
An Epic Tale Of AntiXSSLibrary (Microsoft AntiXSS Library v4.2.1), CSC699, by Hans Hagen, 5/29/12


1 An Epic Tale Of AntiXSSLibrary: Microsoft AntiXSS Library v4.2.1. CSC699, Hans Hagen, 5/29/12

2 There once was a cross-site scripting security package named Microsoft AntiXssLibrary v3.1. This library contained three sections that worked well together, and their names were:
AntiXSSLibrary
Sanitizer
Security Run Time Engine (SRE)
Now, Sanitizer and SRE ran on top of the AntiXSSLibrary. AntiXSSLibrary is used to encode outputs on websites to prevent XSS. Sanitizer is used to clean up untrusted HTML so that only safe markup is output. SRE is used to wrap an old or current website so that its outputs are encoded at runtime. This package was great and everyone was happy. :) Then one day Microsoft released AntiXSSLibrary v :( and things have never been the same.

3 "AntiXss 4.2 Breaks everything", February 13, 2012, by eksith:
"This is one of those situations where none of your available options are good and your least harmful alternative is to shoot yourself in the foot at a slightly odd angle so as to only lose the little toe and not the big one."
"All of this happened when Microsoft revealed in January that their AntiXss library, now known as the Microsoft Web Protection Library (never seen a more ironic combination of words), had a vulnerability and, like all obedient drones, we must update immediately to avoid shooting ourselves in our big toe. The problem is that updating will cause you to lose your little toe."
"You see, the new library BREAKS EVERYTHING and eats your children."
"I was using an old version of Anti-XSS with a rich text editor (CkEditor). It was working very well. But when upgrading to the latest version, I discovered the new sanitizer is way too aggressive and is removing almost everything "rich" in the rich editor, especially colors, backgrounds, font size, etc... It's a disaster for my CMS!"

4 Reviews:
"Wow - this thing is a total fail."
"Too aggressive when it removes html elements"
"Still no fix in place for properly processing Rich Text applications"
"This version regressed the usability of the library to the point of making it useless"
"Strips all A and B tags, useless"
"Totally broken."
"Very poor."
"The HTML sanitizer in this release is pretty much worthless"
"breaks compatibility with WYSIWYG HTML editors."
"This release strips out all ref tags in an anchor tag."
"The 4.2 is NOT backwards compatible with the previous releases. Its filtering is far too aggressive"

5 The well-spun lies:
"The Microsoft Web Protection Library (WPL) is a set of .NET assemblies which will help you protect your web sites, current, future and past."
White lists: AntiXSS differs from the standard .NET framework encoding by using a white list approach. All characters not on the white list will be encoded using the correct rules for the encoding type. Whilst this comes at a performance cost, AntiXSS has been written with performance in mind.
Anti-XSS now protects against XSS attacks coded in dozens of languages.
The Security Runtime Engine (SRE) provides a wrapper around your existing web sites, ensuring that common attack vectors do not make it to your application.
Claimed protection: Cross Site Scripting, SQL Injection
Framework versions supported: .NET 2.0, .NET 3.5 and .NET 4.0

6 The Truth:
SRE, a.k.a. AntiXSSModule, is not currently being supported, and does not work with .NET 4.0 yet (5/27/12). For an example of SRE protection see the book "Beginning ASP.NET Security", pages 50-51; they show you how it used to work.
Sanitizer is way too aggressive at removing possibly harmful tags, which makes it almost useless. So Microsoft moved it into its own library, so the user has a choice whether to reference it or not.
The following is an epic tale of loading and testing the AntiXSSLibrary v4.2.1.

7 Download from the following:

8 Run the AntiXSS msi install wizard: nothing unusual.

9 What was downloaded: no SRE file?

10 Visual Studio: Ch03_Code\Samples\AntiXSSUsageSample

11 Web.config: the AntiXssModule has to do with the SRE wrapper module, so I deleted it from the "bin" folder and removed the following from the Web.config: Then the application AntiXSSUsageSample worked. So I tried alert("Hello World")

12 Issues testing, default input validation:

13 Bypass Visual Studio's default request validation to test the AntiXSS Library: in web.config add the following lines:

14 Difference between validation and AntiXSSLibrary: AntiXSSLibrary is a DLL you add to the bin; it provides encoders (and, separately, a sanitizer) that render untrusted data harmless when it is written out, since things like Server.HtmlEncode are not always enough to keep good hackers at bay. Request validation, on the other hand, inspects the incoming request for what looks like an injection attempt (among other things) and rejects it. You could say one cleanses and the other detects. Successfully hacked!

15 Web.config: add the following if you want to make AntiXSSLibrary your default encoder. Copy AntiXSSLibrary.dll to the project's "bin" folder.
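The two web.config changes from slides 13 and 15 put together, as an added example that is not part of the original slides. It assumes an ASP.NET 4.0 Web Forms project with AntiXssLibrary.dll (v4.2.1) copied into bin; the element and attribute names are the standard ASP.NET 4.0 ones, and AntiXssEncoder is the HttpEncoder-derived class the library ships for exactly this purpose.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Slide 13: turn request validation off so the alert("Hello World") payload
         actually reaches the page and the encoders can be tested on their own.
         On .NET 4.0 validateRequest="false" on its own is ignored; the runtime
         has to be dropped back to requestValidationMode="2.0" as well.
         This is a test-bench setting only: never ship a site with it. -->
    <pages validateRequest="false" />

    <!-- Slide 15: make the AntiXSS encoder the default HttpEncoder. After this,
         Server.HtmlEncode, HttpUtility.HtmlEncode and the <%: %> syntax all use
         the library's white-list rules instead of the framework's black-list.
         The type name is "class, assembly"; the assembly is AntiXssLibrary.dll in bin. -->
    <httpRuntime requestValidationMode="2.0"
                 encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary" />
  </system.web>
</configuration>
```

Keep the two settings separate in your head: the encoderType line is the one you want in production, the validateRequest/requestValidationMode pair exists only so the test on slide 14 can get its payload past the framework's detector.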

16 Right-click References and browse to AntiXSSLibrary.dll to add it to the references. More issues:

17 Encoder works well: this function is deprecated; there is a newer function call to use instead.

18 Sanitizer.GetSafeHtmlFragment issue: Sanitizer is not in the namespace. From the release notes: "The HTML Sanitization methods, GetSafeHtml() and GetSafeHtmlFragment() have been moved to a separate assembly. This enables the AntiXssLibrary assembly to run in medium trust environments, a common user request. If you wish to use the Html Sanitization library you must now include the HtmlSanitizationLibrary assembly. This assembly requires full trust and the ability to run unsafe code."

19 Sanitizer works! Tried: Flowers, roses, plants & gift baskets delivered. Order flowers from
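The encoder and sanitizer calls from slides 17 to 19 in one console program, as an added example that is not from the slides. It assumes a project referencing both AntiXssLibrary.dll and HtmlSanitizationLibrary.dll from the v4.2.1 install (both expose the Microsoft.Security.Application namespace); the payload and the rich-text sample are constructed here, and the AntiXssDemo class and its method names are mine.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Security.Application;   // Encoder and the obsolete AntiXss class (AntiXssLibrary.dll), Sanitizer (HtmlSanitizationLibrary.dll)

static class AntiXssDemo
{
    // Constructed payload: the alert from slide 11 wrapped in a script element.
    const string Payload = "<script>alert(\"Hello World\")</script>";

    // Slide 17: the v3 entry point still compiles in 4.x but carries [Obsolete] (warning CS0618);
    // Encoder is the replacement. Returns both results so a caller can compare them.
    static KeyValuePair<string, string> OldAndNewHtmlEncode(string input)
    {
#pragma warning disable 618
        string oldStyle = AntiXss.HtmlEncode(input);
#pragma warning restore 618
        string newStyle = Encoder.HtmlEncode(input);
        return new KeyValuePair<string, string>(oldStyle, newStyle);
    }

    // Output encoding is per context: pick the encoder for where the data lands.
    // White-list behaviour means anything outside the safe set becomes an escape
    // (an HTML entity, a \xHH JavaScript escape, or %HH for URLs).
    static Dictionary<string, string> EncodeForEachContext(string input)
    {
        return new Dictionary<string, string>
        {
            { "element content",        Encoder.HtmlEncode(input) },            // <p>...</p>
            { "attribute value",        Encoder.HtmlAttributeEncode(input) },   // value="..."
            { "JavaScript string",      Encoder.JavaScriptEncode(input, true) },// var s = ...; quotes emitted
            { "URL query value",        Encoder.UrlEncode(input) },             // ?q=...
        };
    }

    // Slides 18-19: sanitizing is not encoding. GetSafeHtmlFragment keeps markup the
    // library considers harmless and drops the rest. The script element never survives;
    // what else survives (style attributes, a/b tags) is the v4.2.1 behaviour the reviews
    // complain about, so inspect the result for the markup your editor needs.
    static string SanitizeFragment(string untrustedHtml)
    {
        return Sanitizer.GetSafeHtmlFragment(untrustedHtml);
    }

    static bool ContainsScript(string html)
    {
        return html.IndexOf("<script", StringComparison.OrdinalIgnoreCase) >= 0;
    }

    static void Main()
    {
        var pair = OldAndNewHtmlEncode(Payload);
        Console.WriteLine("AntiXss.HtmlEncode : " + pair.Key);
        Console.WriteLine("Encoder.HtmlEncode : " + pair.Value);

        foreach (var kv in EncodeForEachContext(Payload))
            Console.WriteLine(kv.Key.PadRight(18) + ": " + kv.Value);

        // Constructed rich-text sample in the spirit of the slide-19 test, with the payload appended.
        string rich = "<p style=\"color:red\"><b>Flowers</b>, roses, plants &amp; gift baskets delivered.</p>" + Payload;
        string cleaned = SanitizeFragment(rich);
        Console.WriteLine("Sanitized          : " + cleaned);
        Console.WriteLine("Script survived?   : " + ContainsScript(cleaned));   // expected False
    }
}
```

The encoders never remove anything; they make the payload display as text, which is why a `<script>` element comes back as `&lt;script&gt;` and still reads as the attacker typed it. The sanitizer is the opposite trade: it returns HTML that the browser will interpret, and it is the one whose results changed between v3.1 and v4.2.1, so it is the call whose output should be diffed against your editor's markup before upgrading.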

20 The epic adventure ends. AntiXSSLibrary v3.1 worked great. AntiXSSLibrary v4.2.1 needs a lot of help. Questions?

