Been reading up on various injection-type attacks, and it seems like the best way to get rid of these vulnerabilities is to encode all user input to remove / replace some characters with others (< > ; etc).

What's my best bet here? Are there any nice libraries out there to aid me with this? Or something that could help me spot potential vulnerabilities? - Or are regular expressions my best bet? :)

Thanks a lot

cwap
  • Dupe of: http://stackoverflow.com/questions/188870/how-to-use-c-to-sanitize-input-on-an-html-page – NotMe Apr 01 '09 at 20:49
  • Thanks for that link. Searched before posting ofc, but didn't find that :) – cwap Apr 01 '09 at 20:51
  • It's not a dupe though: that question is about removing stuff; what you are looking for is properly encoding data according to output location, which is different, and the other subject's answer is actually not secure all the time. So you should not rely on that answer either. – dr. evil Apr 01 '09 at 22:23

5 Answers

Take a look at the AntiXSS library.

bdukes
  • wow .. that looks great :S Can't believe it's not more hyped if it actually does what they say it does :) – cwap Apr 01 '09 at 21:10

The Server in ASP.NET Page instances (accessible via Page, i.e. this) offers an HtmlEncode() method that should suffice to prevent XSS attacks.

By default, without explicitly allowing it in either web.config or via a page directive, ASP.NET will reject any suspicious input with an error page.

Martin C.
OWASP Antisamy and OWASP ESAPI.

Of these, I would vote for ESAPI, since I've used the Java version of ESAPI to prevent XSS attacks. Keep in mind that plain HTML encoding of data will not prevent XSS. The context of the data is important as well - you will have to escape JavaScript if you are dynamically generating it and injecting it into the response at the server.

Vineet Reynolds
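
Vineet's point about output context, as an added example that is not code from this thread or from ESAPI/AntiXSS: it uses System.Web.HttpUtility (ASP.NET 4.0 and later) to emit one untrusted value into an HTML body, a quoted attribute, a JavaScript string literal and an href; the href case needs scheme validation on top of encoding, because no encoder turns a javascript: URL into something harmless. The sample inputs are constructed for the demonstration.

```csharp
// Added example, not code from the thread: emitting the same untrusted value
// into four output contexts with System.Web.HttpUtility (ASP.NET 4.0+).
using System;
using System.Web;

public static class OutputEncoding
{
    // Context 1: text between tags, e.g. <p>Hello, NAME</p>
    public static string ForHtmlBody(string untrusted)
    {
        return HttpUtility.HtmlEncode(untrusted);
    }

    // Context 2: a double-quoted attribute value, e.g. <input value="...">
    public static string ForHtmlAttribute(string untrusted)
    {
        return HttpUtility.HtmlAttributeEncode(untrusted);
    }

    // Context 3: inside a JavaScript string literal in a <script> block,
    // e.g. var s = "..."; angle brackets come out as \u003c/\u003e, quotes as \"
    public static string ForJsString(string untrusted)
    {
        return HttpUtility.JavaScriptStringEncode(untrusted);
    }

    // Context 4: href/src. Encoding alone leaves "javascript:alert(1)" clickable,
    // so the scheme is checked against an allow list before encoding.
    public static string ForHref(string untrusted)
    {
        Uri uri;
        bool safeScheme = Uri.TryCreate(untrusted, UriKind.Absolute, out uri)
            && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps);
        return HttpUtility.HtmlAttributeEncode(safeScheme ? uri.AbsoluteUri : "about:blank");
    }

    public static void Main()
    {
        // Constructed sample inputs for the demonstration.
        string html = "<b onmouseover=\"alert(1)\">x</b>";
        string js = "\"; alert(1); //";
        string link = "javascript:alert(1)";

        Console.WriteLine("<p>" + ForHtmlBody(html) + "</p>");
        Console.WriteLine("<input value=\"" + ForHtmlAttribute(html) + "\">");
        Console.WriteLine("<script>var s = \"" + ForJsString(js) + "\";</script>");
        Console.WriteLine("<a href=\"" + ForHref(link) + "\">link</a>");
    }
}
```

Passing the HtmlEncode output into the script or href slots instead would not break the page, but it would not protect it either: the entity text is stored literally in the JavaScript string, and the javascript: scheme survives HTML encoding untouched.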
Recently I've been looking at ESAPI.NET and the project seems incomplete and perhaps inactive -- especially compared to the java package.

Anti-XSS only covers a subset of ESAPI's scope and, indeed, ESAPI.NET uses AntiXSS (though not the latest) for encoding.

Any comments testifying to ESAPI.NET's usefulness would be helpful.

Rick Putnam
You got 3 nice choices for Cross-site Scripting protection:

I would try in this order.

dr. evil