventHandler.Invoke(Object sender, EventArgs e)
at System.Web.UI.Control.OnPreRender(EventArgs e)
at System.Web.UI.Control.PreRenderRecursiveInternal()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

</div>

Encoding and XSS in general

2009-09-03T19:17:20.62-04:00

1. Can someone explan how encoding helps with XSS? For example, I have a dropdown with 100 values and the user chooses number 50. So are all values encoded then? Can't the attacker do his own encoding and put it back into the dropdown? Please elaborate.

2. Can one use this library for non-ASP.NET webform application, can you use it for a custom MVC framework with custom views built on top of ASP.NET? Basically not using asp.net controls

How to use JavaSrciptEncode in web page

2009-06-30T08:41:43.42-04:00

I am trying to use AntiXss methods in my application. Can anybody provide me some example how to use JavascriptEncode method in a page and at which scenarios it should be used.

Microsoft Anti-Cross Site library 3.0

2009-06-17T10:15:02.33-04:00

Till date there is a BETA version of the Microsoft Anti-Cross Site library 3.0 available. Any idea when Microsoft team is going to release the final version of this library?

We were planning to use this in one of our production site. However, since this library is still in BETA stage, product management thinks its a risk.

We thought of using the Anti-Cross Site library 1.5, however its license does not allow us to use in the hosted web site. Excerpts from the license of 1.5 are :

1. INSTALLATION AND USE RIGHTS. You may install and use any number of copies of the software on your devices to design, develop and test your programs.
2. SCOPE OF LICENSE. .... You may not: .... use the software for commercial software hosting services....

Protection Required : What are 1 to 5 steps ???

2009-05-01T18:16:23.23-04:00

I undertstand to filter HTML going from editor to SQL server varchar(max) and back to browser is a challenge.

I have read about
1) Regex
2) Anti cross scripting library v1.5
3) HTMLencode
4) Page validation = false
5) Common data

I have asp.net (VB) 2.0 project that allows HTML from an Editor (freetextbox, and obout editor) into SQL server 2005 varchar(max) field, and then its returned back to the browser via user actions.

The $64000 dollar questions
1) How to make sure HTML going in from editor is not dangerous
2) How do I make sure that my CSS is not altered
3) How do I stop unwanted scripts (java and vbscripts

It seams to me all I want is the same functionality that this forum has posting its posts, or whatever WordPress and other blog systems are using when HTML is posted from editors in there software ?

What are steps. Simple please, what functions do I use, any examples in detail in either C# or VB. Why isnt there a one stop package that does it all.

I require server side filtering

Links read
http://msdn.microsoft.com/en-us/library/aa973813.aspx
http://wiki.flux-cms.org/display/BLOG/XSS+Prevention

Using AntiXss with TagMapping

2009-03-05T22:46:28.277-05:00

Hi,

I'm using the AntiXss library in conjunction with TagMapping to remap all textbox and label control data is automatically run through the AntiXss library. When users enter data in a WYSIWYG editor, the data is stored in the database in encoded format in the database.

When it's displayed in the browser, all html is displayed, including <p> tags, etc. How can I exclude specific tags from being encoded like that?

Using AntiXss?

2009-01-27T23:01:24.257-05:00

Hello,

Could someone please help me to understand if (and how!) I can use AntiXss to filter out Xss in those 2 cases:

1. CommandArguement:

<asp:LinkButton id="LinkButton1" CssClass="Button" runat="server" CommandArgument='<%# DataBinder.Eval(Container.DataItem,"UserName") %>'><%# DataBinder.Eval(Container.DataItem,"UserName") %></asp:LinkButton>

What method out of the library can I use to make sure no unwanted code injected into the Command Argument ?

2. Image Source

What method out of the library can help me to make sure no javascript gets into the source of an image?

Thank you

Microsoft.Security namespace does not appear

2009-03-02T07:17:50.77-05:00

Hi,

I want to use Anti-Cross Site Scripting Library V3.0 but I am not able to use it in my application...

I installed AntiXSSV30Beta.msi also...

Do i need to something more with Framework?

Problem with AttributeEncoding href

2009-02-05T11:02:56.313-05:00

Hi, am i missing something but why does the following alert hello when clicking on test:

Appreciate your help. Thanks

AntiXss Requiring Internet Access?

2007-11-07T17:52:29.227-05:00

We have a custom class that inherits from AntiXss and anytime a method is called, we have noticed that it is attempting to make a request out to 131.107.115.28 over port 80. We operate in a highly controlled environment, and most of our servers (web included) only have specific outbound access.

Has anyone else noticed this issue? Is there a way to circumvent the outbound call? What exactly is it attempting to do?

Thanks in advance,

Sam

Preventing my site from cross scripting

2009-01-12T13:25:47.207-05:00

Hi,

I found that my site which is deployed is vulnerable to XSS scripting.Whenever i try to inject some script from the url through address bar like for example

http://localhost/mysamplesite/default.mspx/"/alert(1)/"

http://localhost/mysamplesite/default.mspx?fp="<script>alert(1)</script>"

it is firing an alert.Can anyone plzz guide me how to prevent this,what i need is anything typed in the url if at all a malicious content should just be bypassed.

And also plzz let me know more ways how a user can inject script through URL.

Thanks.

santosh