Microsoft Releases Anti-XSS Web Protection Library

2010-06-02T16:37:00
ID MICROSOFT-RELEASES-ANTI-XSS-WEB-PROTECTION-LIBRARY-060210/74047
Type threatpost
Reporter Ryan Naraine
Modified 2013-04-17T16:36:52

Description

Microsoft has released an open-source Web Protection Library (WPL) to help developers protect web sites from cross-site scripting attacks.

The WPL, which is a set of .NET assemblies, is being offered as part of a defense-in-depth strategy to add an extra layer to any validation or secure coding practices.

It essentially provides a list of encoding functions for user input, including HTML, HTML attributes, XML, CSS and JavaScript.

  • White Lists: AntiXSS differs from the standard .NET framework encoding by using a white list approach. All characters not on the white list will be encoded using the correct rules for the encoding type. Whilst this comes at a performance cost, AntiXSS has been written with performance in mind.
  • Secure Globalization: The web is a global market place, and cross-site scripting is a global issue. An attack can be coded anywhere, and Anti-XSS now protects against XSS attacks coded in dozens of languages.
  • Security Runtime Engine: The Security Runtime Engine (SRE) provides a wrapper around your existing web sites, ensuring that common attack vectors do not make it to your application. Protection is provided as standard for Cross Site Scripting and SQL Injection.
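
The white-list approach from the first bullet, with the safe list widened for another script as in the second, shown as an added sketch in Python (not code from the Web Protection Library, which is .NET, and not from the article). The safe list, the Greek range and the sample string are assumptions chosen for the illustration; the black-list baseline is Python's standard `html.escape`.

```python
import html

# Assumed safe list for this sketch (not the library's real table):
# ASCII letters, digits, space and four punctuation marks.
ASCII_SAFE = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 .,-_"
)
# Assumed extra safe range for non-English text: Greek and Coptic block.
GREEK = range(0x0370, 0x0400)


def is_safe(ch, extra_ranges=()):
    return ch in ASCII_SAFE or any(ord(ch) in r for r in extra_ranges)


def whitelist_html_encode(text, extra_ranges=()):
    """Emit safe-listed characters as-is; encode all others as &#NNN;."""
    return "".join(
        ch if is_safe(ch, extra_ranges) else f"&#{ord(ch)};" for ch in text
    )


def blacklist_html_encode(text):
    """Baseline: escape only & < > " ' and pass everything else through."""
    return html.escape(text, quote=True)


def passed_through(text, encoder):
    """Characters outside ASCII_SAFE that the encoder leaves unchanged."""
    return sorted(
        {ch for ch in text if ch not in ASCII_SAFE and encoder(ch) == ch}
    )


# Constructed sample: markup, punctuation off the safe list, Greek letters.
SAMPLE = "size=10 `tick` <b> \u03b1\u03b2\u03b3"

if __name__ == "__main__":
    encoders = {
        "black list": blacklist_html_encode,
        "white list": whitelist_html_encode,
        "white list + Greek": lambda s: whitelist_html_encode(s, (GREEK,)),
    }
    for name, enc in encoders.items():
        print(f"{name}: {enc(SAMPLE)}")
        print(f"  left unencoded: {passed_through(SAMPLE, enc)}")
```

The black-list encoder leaves `=`, the backtick and every non-ASCII character untouched because nobody listed them; the white-list encoder leaves nothing unencoded unless a range was explicitly marked safe.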

Documentation and download instructions can be found at the open-source Codeplex site.