Tuesday, November 21, 2006

V1.5 of Microsoft Anti-XSS Library Now Available

Microsoft has just released for download the latest version of its Anti-XSS Library on their MSDN web site.

Cross Site Scripting (XSS) continues to plague many web sites and is used by malicious users to get into web sites and application servers. User credentials can be stolen and then used to gain unauthorized access to a user's online bank account, for example, to drain funds, transfer accounts or create other financial havoc on the unsuspecting victim.

The approach to fighting XSS is equally as simple: validate and sanitize. A web developer should never trust ANY input from a user or a web site, even from hidden fields and less-obvious places like radio buttons and check boxes. Even these seemingly inocuous fields can contain application security land mines.

XSS is cross platform, meaning it's not just a Microsoft problem. But Microsoft's approach expands on the validate-and-sanitize approach with what it calls the "principle of inclusions." The application accepts valid input, meaning acceptable characters, but everything else is encrypted, blocking it from causing damage or malicious access.

Here are some other comments on the new library:

ACE Team blog

Channel 9 Forums

Kevin Lam's blog

The XSS-Proxy is a great web site devoted entirely to XSS, and I have links to other sites with XSS information on my web site. Click on Programming. There's sites listed in both the Programming and More Code sections.


Post a Comment

<< Home