Secure your website: Use AntiXss to protect your website

4:30 pm Improve Your Code, Secure your code

Intro

If you care even a little bit about the security of your ASP.Net application, I am sure that you’ve heard of Cross-site scripting attacks and of the Microsoft Anti-Cross Site Scripting Library. Html encoding using AntiXSS is a must for any serious website and it should be mandatory for any web framework (DNN, CS …).

If you haven’t heard about it, then head to it right now: Start here, then go here and here.

If you don’t want to read about it, then head here and here, or even better here, to read about what it can do to your site; then go back, read about it and implement it.

And if you are still not sure how popular this type of attack can be and how important it is to protect against it, then read Samy’s story about how he took down MySpace.com in 24 hours and added more than 1 million friends to himself using a tiny little XSS.

ASP.Net vs AntiXSS

Now that you have a good understanding of what XSS is, you will have noticed that one of the mitigations that has to be applied is to use HtmlEncode (or one of its variants) on all rendered data that could have originated from the user.

The main difference between ASP.Net’s HttpUtility.HtmlEncode and AntiXss.HtmlEncode is that the ASP.Net version uses black-listing (it encodes only a few known-dangerous characters), while AntiXss.HtmlEncode (and the other variants) use white-listing (they encode everything except a few characters known to be safe). You can read more about the differences here.

Big Note: Please don’t even consider using the ASP.Net HttpUtility.HtmlEncode, as there is a reported bug about it, marked Won’t Fix, that could become critical one day. Always use AntiXss for any type of encoding.

What to encode

Everything containing data originating from the user (or data not owned by you and not known to be safe). Better to encode more than less.

Here is a non-comprehensive list:

  • Names: User Names, First Name, Last Name …
  • Personal details (addresses, emails)
  • Urls
  • Subject lines, content of posts, emails, website or email feedback
  • Links to Images and avatars
  • User profiles and signatures

How to use Anti Xss:

Basic encoding for Labels, Literals or other controls:

Insecure:

lblEmail.Text = customer.EmailAddress;

Secure:

lblEmail.Text = AntiXss.HtmlEncode(customer.EmailAddress);

This type of code looks fine; it is not that hard to write, nor to verify that your application is always encoding.

However, if you use some type of data binding you have to take a much longer route and change your code from something simple like:

Insecure:

<ItemTemplate>
    Description: <%# Eval("Description") %>
</ItemTemplate>

To this:

Secure:

<ItemTemplate>
    Description: <%# AntiXss.HtmlAttributeEncode(DataBinder.Eval(Container.DataItem, "Description").ToString()) %>
</ItemTemplate>
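To make the black-list vs white-list difference from the earlier section concrete, here is an added example (constructed for this post, not the AntiXSS library’s own code): a small white-list encoder in the style the post describes, printed next to the black-list style of System.Net.WebUtility.HtmlEncode, which like HttpUtility.HtmlEncode only rewrites a fixed short list of characters. The safe list, class name and sample values are all assumptions made for the illustration.

```csharp
using System;
using System.Net;
using System.Text;
// Added illustration (not the AntiXSS library's code): a white-list HTML encoder
// in the style the post describes, next to the black-list style of WebUtility.HtmlEncode.
static class WhiteListHtmlEncoder
{
    // Only ASCII letters, digits and these punctuation marks pass through untouched
    // (a constructed safe list, narrower than the real library's).
    private const string SafePunctuation = " ,.-_";
    private static bool IsSafe(char c) =>
        (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
        (c >= '0' && c <= '9') || SafePunctuation.IndexOf(c) >= 0;
    // Everything not on the safe list becomes a numeric character reference, so characters
    // the black-list never considered (backtick, %, !, = ...) cannot reach the browser raw.
    public static string HtmlEncode(string input)
    {
        if (string.IsNullOrEmpty(input)) return string.Empty;
        var sb = new StringBuilder(input.Length * 2);
        for (int i = 0; i < input.Length; i++)
        {
            char c = input[i];
            if (IsSafe(c)) { sb.Append(c); continue; }
            int codePoint = c;
            // Keep surrogate pairs together: encoding each half on its own would emit invalid references.
            if (char.IsHighSurrogate(c) && i + 1 < input.Length && char.IsLowSurrogate(input[i + 1]))
            {
                codePoint = char.ConvertToUtf32(c, input[i + 1]);
                i++;
            }
            sb.Append("&#").Append(codePoint).Append(';');
        }
        return sb.ToString();
    }
}
static class Program
{
    static void Main()
    {
        // Constructed sample values of the kind the post says to encode (a user name, a post subject).
        string[] samples = { "O'Reilly `ls`", "Save 50%! <b>now</b>", "Zoë 😀" };
        foreach (string s in samples)
        {
            Console.WriteLine("input      : " + s);
            Console.WriteLine("black-list : " + WebUtility.HtmlEncode(s));   // rewrites only < > & \" ' and a few more
            Console.WriteLine("white-list : " + WhiteListHtmlEncoder.HtmlEncode(s));
        }
    }
}
```

Running it shows the black-list output still carrying the backtick, % and ! unchanged, while the white-list output contains nothing but letters, digits, the listed punctuation and numeric references; in real pages the call that goes into lblEmail.Text or the <%# %> binding is AntiXss.HtmlEncode, not this class.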

One more resource worth having at hand for tests is the XSS (Cross Site Scripting) Cheat Sheet. Don’t just try to enter these via your UI, find that you can’t, and conclude that you are secure: it’s only a matter of time before someone gets them into your database.

For a real test, enter the examples from this page directly in your database (as user names, customer names or user profiles, for example) and see how well your website works.

2 Responses

  1. Melih Gumuscay Says:

    Good post, thank you. In order to use inline one should not forget to add Import Namespace="Microsoft.Security.Application" to your code

  2. Joel Says:

    Great info, thanks! It’s another tool to add in the prevention of XSS.
