Click here to Skip to main content
12,760,187 members (33,387 online)
Click here to Skip to main content
Add your own
alternative version

Tagged as

Stats

30.9K views
9 bookmarked
Posted 28 Aug 2013

Anti-Cross Site Scripting Library (AntiXSS)

, 28 Aug 2013 CPOL
Rate this:
Please Sign up or sign in to vote.
Anti-cross site scripting library (AntiXSS)

Before understanding Anti-Cross Site Scripting Library (AntiXSS), let us understand Cross-Site Scripting(XSS).

Cross-site Scripting (XSS)

Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page.

Cross-Site Scripting (XSS) attacks occur when:

  1. Data enters a Web application through an untrusted source, most frequently a web request.
  2. The data is included in dynamic content that is sent to a web user without being validated for malicious code.

The malicious content sent to the web browser often takes the form of a segment of JavaScript, but may also include HTML, Flash or any other type of code that the browser may execute. The variety of attacks based on XSS is almost limitless, but they commonly include transmitting private data like cookies or other session information to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user's machine under the guise of the vulnerable site.

Anti-Cross Site Scripting Library

AntiXSS helps you to protect your current applications from cross-site scripting attacks, at the same time helping you to protect your legacy application with its Security Runtime Engine. AntiXSS incorporates radically and innovatively rethought features, offering you a newer, more powerful weapon against the often employed cross-site scripting (XSS) attack. AntiXSS gives you:

  • Improved Performance. AntiXSS has been completely rewritten with performance in mind, and yet retains the fundamental protection from XSS attacks that you have come to rely on for your applications.
  • Secure Globalization. The web is a global market place, and cross-site scripting is a global issue. An attack can be coded anywhere, and Anti-XSS now protects against XSS attacks coded in dozens of languages.
  • Standards Compliance. AntiXSS is written to comply with modern web standards. You can protect your web application without adversely affecting its UI.

How it works?

Proper output encoding and good input validation will fix the XSS issue. For output encoding, use AntiXSS Library for its comprehensive encoding capabilities. AntiXSS works by looking at all the characters in the input and encoding characters not in the whitelist.

XSS Vulnerability

Response.Write(Request.Params["input"]);

To prevent XSS, we need to use the below code (AntiXSS):

AntiXss.UrlEncode(TextBox1.Text)

AntiXss.HtmlAttributeEncode(TextBox1.Text)

AntiXss.XmlEncode(TextBox1.Text)

AntiXss.JavaScriptEncode(item)

You can download AntiXSS library from here.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Share

About the Author

nageshwa
Team Leader
India India
M.C.A.
Working as a Technical Lead in a reputed company.
My Blog: http://mstechtips.blogspot.com

You may also be interested in...

Pro

Comments and Discussions

 
QuestionAntixss not sanitizing HTML Pin
Shyamyumnam20-Oct-16 20:09
memberShyamyumnam20-Oct-16 20:09 
QuestionYou can have AnitXss as your default encoder Pin
ednrg3-Sep-13 7:26
memberednrg3-Sep-13 7:26 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

Permalink | Advertise | Privacy | Terms of Use | Mobile
Web02 | 2.8.170217.1 | Last Updated 29 Aug 2013
Article Copyright 2013 by nageshwa
Everything else Copyright © CodeProject, 1999-2017
Layout: fixed | fluid