All geek questions in one place

Anti XSS support in ASP.net vs AntiXss Lib

How does the XSS (Cross Site Scripting) support provided by ASP.net differ from AntiXss? AntiXss is a microsoft library to protect your site from XSS. Both APIs look pretty much the same, and it looks like they can easily be switched from one to the other by searching code files.

Which one provides more protection against XSS? Is it advisable to use ASP.net internal support?

0
source share
2 answers

There are several differences. First, the Microsoft AntiXss library uses AntiXss encoding, which means that all characters are encoded, with the exception of all characters that are safe. The standard ASP.NET encoding mechanism is blacklisting. For example, for HTML encoding, it encodes only 4 characters: < , > , & and " (for example, it does not encode a single quote). Look, for example, at this SO answer , what could go wrong with this.

Another difference is that the basic ASP.NET encoding (using HttpUtility ) is able to encode HTML en URLs. AntiXss also allows you to encode HTML attributes and JavaScript text. There is no safe way to work in standard ASP.NET.

+2
source

One thing you can keep in mind is the release cycle; The encoding built into HttpUtility can only be updated with the release of a new version of ASP.NET. If someone comes up with an XSS attack that works against HttpUtility the day after it is released, your application will be vulnerable until a new version of ASP.NET is released. AntiXSS has a (much) faster release cycle, which means that when new attacks appear, the team can respond more quickly to them and release an updated AntiXSS that will protect them.

+1
source

Source: https://habr.com/ru/post/988570/

More articles:


All Articles