Microsoft AntiXSS Library
How do I use AntiXSS?
In this tutorial, I'll show you how the Microsoft Anti-Cross Site Scripting Library can be used to protect users from Cross-Site Scripting (XSS) attacks. I'll also show you an easy method for assessing use case scenarios for potential XSS vectors using nothing more than a simple table.
Note: Cross-site scripting (XSS) attacks exploit vulnerabilities in Web-based applications that fail to properly validate and/or encode input that is embedded in response data. Malicious users can then inject client-side script into response data, causing the unsuspecting user's browser to execute the script code. The script code will appear to have originated from a trusted site and may be able to bypass browser protection mechanisms such as security zones. In addition, certain server-side queries such as LDAP look-ups can be injected in much the same way as SQL queries can be injected, changing the result of the query.
These attacks are platform and browser independent, and can allow malicious users to perform undesired actions such as gaining unauthorized access to client data like cookies or hijacking sessions entirely.
If you want more information on XSS attacks, including instructions on how to test for them, some good references are
Protecting an application.
To protect an application from XSS attacks we first need to understand the vectors that malicious users can use to conduct such attacks. Ideally, we should have done this at design time using threat modelling; however, we can still do this on applications that have already been implemented using the following steps:
Review code which produces output.
Determine whether output includes untrusted input parameters.
Determine the context in which untrusted input is used as output.
Encode the output appropriately.
If you aren't sure whether input is trusted or not, always err on the side of caution and assume it is not. Examples of common untrusted input include
Form fields
Query strings
Cookie contents
HTTP Headers
Which encoder should I use?
Once you have found code which writes output to the user, decide whether the input it embeds is trusted or untrusted. For untrusted input, the output context (HTML body, HTML attribute, URL, JavaScript, and so on) determines which encoding method makes it safe; using an encoder for the wrong context leaves the output exploitable. The following table will help you choose the encoding method you must use.
Encoding Method | Should be used when ... | Example |
---|---|---|
HtmlEncode | Untrusted input is used in HTML output, except when assigning to an HTML attribute. | <p>Hello [Untrusted Input]</p> |
HtmlAttributeEncode | Untrusted input is used as the value of an HTML attribute. | <p id="[Untrusted Input]">Hello</p> |
XmlEncode | Untrusted input is used in XML output, except when assigning to an XML attribute. | <name>[Untrusted Input]</name> |
XmlAttributeEncode | Untrusted input is used as the value of an XML attribute. | <name firstName="[Untrusted Input]">...</name> |
UrlEncode | Untrusted input is used as a query string value in a URL. | <a href="http://search.bing.com/search?q=[Untrusted Input]">Click Here!</a> |
UrlPathEncode | Untrusted input is used as part of the path of a URL. | <a href="http://msdn.microsoft.com/[Untrusted Input]/">Click Here!</a> |
JavaScriptEncode | Untrusted input is used within a JavaScript context, for example as a string literal. | <script>var something = [Untrusted Input];</script> |
Note that in version 4.x JavaScriptEncode emits the surrounding single quotes for you (pass false as the second argument to suppress them), so the markup should not supply its own pair. Other encoder methods include HtmlFormUrlEncode, which is used when, in code, you are building an HTTP POST request to submit to a web site, and LdapDistinguishedNameEncode and LdapFilterEncode, which encode untrusted input for safe use when building distinguished names or search filters against an LDAP directory.
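The following is an added example, not code from the tutorial or from the AntiXSS library itself. It takes one constructed attacker payload and embeds it in each of the output contexts from the table, calling the AntiXSS 4.2 encoder that matches that context, and adds the LDAP filter case from the note at the top of the page. The payload, the URLs, the fragment layouts and the class and method names are assumptions made for this example; the only library calls are the public static methods of Microsoft.Security.Application.Encoder.

```csharp
// Added example, not code from the tutorial or from the AntiXSS library.
// Build as a console project with a reference to AntiXSSLibrary.dll.
using System;
using Microsoft.Security.Application;

static class EncoderByContext
{
    // Constructed attacker input: tries to close an attribute, close a tag and
    // start a script block in one go.
    const string Payload = "\" onmouseover=\"alert(1)\"><script>alert('x')</script>";

    // HtmlEncode: value lands in an element body.
    public static string Greeting(string name)
    {
        return "<p>Hello " + Encoder.HtmlEncode(name) + "</p>";
    }

    // HtmlAttributeEncode: value lands in a quoted attribute. Write the quotes
    // yourself; the encoder only makes the value safe between them.
    public static string NameField(string name)
    {
        return "<input type=\"text\" name=\"name\" value=\"" + Encoder.HtmlAttributeEncode(name) + "\" />";
    }

    // UrlEncode: value is a query-string parameter. The finished URL then sits
    // inside an href attribute, so it is attribute-encoded as a second layer.
    public static string SearchLink(string term)
    {
        string url = "http://search.bing.com/search?q=" + Encoder.UrlEncode(term);
        return "<a href=\"" + Encoder.HtmlAttributeEncode(url) + "\">Click Here!</a>";
    }

    // UrlPathEncode: value is a path segment, not a query parameter.
    public static string DocLink(string segment)
    {
        string url = "http://msdn.microsoft.com/" + Encoder.UrlPathEncode(segment) + "/";
        return "<a href=\"" + Encoder.HtmlAttributeEncode(url) + "\">Click Here!</a>";
    }

    // JavaScriptEncode: value becomes a JavaScript string literal. In AntiXSS 4.x
    // the one-argument overload emits the surrounding single quotes itself, so
    // the markup must not add another pair; use JavaScriptEncode(name, false)
    // when the quotes are already in the template.
    public static string VisitorScript(string name)
    {
        return "<script>var visitor = " + Encoder.JavaScriptEncode(name) + ";</script>";
    }

    // XmlEncode / XmlAttributeEncode: the same body-versus-attribute split for XML.
    public static string NameElement(string firstName, string note)
    {
        return "<name firstName=\"" + Encoder.XmlAttributeEncode(firstName) + "\">"
             + Encoder.XmlEncode(note) + "</name>";
    }

    // LdapFilterEncode: value is spliced into an LDAP search filter, the
    // "injected like SQL" case mentioned in the note at the top of the page.
    public static string UserFilter(string account)
    {
        return "(&(objectClass=user)(sAMAccountName=" + Encoder.LdapFilterEncode(account) + "))";
    }

    static void Main()
    {
        Console.WriteLine(Greeting(Payload));
        Console.WriteLine(NameField(Payload));
        Console.WriteLine(SearchLink(Payload));
        Console.WriteLine(DocLink("../" + Payload));
        Console.WriteLine(VisitorScript(Payload));
        Console.WriteLine(NameElement(Payload, Payload));
        // Constructed LDAP injection attempt: a wildcard plus an extra clause.
        Console.WriteLine(UserFilter("*)(objectClass=*"));
    }
}
```

Run it and compare each line of output with the raw payload: in every context the characters that would end the current token (the quote, the angle brackets, the LDAP parentheses and asterisk) come out encoded, while the surrounding markup you wrote stays intact. SearchLink and DocLink show the layering rule that the table implies but does not spell out: a URL built from untrusted input is itself untrusted input for the attribute it is placed in, so it gets the URL encoder first and the attribute encoder second.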
Using AntiXSS
Now that you've determined which scenarios require encoding, all that is left to do is add the Microsoft Anti-Cross Site Scripting Library to your project and encode the untrusted input as it is embedded in response data. After you've installed the library you need to add a reference into your project. To do this use the following steps:
Right click the project in the Solution Explorer Window in Visual Studio.
Select the Add Reference ... option from the context menu.
Select the browse tab and select the installation directory, then add the AntiXSSLibrary.dll appropriate for the .NET framework version you are using.
If you have not changed the install directory the library will be in C:\Program Files\Microsoft Information Security\AntiXSS Library v4.2 (32bit OSes) or C:\Program Files (x86)\Microsoft Information Security\AntiXSS Library v4.2 (64bit OSes). This folder will contain 3 directories, one for each version of the .NET framework AntiXSS supports.
Once you've added the reference to the library you will need to adjust your code to use the appropriate encoder. To do this, open the files which contain code that writes output, then
Add a using directive: using Microsoft.Security.Application;
Change the code which assigns output. For example
string Name = Request.QueryString["Name"];
would become
string Name = Encoder.HtmlEncode(Request.QueryString["Name"]);
Apply the encoder at the point where the value is written into the response rather than where it is read, so that the encoder matches the output context (HtmlEncode here, because Name is written into HTML element content) and the raw value stays available for any server-side processing. Now rebuild your web application and retest it for XSS.
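The following is an added example, not code from the tutorial. It shows the Page_Load of a Web Forms code-behind before and after the change described in the steps above, with the encoding applied where the value is written out rather than where it is read. "Name" is the query-string parameter used in the tutorial; the page class name, the two Literal controls and their markup, and the IsKnownUser lookup are assumptions made for this example.

```csharp
// Added example, not code from the tutorial. Web Forms code-behind for a
// page that greets the visitor named in the query string.
using System;
using System.Web.UI;
using System.Web.UI.WebControls;
using Microsoft.Security.Application;

public partial class WelcomePage : Page
{
    // Assumed markup: <asp:Literal ID="WelcomeText" runat="server" />
    //                 <asp:Literal ID="ProfileLink" runat="server" />
    protected Literal WelcomeText;
    protected Literal ProfileLink;

    // BEFORE: the raw query-string value goes straight into the response.
    // Requesting ?Name=<script>alert(document.cookie)</script> runs the script
    // in the visitor's browser. (Kept here for comparison; not wired to the page.)
    protected void Page_Load_Before(object sender, EventArgs e)
    {
        string name = Request.QueryString["Name"];
        WelcomeText.Text = "Hello " + name;
        ProfileLink.Text = "<a href=\"/profile.aspx?user=" + name + "\">Your profile</a>";
    }

    // AFTER: keep the raw value for server-side work and encode at each point
    // where it is written into the response, with the encoder for that context.
    protected void Page_Load(object sender, EventArgs e)
    {
        string name = Request.QueryString["Name"] ?? string.Empty;

        // Server-side use gets the raw value. Encoding on the way in would
        // corrupt it (a name like O'Brien would be looked up as O&#39;Brien).
        bool known = IsKnownUser(name);

        // Element body: HtmlEncode.
        WelcomeText.Text = "Hello " + Encoder.HtmlEncode(name) + (known ? "" : " (guest)");

        // Query-string value inside an href: UrlEncode the parameter, then
        // HtmlAttributeEncode the whole URL for the attribute it sits in.
        string url = "/profile.aspx?user=" + Encoder.UrlEncode(name);
        ProfileLink.Text = "<a href=\"" + Encoder.HtmlAttributeEncode(url) + "\">Your profile</a>";
    }

    // Assumed stand-in for a real user lookup.
    private static bool IsKnownUser(string name)
    {
        return string.Equals(name, "alice", StringComparison.OrdinalIgnoreCase);
    }
}
```

When retesting, request the page with the script payload above in Name and view the source: the hardened version renders the angle brackets as numeric entities inside the greeting and percent-encodes them inside the link, and no script element appears. On the .NET 4.0 build of the library you can additionally register Microsoft.Security.Application.AntiXssEncoder as the runtime encoder (the encoderType attribute of httpRuntime in web.config, with the assembly name AntiXssLibrary) so that ASP.NET's own <%: %> syntax and control encoding go through AntiXSS as well; explicit encoder calls like the ones above are still needed wherever you concatenate markup yourself.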