XSS Remedies Part I:
In the previous article I mentioned some Cross Site scripting problems and outlined some remedies. Here onwards I will explain the solutions in more detail.
Encoding input data before displaying it is always a good practice. This is easy and straightforward using the ASP.NET HttpServerUtility.HtmlEncode method. It converts dangerous symbols, including HTML tags, to their harmless HTML representation; for example, < becomes &lt;.
The problem with System.Web.HttpUtility.HtmlEncode, however, is that it is based on a deny-list approach; as a result it is only effective against the following characters:
- chars with values 160-255 inclusive
The Microsoft ACE Team recently released an Anti Cross Site Scripting Library which, on the other hand, follows an accept-only approach: it looks for a finite set of valid input and everything else is considered invalid (all input is evil, eh). This approach therefore provides more comprehensive protection against XSS and reduces the ability to trick HttpUtility.HtmlEncode with alternative-encoding (canonicalization) attacks.
The Anti-XSS lib exports just two functions (HtmlEncode and UrlEncode) and works much like HttpUtility.HtmlEncode.
Now all characters are encoded except for:
- a-z (lower case)
- A-Z (upper case)
- 0-9 (Numeric values)
- , (Comma)
- . (Period)
- _ (Underscore)
- - (dash)
- (Space), except in UrlEncode
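To make the accept-only rule concrete, here is an added example (not the Anti-XSS library's own code) of an allow-list HTML encoder that passes through exactly the characters listed above and encodes everything else, shown beside the deny-list HttpUtility.HtmlEncode on the same constructed input. It assumes a .NET Framework project with a reference to System.Web; the choice of decimal character references (&#NN;) for the encoded form is this example's own.

```csharp
using System;
using System.Text;
using System.Web;

public static class AllowListEncoder
{
    // Allow-list from the article: a-z, A-Z, 0-9, comma, period, underscore, dash, space.
    // Anything not in this set is treated as untrusted and encoded.
    private static bool IsSafe(char c)
    {
        return (c >= 'a' && c <= 'z')
            || (c >= 'A' && c <= 'Z')
            || (c >= '0' && c <= '9')
            || c == ',' || c == '.' || c == '_' || c == '-' || c == ' ';
    }

    // Encode every character outside the allow-list as a decimal character reference.
    public static string HtmlEncode(string input)
    {
        if (input == null) return null;
        StringBuilder sb = new StringBuilder(input.Length * 2);
        foreach (char c in input)
        {
            if (IsSafe(c))
                sb.Append(c);
            else
                sb.Append("&#").Append((int)c).Append(';');
        }
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed sample input mixing markup, quotes and an ampersand.
        string sample = "O'Neil said <b>hi</b> & \"bye\" / left";

        // Deny-list: only a fixed set of characters is rewritten; the rest pass through.
        Console.WriteLine(HttpUtility.HtmlEncode(sample));

        // Allow-list: only letters, digits, comma, period, underscore, dash and space survive;
        // the quote, apostrophe, slash and tag delimiters are all encoded.
        Console.WriteLine(HtmlEncode(sample));
    }
}
```

Run both lines and compare: the allow-list output is longer, because it refuses to trust any character it was not explicitly told is safe, which is what closes the gaps a deny-list leaves open.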
The Anti XSS Library is available here.
A Proof-Of-Concept sample code for lib usage can be found here.