wpl Discussions Rss Feed

New Post: Are there any virtual labs that describe how to fix a .NET derivative XSS vulnerability?

dbavedb — Thu, 13 Jun 2013 00:49:59 GMT

I notice that there are some interesting Microsoft documents that discuss fixing XSS:

http://www.asp.net/mvc/tutorials/older-versions/security/preventing-javascript-injection-attacks-cs
http://msdn.microsoft.com/en-us/library/hh567599(v=cs.95).aspx
http://msdn.microsoft.com/en-us/library/aa973813.aspx
http://msdn.microsoft.com/en-us/library/ff649310.aspx
http://msdn.microsoft.com/en-us/library/ms972967.aspx

Does anyone know if there are any Virtual Labs that discuss this? I have been referring my developers to this location:

http://msdn.microsoft.com/en-us/aa740391

for learning more about fixing and preventing security vulnerabilities, but I do not see anything listed about XSS? Are there any great links, Virtual Labs, videos etc.

New Post: AntiXSS - validate JSON

nishithraval — Fri, 17 May 2013 09:33:53 GMT

hey,
Similar to this,I have a restful wcf service,where need to validate JSON and XML against the Xss.Is there anything in AntiXss ???

New Post: Where is the SecurityRuntimeEngine???

bdorrans — Thu, 18 Apr 2013 16:38:29 GMT

So if you want the SRE bits you need to compile them yourself - and they haven't been validated with Win8/2012.

Given that we helped port ModSecurity to IIS, and that's open source and has many more options available it's unlikely any further work will be done on the SRE.

New Post: Where is the SecurityRuntimeEngine???

jsp3536 — Thu, 18 Apr 2013 15:11:42 GMT

I am looking for this as well. Has this been removed?

New Post: Release Build Fails

ScottMacMaster — Fri, 12 Apr 2013 14:38:45 GMT

Everything is working fine when the configuration is set to debug. However, when I set the configuration to release the build fails. I get the following error.

SGEN : error : Could not load file or assembly 'file://\TeamFoundationServer\c$\Bin\MyDll.dll' or one of its dependencies. Operation is not supported. (Exception from HRESULT: 0x80131515)

I thought maybe my dll needs to be built in release mode. So I changed that but that had no effect.

I then did a bunch as research and found 3 possible causes.

It requires full trust.

So I added '<trustLevel name="full" policyFile="internal" />' to my web.config file. This had no effect.

Maybe something in the version of IIS integrated into Visual Studio needs configured but I can't find any info on this approach.

The library is 32 bit and requires the program to be 32 bit.

I tried changing the project target for both the web app and the dll from 'Any CPU' to x86. This had no effect.

My OS is 64 bit maybe other settings need changed.

Don't use unsafe code.

The library has code that requires full trust and the new version has this in a separate assembly. I'm not sure if the unsafe code is in AntiXssLibrary.dll or HtmlSanitizationLibrary.dll but the Encode function I'm trying to use is in AntiXssLibrary.dll. So I don't know if I can exclude it by not including a dll.

Also, I briefly tried the approach of downloading the source code and removing the code but I got errors the project files couldn't be loaded when I tried opening the project.

Can someone help me get this to work?

Thanks

New Post: Update on the sanitizer.

Tyrven — Wed, 30 Jan 2013 19:04:37 GMT

Reiterating programmerman's question. bdorrans, should AntiXss be considered abandoned? Obviously, .NET 4.5 covers some of the functionality, but (to my knowledge) doesn't have an equivalent to the GetSafeHtmlFragment() method. Would love to know where things stand, as we have a number of libraries that rely on MWPL.

New Post: Update on the sanitizer.

Programmerman — Fri, 11 Jan 2013 17:31:58 GMT

It's been a year now since the WPL was patched. Do we have any further news on updating the sanitizer?

New Post: AntiXSS and Xml document

quirksoftware — Mon, 12 Nov 2012 03:49:55 GMT

Our application accepts xml data through our WCF interfaces. This xml data is based on a variety of sources on a client's system, and transformed into a final inbound xml document for our application.

This xml data is then used to generate data in our database and create business objects in our app. Some of this data will be rendered directly on screen to end users of this data.

As we have very little control over the variety of data sources on the client machine, but only on the final inbound xml, there is a potential (albeit small) of someone attempting an XSS attack via our xml structure.

I want to be able to strip out any attributes and / or potential malicious html from the XML document, WITHOUT encoding the entire XML doc.

I figured the antixss component would be a match, but this appears to throw the baby out with the bathwater, as it were, since the entire XML document ends up encoded, rather than just the sections which contain potential XSS attacks.

Any thoughts on how I could accomplish this?

C

New Post: AntiXSS library v4.2.1 with ASP.NET 3.5 or ASP.NET 4

hpkapadia — Mon, 15 Oct 2012 19:39:01 GMT

I want to use AntiXSS library v4.2.1 in my ASP.NET 3.5 & ASP.NET 4 web applications. How do I start? Do I need to recompile my entire application after I copy the DLL in the bin folder? Do I need to change all my .cs pages or just change the web.config to include the reference to the AntiXSS library?

Thanks

Hitesh

New Post: Where is the SecurityRuntimeEngine???

ralarcon — Mon, 27 Aug 2012 06:23:12 GMT

I'm trying to use the SRE module but I can't find the assembly. The installer does not create any other assembly apart from the AntiXSSLibrary.dll and the HtmlSanitizationLibrary.dll

New Post: Update on the sanitizer.

bchavez — Wed, 22 Aug 2012 23:03:38 GMT

Hi,

I recently heard AntiXSS library was included in ASP.NET 4.5 (VS 2012) / .NET 4.5.

Does .NET 4.5 include the latest version of AntiXSS that is overly restrictive?

Thanks,
Brian

New Post: AntiXSS 4.2.1 and MVC 3

Bieters — Fri, 20 Jul 2012 06:18:02 GMT

Ok. Thanks

New Post: Update on the sanitizer.

bdorrans — Thu, 19 Jul 2012 18:13:46 GMT

I wanted to update you on the current state of the sanitizer. We're aware of the frustration you're having and I can only apologise. We're still exploring options - I know it's been six months but I've been trying to get a long term solution to the problem rather than patching unwieldy code.

The attempt to find a better solution and the resources to deliver it are still on-going I'm afraid, but it is discussed and pushed for on a regular basis.

I'm sorry that's all I have for you right now.

New Post: How do I configure AntiXSS 4.2 on .NET 3.5

bdorrans — Thu, 19 Jul 2012 18:10:31 GMT

Nope, that's all you need to do.

New Post: AntiXSS 4.2 doesn't html encode on .NET 3.5

bdorrans — Thu, 19 Jul 2012 18:10:11 GMT

I'm not seeing this - can you reproduce it in a sample solution I can examine?

New Post: AntiXSS 4.2.1 and MVC 3

bdorrans — Thu, 19 Jul 2012 18:09:22 GMT

The current problems are with the Html Sanitizer.

The encoding methods are perfectly fine and safe to use, so for your example usages you'll be ok.

New Post: Hash character encoded into %23

bdorrans — Thu, 19 Jul 2012 18:08:08 GMT

Soon. Kinda of.

The underlying problem lies within some asp.net controls using url encoding incorrectly. The ASP.NET folks have been trying to track them all down and that's still ongoing.

The fix actually syncs the url encode with the .NET framework version, and as such uses code from the .NET framework. However that code is not open source, and we've been working with the legal folks to address this. What with the VS2012 beta releases this hasn't been at the top of everyone's mind, but now that has shipped we're pushing forward again and hope to get signoff within a few weeks.

Once I have that you'll see a new version of the encoders up which will address the issue.

Sorry it's taken so long.

New Post: Hash character encoded into %23

dipakcodeplex — Wed, 18 Jul 2012 18:47:30 GMT

I am also having same issue. Is there any resolutions or workaround for this?

New Post: AntiXSS 4.2.1 and MVC 3

Bieters — Tue, 17 Jul 2012 17:48:30 GMT

Hi,

all the problems is basically related to asp webforms or rich text editors?

I only want to use Html.Encode or @Encoder.JavaScriptEncode of the library in an asp net MVC 3 online shop app.

Are there problems with these methods too?

Can someone explain a bit please?

New Post: AntiXSS 4.2 doesn't html encode on .NET 3.5

GothamCity — Tue, 10 Jul 2012 19:21:30 GMT

It seems that AntiXSS 4.2 htmlencode does not work on .NET 3.5.

Did anyone face a similar problem and most importantly is there a solution to this?