How do I use AntiXSS?

Microsoft AntiXSS Library


In this tutorial, I'll show you how the Microsoft Anti-Cross Site Scripting Library can be used to protect users from Cross-Site Scripting (XSS) attacks. I'll also show you an easy method for assessing use case scenarios for potential XSS vectors using nothing more than a simple table.

Note: Cross-site scripting (XSS) attacks exploit vulnerabilities in Web-based applications that fail to properly validate and/or encode input that is embedded in response data. Malicious users can then inject client-side script into response data, causing the unsuspecting user's browser to execute the script code. The script code will appear to have originated from a trusted site and may be able to bypass browser protection mechanisms such as security zones. In addition, certain server-side queries such as LDAP look-ups can be injected in much the same way as SQL queries can, changing the result of the query.

These attacks are platform and browser independent, and can allow malicious users to perform undesired actions such as gaining unauthorized access to client data like cookies or hijacking sessions entirely.

If you want more information on XSS attacks, including instructions on how to test for them, some good references are

Protecting an application

To protect an application from XSS attacks we first need to understand the vectors that malicious users can use to conduct such attacks. Ideally, we should have done this at design time using threat modelling; however, we can still do this on applications that have already been implemented by following these steps:

  1. Review code which produces output.

  2. Determine whether output includes untrusted input parameters.

  3. Determine the context in which untrusted input is used as output.

  4. Encode the output appropriately.

If you aren't sure whether input is trusted or not, always err on the side of caution and assume it is not. Examples of common untrusted input include

  • Form fields

  • Query strings

  • Cookie contents

  • HTTP Headers

Which encoder should I use?

Once you have found code which outputs to the user, you need to determine whether the input is trusted or untrusted. Once you have decided the input is untrusted, you determine which encoding method must be used to make it safe. The following table will help you determine which encoding method to use.

| Encoding Method | Should be used when ... | Example |
| --- | --- | --- |
| HtmlEncode | Untrusted input is used in HTML output, except when assigning to an HTML attribute. | `<p>Hello [Untrusted Input]</p>` |
| HtmlAttributeEncode | Untrusted input is used in HTML attributes. | `<p id="[Untrusted Input]"></p>` |
| XmlEncode | Untrusted input is used in XML output, except when assigning to an XML attribute. | `<name>[Untrusted Input]</name>` |
| XmlAttributeEncode | Untrusted input is used in XML attributes. | `<name firstName="[Untrusted Input]"></name>` |
| UrlEncode | Untrusted input is used as a query string value in a URL. | `<a href="http://search.bing.com/search?q=[Untrusted Input]">Click Here!</a>` |
| UrlPathEncode | Untrusted input is used as part of a path in a URL. | `<a href="http://msdn.microsoft.com/[Untrusted Input]/">Click Here!</a>` |
| JavaScriptEncode | Untrusted input is used within a JavaScript context. | `<script>var something = "[Untrusted Input]";</script>` |

Other encoder methods include HtmlFormUrlEncode, which is used when, in code, you are building an HTTP POST request to submit to a web site, and LdapDistinguishedNameEncode and LdapFilterEncode, which encode untrusted input for safe use when building distinguished names or filters for queries against an LDAP directory.

Using AntiXSS

Now that you've determined which scenarios require encoding, all that is left to do is add the Microsoft Anti-Cross Site Scripting Library to your project and encode the untrusted input as it is embedded in response data. After you've installed the library you need to add a reference into your project. To do this use the following steps:

  1. Right click the project in the Solution Explorer Window in Visual Studio.

  2. Select the Add Reference ... option from the context menu.

  3. Select the browse tab and select the installation directory, then add the AntiXSSLibrary.dll appropriate for the .NET framework version you are using.

If you have not changed the install directory the library will be in C:\Program Files\Microsoft Information Security\AntiXSS Library v4.2 (32bit OSes) or C:\Program Files (x86)\Microsoft Information Security\AntiXSS Library v4.2 (64bit OSes). This folder will contain 3 directories, one for each version of the .NET framework AntiXSS supports.

Once you've added the reference to the library you will need to adjust your code to use the appropriate encoder. To do this open the files which contain code that writes output then

  1. Add a using directive: using Microsoft.Security.Application;

  2. Change the code which assigns output, for example

    string Name = Request.QueryString["Name"];

    would become

    string Name = Encoder.HtmlEncode(Request.QueryString["Name"]);

Now rebuild your web application and test it for XSS.
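The following handler is an added example (not code from this article or from the AntiXSS library itself) that ties the encoder table and the code change above together: one untrusted query-string value is written into each output context with the encoder the table prescribes, plus one server-side LDAP filter. The handler class, the page layout and the LDAP attribute name are assumptions; the Encoder methods are the ones the article names.

```csharp
using System;
using System.Text;
using System.Web;
using Microsoft.Security.Application;

// Hypothetical IHttpHandler (not from the article or the library) that takes
// one untrusted query-string value and emits it into several output contexts.
public class GreetingHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    // Builds the response body for an untrusted name. Kept separate from
    // ProcessRequest so it can be reviewed and exercised without an HttpContext.
    public static string BuildPage(string untrustedName)
    {
        var html = new StringBuilder();

        // HTML element content -> HtmlEncode
        html.Append("<p>Hello ").Append(Encoder.HtmlEncode(untrustedName)).Append("</p>\n");

        // HTML attribute value -> HtmlAttributeEncode (not HtmlEncode)
        html.Append("<div title=\"").Append(Encoder.HtmlAttributeEncode(untrustedName)).Append("\"></div>\n");

        // Query-string value inside a URL -> UrlEncode
        html.Append("<a href=\"http://search.bing.com/search?q=")
            .Append(Encoder.UrlEncode(untrustedName)).Append("\">Search</a>\n");

        // Path segment inside a URL -> UrlPathEncode (assumed /users/<name>/ layout)
        html.Append("<a href=\"/users/").Append(Encoder.UrlPathEncode(untrustedName)).Append("/\">Profile</a>\n");

        // JavaScript string literal -> JavaScriptEncode. In AntiXSS 4.x the
        // single-argument overload wraps its output in quotes, so the template
        // adds none of its own.
        html.Append("<script>var greeting = ").Append(Encoder.JavaScriptEncode(untrustedName)).Append(";</script>\n");

        return html.ToString();
    }

    // The same value used server-side in an LDAP search filter -> LdapFilterEncode
    // ("cn" is an assumed attribute name).
    public static string BuildLdapFilter(string untrustedName)
    {
        return "(cn=" + Encoder.LdapFilterEncode(untrustedName) + ")";
    }

    public void ProcessRequest(HttpContext context)
    {
        // Query-string input is untrusted, per the list earlier in the article.
        string name = context.Request.QueryString["Name"] ?? string.Empty;
        context.Response.ContentType = "text/html";
        context.Response.Write(BuildPage(name));
    }
}
```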

See Also: