Difference between revisions of ".NET AntiXSS Library"

From OWASP
Minor edit. The only change in this revision is one reference added to the XSS References list; the affected list is shown below with the added entry marked.

* http://www.troyhunt.com/2011/12/free-ebook-owasp-top-10-for-net.html
* http://pluralsight.com/training/Courses/TableOfContents/owasp-top10-aspdotnet-application-security-risks (NOTE: This is a subscription course from PluralSight - I am not advocating any website or product, but found this to be useful and informative)
* http://devproconnections.com/aspnet/microsoft-adds-antixss-tool-aspnet-45 (added in this revision)
* TODO add more references here -- Troy Hunt's material is excellent - I'm sure more people in the world have content which would be valuable here to reference...
Revision as of 22:32, 14 April 2014

NOTE: This content is a work in progress and all contributions are welcome. Please contact Jeff Knutson (User:Jeff Knutson) with questions, ideas, corrections, etc.

Overview

Cross-site scripting (XSS) continues to show up as a top vulnerability every year. While very pervasive and dangerous, this vulnerability can be mitigated with reasonable developer effort. This page is dedicated to helping mitigate XSS in applications built on the Microsoft .NET Framework.

Challenges

The primary XSS attack vectors are:

  • Reflected XSS
  • Persistent XSS
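The following is an added example, not code from the OWASP page or from Microsoft, showing the two vectors listed above side by side with the output-encoding fix for each. It assumes .NET Framework 4.5 or later, where the AntiXSS encoder ships in System.Web.dll as System.Web.Security.AntiXss.AntiXssEncoder; the untrusted strings are constructed here, whereas in a real application the reflected value comes from the request and the persistent value from the data store.

```csharp
using System;
using System.Web.Security.AntiXss;   // AntiXssEncoder, built into System.Web.dll since .NET Framework 4.5

// Added example (not part of the OWASP page): reflected and persistent XSS,
// each rendered once without encoding and once with context-specific encoding.
public static class XssEncodingDemo
{
    // Constructed sample inputs standing in for untrusted data.
    public const string ReflectedSearchTerm = "<script>alert('reflected')</script>";
    public const string StoredAuthor = "mallory\" onmouseover=\"alert('attr')";
    public const string StoredComment = "Nice post! <script>alert('persistent')</script>";

    // VULNERABLE (reflected): the search term from the query string is
    // concatenated straight into the HTML response.
    public static string RenderSearchVulnerable(string searchTerm)
    {
        return "<p>Results for: " + searchTerm + "</p>";
    }

    // FIXED (reflected): encode for the HTML element context at the point of output.
    // The second argument (false) selects numeric rather than named entities.
    public static string RenderSearchSafe(string searchTerm)
    {
        return "<p>Results for: " + AntiXssEncoder.HtmlEncode(searchTerm, false) + "</p>";
    }

    // VULNERABLE (persistent): a comment stored earlier by one user is rendered
    // for every later visitor; the author name lands inside an attribute and the
    // body inside element content, neither encoded.
    public static string RenderCommentVulnerable(string author, string body)
    {
        return "<div class=\"comment\" data-author=\"" + author + "\">" + body + "</div>";
    }

    // FIXED (persistent): each output context gets the encoder that matches it.
    // Attribute values use HtmlAttributeEncode; element content uses HtmlEncode;
    // a value placed into a URL query string uses UrlEncode.
    public static string RenderCommentSafe(string author, string body)
    {
        string safeAuthor = AntiXssEncoder.HtmlAttributeEncode(author);
        string safeBody = AntiXssEncoder.HtmlEncode(body, false);
        string profileLink = "/profile?user=" + AntiXssEncoder.UrlEncode(author);

        return "<div class=\"comment\" data-author=\"" + safeAuthor + "\">"
             + "<a href=\"" + AntiXssEncoder.HtmlAttributeEncode(profileLink) + "\">" + safeAuthor + "</a>: "
             + safeBody
             + "</div>";
    }

    public static void Main()
    {
        Console.WriteLine("Reflected, vulnerable: " + RenderSearchVulnerable(ReflectedSearchTerm));
        Console.WriteLine("Reflected, encoded:    " + RenderSearchSafe(ReflectedSearchTerm));
        Console.WriteLine();
        Console.WriteLine("Persistent, vulnerable: " + RenderCommentVulnerable(StoredAuthor, StoredComment));
        Console.WriteLine("Persistent, encoded:    " + RenderCommentSafe(StoredAuthor, StoredComment));
    }
}
```

The design point is that encoding happens at output, with the encoder chosen by the context the data lands in (element content, attribute value, URL), not by where the data came from; storing "sanitised" input and emitting it raw later is exactly what makes the persistent case bite. In an ASP.NET application the same encoder can also be made the default for the framework's own HtmlEncode and UrlEncode calls by setting the encoderType attribute on the httpRuntime element in web.config to System.Web.Security.AntiXss.AntiXssEncoder.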

Options

XSS References

TODO

Now

  • Look at the Microsoft implementations
  • See what work has already been done in the OWASP space for XSS
  • See what other work has been done for XSS (both .NET and other technology stacks)
  • Illustrate vulnerabilities and how to mitigate them (e.g. WebGoat)
  • See if we can get the OWASP AntiSamy project back into relevance

Future

  • Dream big here!