Microsoft released the Anti-Cross Site Scripting Library (AntiXSS) several years ago as a tool to help protect web applications from cross-site scripting attacks. It started out life as a relatively simple library that replaces some of the encoding features built into the .NET Framework, but has since grown to provide more web application security features.

As I’ve written before, cross-site scripting (XSS) attacks are one of the most insidious ways that an attacker can break an application. Like other injection attacks, such as SQL injection, XSS is hard to defend against because it requires careful vigilance when designing and developing every page in a website. Get sloppy on just one page, and your entire site could be lost to an attacker: script injected into any single page runs in the victim’s browser with the full privileges of that user’s session, so the attacker can read and act on everything the user can see on that site.

One of the best defenses against XSS is to carefully validate all untrusted inputs to the application from any source, including user input, databases, uploaded files, and any other inputs used in the site. Once you've done that, you can provide another strong layer of security by encoding all dynamic outputs that contain data from untrusted inputs. Encoding replaces characters that have meaning to the browser, such as angle brackets, with a representation the browser treats as data rather than as markup or script, for example the HTML entities &lt; or &#60; for a literal <. The right encoding depends on where the data lands: HTML body text, an attribute value, a JavaScript string, a URL and a CSS value each follow their own rules, and applying the wrong one leaves a gap.

ASP.NET has provided a ValidateRequest attribute of the @Page directive since version 1.1 (with a matching validateRequest attribute on the pages element in web.config), and it is set to True by default. With that setting, ASP.NET scans query string, form and cookie values for a fixed set of markup-like patterns, such as a < followed by a letter or an &#, and throws an HttpRequestValidationException when it finds one. ValidateRequest is somewhat inflexible and limited: it is a blocklist, it knows nothing about where the data will eventually be output, and developers who need to accept markup usually end up switching it off for the whole page. Treat it as a safety net rather than the defense, but any protection is better than none at all.

AntiXSS to Be Re-Released
Microsoft released the first version of AntiXSS back in 2006, and it has undergone a few revisions since then. And now they are on the verge of dropping the standalone AntiXSS and re-releasing it as a component of the new Microsoft Web Protection Library (WPL). Released by the Information Security Tools team at Microsoft, the initial release of the WPL includes two closely related components: an enhanced version of the original AntiXSS library and a Security Runtime Engine.

The AntiXSS library consists of an assembly with a set of encoding functions for every common output context, including HTML elements and attributes, XML, CSS, LDAP, and JavaScript. It uses a whitelist of characters known to be safe, newly expanded in the WPL, and encodes every character that is not on that list rather than looking for a short list of dangerous ones. They’ve rearranged the library so that the encoding methods now live on the new Encoder class in the Microsoft.Security.Application namespace; the older AntiXss class has been marked as deprecated but still works, so existing applications won’t break.
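The allow-list principle behind the encoders just described, as an added example that is not AntiXSS or WPL code: a stand-alone Python sketch (the library on this page is .NET, but the principle is language-independent) with constructed inputs. It contrasts a deny-list encoder that rewrites only four characters with allow-list encoders for the HTML body, HTML attribute and JavaScript string contexts, and uses the standard-library HTML parser to check which attributes a browser would actually see. The user-name validation rule, the single-quoted template and the attacker payload are all hypothetical.

```python
# Added illustration of allow-list (white-list) output encoding, the principle
# AntiXSS is built on.  Not AntiXSS/WPL code: a stand-alone sketch with
# constructed inputs, showing why encoding everything that is not known-safe
# beats encoding a short list of "dangerous" characters.
import re
from html.parser import HTMLParser

# Characters passed through unchanged in every context: ASCII letters/digits.
SAFE = frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")

# Layer 1: input validation against an allow-list pattern (hypothetical rule
# for a user name).  Validation alone does not cover data from other sources.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def is_valid_username(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None

# Layer 2: context-specific output encoding.  Each encoder keeps SAFE
# characters and rewrites every other character for its target context.
def html_encode(text: str, extra_safe: str = " ,.-_") -> str:
    """HTML element body: numeric entities; a little punctuation kept readable."""
    safe = SAFE | set(extra_safe)
    return "".join(c if c in safe else f"&#{ord(c)};" for c in text)

def html_attribute_encode(text: str) -> str:
    """HTML attribute value: even space and quotes are encoded, so the value
    cannot close the attribute or start a new one, whichever quotes were used."""
    return "".join(c if c in SAFE else f"&#{ord(c)};" for c in text)

def javascript_string_encode(text: str) -> str:
    """JavaScript string literal: \\xHH / \\uHHHH escapes, not HTML entities
    (entities are not decoded inside a <script> block)."""
    return "".join(
        c if c in SAFE else (f"\\x{ord(c):02x}" if ord(c) < 256 else f"\\u{ord(c):04x}")
        for c in text)

def denylist_html_encode(text: str) -> str:
    """For contrast: a deny-list encoder that touches only & < > and the double
    quote (the set HttpUtility.HtmlEncode handled before .NET 4.0 added ')."""
    return (text.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace('"', "&quot;"))

# A hypothetical template whose author quoted the attribute with single quotes.
def render_input(encoder, value: str) -> str:
    return f"<input name='user' value='{encoder(value)}'>"

class _InputAttrs(HTMLParser):
    """Collects the attributes a parser would see on the <input> element."""
    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = attrs

def parsed_input_attrs(markup: str):
    p = _InputAttrs()
    p.feed(markup)
    p.close()
    return p.attrs

# Constructed attacker input: it contains no < > & or ", so the deny-list
# encoder passes it untouched and it escapes the single-quoted attribute.
PAYLOAD = "' onfocus='alert(1)' autofocus='"

if __name__ == "__main__":
    for name, enc in (("deny-list", denylist_html_encode),
                      ("allow-list", html_attribute_encode)):
        markup = render_input(enc, PAYLOAD)
        print(f"{name:10}: {markup}")
        print(f"{'':10}  attributes seen by parser: {parsed_input_attrs(markup)}")
    print("JS context:", javascript_string_encode("';alert(1)//"))
```

Run it and the deny-list rendering yields four attributes on the input element, including the attacker's onfocus handler, while the allow-list rendering yields two, with the whole payload sitting harmlessly inside value. The same payload would also be caught by the body-context html_encode, but the attribute encoder is the right tool because it also encodes the space, which a deny-list would let break out of an unquoted attribute.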

The Security Runtime Engine (SRE) is an HTTP module that can automatically encode almost all risky output. It inspects each control rendered by ASP.NET and encodes data for the properties of vulnerable controls, as appropriate, saving you the work of writing all the code to encode output to protect against XSS attacks. Note the limit implied by that design: the SRE can only encode properties of the server controls it is configured to know about, so markup written straight to the response with Response.Write or <%= %> still has to be encoded by hand. The SRE configuration tool has been redesigned and rebuilt from the ground up to provide a plug-in model that uses the Managed Extensibility Framework (MEF).



The main enhancements to AntiXSS include

• New Encoder and Sanitizer classes: Encoder holds the context-specific encoding methods, and Sanitizer strips unsafe markup from input that has to remain HTML
• An expanded white list of characters passed through unencoded, covering the alphabets of more languages
• Performance improvements
• A new SQL Injection module to detect SQL queries in input data
• Support for Shift_JIS encoding for mobile browsers
• A redesigned configuration tool that allows easy editing of configuration files directly from within Visual Studio

AntiXSS also now supports secure globalization with support for dozens of languages. This will make the tools far more useful for sites with an international clientele.

Ultimately, the WPL will grow to include features to protect against a variety of web application attacks, including cross-site request forgery (CSRF), and to enforce security settings such as SSL-only and HttpOnly cookies. The latest version as of this writing is a May 2010 source-only release that is well worth spending time with. Microsoft bills this as an open source project, but it is open source only in the sense that they make the source code available. There isn’t any mechanism in place yet that I’ve found for community contributions. They have released the code under the relatively liberal Microsoft Public License (Ms-PL).

It is great that Microsoft is providing stronger security tools for web application security, but one concern I have is whether these tools are growing overly complex. The more complex they are, the harder they will probably be to use, which will turn off less security conscious developers from using them. Only time will tell if Microsoft makes the WPL accessible enough to developers.

You can learn more about the WPL and download the latest AntiXSS Library on the CodePlex Microsoft Web Protection Library page. It’s definitely a work in progress, but other than my concerns about complexity it is shaping up to be a nice set of security tools.

Don Kiely (donkiely@computer.org), MVP, MCSD, is a senior technology consultant, building custom applications and providing business and technology consulting services. His development work involves SQL Server, Visual Basic, C#, ASP.NET, and Microsoft Office.