Difference between revisions of ".NET AntiXSS Library"

From OWASP
Cross site scripting (XSS) continues to show up on the [[:Category:OWASP_Top_Ten_Project|OWASP Top Ten Project]] as a top vulnerability.

=== .NET specific concerns ===

* TODO: ASP.NET 4.5 built-in support for AntiXSS
* TODO: the AntiXSS project

== Options ==

* Microsoft AntiXSS Library
** Available in ASP.NET 4.5 in the System.Web.Security.AntiXss namespace
** Available prior to ASP.NET 4.5 via NuGet (https://www.nuget.org/packages/AntiXSS/): Install-Package AntiXSS (currently v4.2.1 as of 4/12/2014)
*** Using Microsoft AntiXSS as the default encoder in ASP.NET: Phil Haack has a good write-up on this already: http://haacked.com/archive/2010/04/06/using-antixss-as-the-default-encoder-for-asp-net.aspx/
* Microsoft Web Protection Library (WPL), via http://wpl.codeplex.com/workitem/17246
* OWASP AntiSamy Library (https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project_.NET)
** Not recently maintained (a good opportunity for someone to bring it up to date and make it relevant again!)
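As an added example (not from this page, the AntiXSS project or Haack's post), a minimal HttpEncoder subclass that routes ASP.NET's default encoding through the AntiXSS library's whitelist encoders, followed by the web.config setting that activates it. The namespace, class and assembly names are placeholders, and the code assumes the AntiXSS NuGet package's Microsoft.Security.Application.Encoder API on ASP.NET 4.0.

```csharp
// Added example: make the AntiXSS library the encoder behind
// HttpUtility.HtmlEncode, <%: %> and Razor's @ output on ASP.NET 4.0.
// Assumes the AntiXSS NuGet package (Microsoft.Security.Application.Encoder).
using System.IO;
using System.Text;
using System.Web.Util;
// Alias avoids the clash with System.Text.Encoder.
using AntiXss = Microsoft.Security.Application.Encoder;

namespace MyApp.Security   // hypothetical namespace
{
    public class AntiXssHttpEncoder : HttpEncoder   // hypothetical class name
    {
        // AntiXSS works from a whitelist: every character outside the safe
        // set is encoded, rather than only the handful the default encoder
        // blacklists.
        protected override void HtmlEncode(string value, TextWriter output)
        {
            output.Write(AntiXss.HtmlEncode(value));
        }

        protected override void HtmlAttributeEncode(string value, TextWriter output)
        {
            output.Write(AntiXss.HtmlAttributeEncode(value));
        }

        protected override byte[] UrlEncode(byte[] bytes, int offset, int count)
        {
            // The base class hands over raw UTF-8 bytes; AntiXSS exposes a
            // string API, so round-trip through a string.
            string s = Encoding.UTF8.GetString(bytes, offset, count);
            return Encoding.UTF8.GetBytes(AntiXss.UrlEncode(s));
        }
        // HtmlDecode, UrlPathEncode and header encoding keep the framework
        // defaults; AntiXSS does not provide replacements for them.
    }
}

/* Activate it in web.config ("MyApp" is the assembly holding the class):

   <system.web>
     <httpRuntime encoderType="MyApp.Security.AntiXssHttpEncoder, MyApp" />
   </system.web>

   On ASP.NET 4.5 the encoder ships in System.Web, so no subclass is needed:

   <httpRuntime targetFramework="4.5"
       encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
*/
```

Only output that passes through the framework's encoder hooks changes; markup assembled by string concatenation or written with Response.Write still has to be encoded explicitly.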
  
 
== TODO ==

Revision as of 21:28, 14 April 2014

(NOTE:) This content is a work in progress and all contributions are welcome. Please contact Jeff Knutson (User:Jeff Knutson) with questions, ideas, corrections, etc.

Problem Overview

Cross site scripting (XSS) continues to show up on the OWASP Top Ten Project as a top vulnerability.

Options

TODO

Now

  • Look at the Microsoft implementations
  • See what work has already been done in the OWASP space for XSS
  • See what other work has been done for XSS (both .NET and other technology stacks)
  • Illustrate vulnerabilities and how to mitigate them (e.g. WebGoat)

Future

  • Dream big here!