Difference between revisions of ".NET AntiXSS Library"

From OWASP
Line 11: Line 11:
 
***Instructions for using Microsoft AntiXSS as the default encoder in ASP.NET (Phil Haack has already written a good post on this:  http://haacked.com/archive/2010/04/06/using-antixss-as-the-default-encoder-for-asp-net.aspx/)
 
 
*Microsoft Web Protection Library (WPL) - via http://wpl.codeplex.com/workitem/17246
 
 +
**There seem to be known issues with this library: http://blog.securityps.com/2012/12/alternatives-to-microsofts-wpl-sanitizer.html
 
*OWASP Anti-Samy Library (https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project_.NET)
 
 
**Not recently maintained (good opportunity to get it up to date and relevant!!!)
 
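As an added example (not code from the OWASP page or from Phil Haack's post), this is the shape of the default-encoder hookup the first option refers to: an `HttpEncoder` subclass that delegates to AntiXSS, registered through the `encoderType` attribute of `<httpRuntime>`. The namespace `MyApp.Security`, the class name and the assembly name `MyApp` are assumptions.

```csharp
using System.IO;
using System.Web.Util;
using Microsoft.Security.Application;

namespace MyApp.Security   // assumed namespace; it must match the web.config entry below
{
    // Once registered, ASP.NET routes <%: %>, Html.Encode(), HttpUtility.HtmlEncode()
    // and server-control rendering through this class, so output encoding is
    // whitelist-based (AntiXSS) everywhere instead of the framework's default
    // blacklist encoder. It encodes untrusted text; it does not sanitize rich HTML,
    // which is what the WPL sanitizer and AntiSamy options listed above are for.
    public class AntiXssHttpEncoder : HttpEncoder
    {
        // HTML text context, e.g. <p><%: Model.Comment %></p>
        protected override void HtmlEncode(string value, TextWriter output)
        {
            if (string.IsNullOrEmpty(value)) return;
            output.Write(Encoder.HtmlEncode(value));
        }

        // HTML attribute context, e.g. <input value="<%: Model.Name %>" />
        protected override void HtmlAttributeEncode(string value, TextWriter output)
        {
            if (string.IsNullOrEmpty(value)) return;
            output.Write(Encoder.HtmlAttributeEncode(value));
        }
    }
}

// web.config (.NET 4.0 or later); assembly name "MyApp" is assumed:
//   <system.web>
//     <httpRuntime encoderType="MyApp.Security.AntiXssHttpEncoder, MyApp" />
//   </system.web>
```

To confirm the hookup took effect, check `HttpEncoder.Current.GetType()` at application start: if it still reports the framework default, the assembly-qualified name in `encoderType` did not resolve.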
Line 20: Line 21:
 
* See what other work has been done for XSS (both .NET and other technology stacks)
 
 
* Illustrate vulnerabilities and how to mitigate them (e.g. WebGoat)  
 
 +
* See if we can get the OWASP Anti-Samy project back into relevance
  
 
=== Future ===
 

Revision as of 21:37, 14 April 2014

NOTE: This content is a work in progress and all contributions are welcome. Please contact Jeff Knutson (User:Jeff Knutson) with questions, ideas, corrections, etc.

Overview

Cross-site scripting (XSS) continues to show up as a top vulnerability.

Options

TODO

Now

  • Look at the Microsoft implementations
  • See what work has already been done in the OWASP space for XSS
  • See what other work has been done for XSS (both .NET and other technology stacks)
  • Illustrate vulnerabilities and how to mitigate them (e.g. WebGoat)
  • See if we can get the OWASP Anti-Samy project back into relevance

Future

  • Dream big here!