Way of knowing if AntiXSS has found something bad?

Nov 4, 2009 at 9:28 AM

Hi,

I am attempting to add logging to the antiXSS, so I can spot any false positives (we are retrofitting AntiXSS) found in our WYSIWIG.

Is there a way of knowing if AntiXSS has found something malicious? I'm not sure exactly what I'm looking for, but I can imagine something similar to a boolean output parameter that says if AntiXSS found anything bad.

Or, just thinking about it, is it safe to simply do a string compare on the input and output? Or does AntiXSS always affect the string somehow?

-thanks

Alex.


Coordinator
Nov 4, 2009 at 4:48 PM

Alex,

Anti-XSS encoding methods simply encode the characters passed in the string. They don't detect any malicious input. The same is true of the SRE HTTP Module.

However, you could compare the strings, but it will affect the performance of the application.

Thanks

RV

From: alexkey [mailto:notifications@codeplex.com]
Sent: Wednesday, November 04, 2009 1:28 AM
To: Anil Revuru (INFORMATION SECURITY TOOLS)
Subject: Way of knowing if AntiXSS has found something bad? [AntiXSS:74010]


Nov 6, 2009 at 9:45 AM

Thanks for the information, I've taken your advice into consideration and made sure I'm only using string compare sparingly.

If anyone else needs to do this, be aware that AntiXSS will convert your HTML fragment into proper XHTML case, i.e. lower-case tag names.

So take this into consideration when doing your string comparison.
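As an added illustration (not code from this thread or from the AntiXSS project), here is one way to do the logging Alex describes while allowing for the tag-case normalization mentioned in the last post. It assumes a .NET project referencing AntiXSS 3.x, so that `Microsoft.Security.Application.AntiXss.GetSafeHtmlFragment` is available; the `FragmentSanitizer` class, its method names and the regex-based normalization are my own and are not part of the library.

```csharp
using System;
using System.Text.RegularExpressions;
using Microsoft.Security.Application; // AntiXSS 3.x: AntiXss.GetSafeHtmlFragment

// Hypothetical helper (not part of AntiXSS) that sanitizes a WYSIWYG fragment and
// reports whether the sanitizer changed anything beyond tag-name case.
public static class FragmentSanitizer
{
    // Matches the name of an opening or closing tag, e.g. "<P" or "</Strong",
    // so its case can be normalized before the comparison.
    private static readonly Regex TagName =
        new Regex(@"</?([A-Za-z][A-Za-z0-9]*)", RegexOptions.Compiled);

    // Lower-cases tag names the way the thread says AntiXSS does, so that
    // "<P>hello</P>" versus "<p>hello</p>" is not logged as a false positive.
    public static string NormalizeTagCase(string html)
    {
        return TagName.Replace(html, m => m.Value.ToLowerInvariant());
    }

    // Returns the sanitized fragment and sets 'changed' when the output differs
    // from the case-normalized input, i.e. when AntiXSS removed, encoded or
    // rewrote something other than tag case.
    public static string Sanitize(string input, out bool changed)
    {
        string output = AntiXss.GetSafeHtmlFragment(input);
        changed = !string.Equals(NormalizeTagCase(input), output, StringComparison.Ordinal);
        return output;
    }
}

// Usage at the single point where editor content is accepted (not on every render):
//   bool changed;
//   string safe = FragmentSanitizer.Sanitize(editorHtml, out changed);
//   if (changed)
//       log.Warn("AntiXSS altered a fragment; original kept for review: " + editorHtml);
```

The normalization only covers the tag-case difference the thread mentions; anything else the sanitizer re-serializes differently will still show up as a difference, which is the behaviour wanted here: a logged entry is a candidate for a human to review as a possible false positive, not proof of malicious input. Because the compare adds a regex pass and a second string walk, keep it on the code path where fragments are saved rather than where they are displayed, in line with RV's performance caveat.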