https://wpl.codeplex.com/

Before understanding Anti-Cross Site Scripting Library (AntiXSS), let us understand Cross-Site Scripting(XSS).

Cross-site Scripting (XSS)

Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page.

Cross-Site Scripting (XSS) attacks occur when:

  1. Data enters a Web application through an untrusted source, most frequently a web request.
  2. The data is included in dynamic content that is sent to a web user without being validated for malicious code.

The malicious content sent to the web browser often takes the form of a segment of JavaScript, but may also include HTML, Flash or any other type of code that the browser may execute. The variety of attacks based on XSS is almost limitless, but they commonly include transmitting private data like cookies or other session information to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user's machine under the guise of the vulnerable site.

Anti-Cross Site Scripting Library

AntiXSS helps you to protect your current applications from cross-site scripting attacks, at the same time helping you to protect your legacy application with its Security Runtime Engine. AntiXSS incorporates radically and innovatively rethought features, offering you a newer, more powerful weapon against the often employed cross-site scripting (XSS) attack. AntiXSS gives you:

  • Improved Performance. AntiXSS has been completely rewritten with performance in mind, and yet retains the fundamental protection from XSS attacks that you have come to rely on for your applications.
  • Secure Globalization. The web is a global market place, and cross-site scripting is a global issue. An attack can be coded anywhere, and Anti-XSS now protects against XSS attacks coded in dozens of languages.
  • Standards Compliance. AntiXSS is written to comply with modern web standards. You can protect your web application without adversely affecting its UI.

How it works?

Proper output encoding and good input validation will fix the XSS issue. For output encoding, use AntiXSS Library for its comprehensive encoding capabilities. AntiXSS works by looking at all the characters in the input and encoding characters not in the whitelist.

XSS Vulnerability

Hide   Copy Code
Response.Write(Request.Params["input"]);

To prevent XSS, we need to use the below code (AntiXSS):

Hide   Copy Code
AntiXss.UrlEncode(TextBox1.Text)

AntiXss.HtmlAttributeEncode(TextBox1.Text)

AntiXss.XmlEncode(TextBox1.Text)

AntiXss.JavaScriptEncode(item)

You can download AntiXSS library from here.

Anti XSS 防跨站脚本攻击库的更多相关文章

  1. XSS防跨站脚本攻击-AntiSamy的基本使用

    XSS:跨站脚本攻击(Cross Site Scripting),为不和 CSS混淆,故将跨站脚本攻击缩写为XSS.XSS是指恶意攻击者往Web页面里插入恶意Script代码,当用户浏览该页时,嵌入其 ...

  2. web 安全 & web 攻防: XSS(跨站脚本攻击)和 CSRF(跨站请求伪造)

    web 安全 & web 攻防: XSS(跨站脚本攻击)和 CSRF(跨站请求伪造) XSS(跨站脚本攻击)和CSRF(跨站请求伪造) Cross-site Scripting (XSS) h ...

  3. thinkphp 防止XSS(跨站脚本攻击)

    XSS(跨站脚本攻击)可以用于窃取其他用户的Cookie信息,要避免此类问题,可以采用如下解决方案: 直接过滤所有的JavaScript脚本: 转义Html元字符,使用htmlentities.htm ...

  4. xss(跨站脚本攻击)

    xss(跨站脚本攻击) 原理:攻击者可以通过在页面中注入恶意链接或者脚本代码,当受害者访问时,脚本代码会在其浏览器中执行,这个时候,我们可以获取当前用户的cookie或者进行重定向等操作. xss造成 ...

  5. 聊两句XSS(跨站脚本攻击)

    XSS(跨站脚本攻击),聊两句,五毛的. XSS的危害: 窃取Cookie,盗用用户身份信息 这玩意儿是大多数XSS的目标,也好解决,可以先治个标,直接设置HttpOnly=true ,即不允许客户端 ...

  6. XSS(跨站脚本攻击)的最全总结

    从OWASP的官网意译过来,加上自己的理解,算是比较全面的介绍.有兴趣的可私下交流. XSS 跨站脚本攻击 ============================================== ...

  7. 关于XSS(跨站脚本攻击)和CSRF(跨站请求伪造)

    我们常说的网络安全其实应该包括以下三方面的安全: 1.机密性,比如用户的隐私被窃取,帐号被盗,常见的方式是木马. 2.完整性,比如数据的完整,举个例子,康熙传位十四子,被当时四阿哥篡改遗诏:传位于四子 ...

  8. Magicodes.WeiChat——使用AntiXssAttribute阻止XSS(跨站脚本攻击)攻击

    跨站脚本攻击(Cross Site Scripting),为不和层叠样式表(Cascading Style Sheets, CSS)的缩写混淆,故将跨站脚本攻击缩写为XSS.恶意攻击者往Web页面里插 ...

  9. Web安全测试之XSS(跨站脚本攻击)

    XSS 全称(Cross Site Scripting) 跨站脚本攻击, 是Web程序中最常见的漏洞.指攻击者在网页中嵌入客户端脚本(例如JavaScript), 当用户浏览此网页时,脚本就会在用户的 ...

随机推荐

  1. CCF 201512-4 送货(错误)

    直接用DFS深搜,检查了好久没能发现错误,贴上来以后慢慢看... /* DFS深度优先搜索 Edge保存边 u{v,been} cnt记录走过的街道 如果没有就return ;继续递归 */ #inc ...

  2. spring 拦截器

    1.mvc.xml <!-- 自定义拦截链配置 --> <mvc:interceptors> <mvc:interceptor> <mvc:mapping p ...

  3. HTML 字符实体 &lt; &gt: &amp;等

    在 HTML 中,某些字符是预留的. 在 HTML 中不能使用小于号(<)和大于号(>),这是因为浏览器会误认为它们是标签. 如果希望正确地显示预留字符,我们必须在 HTML 源代码中使用 ...

  4. 命令行工具aspnet_regiis.exe实现加密和解密web.config

    命令行工具aspnet_regiis.exe,是一个类似于DOS的命令工具,称之为命令解释器.使用命令行工具加密和解密web.config文件中的数据库连接字符串时,只需要简单的语法命令即可. 加密语 ...

  5. oracle数据查询

    select * from XMBL_EM_DBBACK where f_djbh='DB01201612270013'select * from flow_task_list where biz_d ...

  6. SSH项目里面 忘记密码的邮件发送功能

    package com.xxx.util; import java.util.Date; import java.util.Properties; import javax.mail.Address; ...

  7. 排序算法汇总(C/C++实现)

    前言:     本人自接触算法近2年以来,在不断学习中越多地发觉各种算法中的美妙.之所以在这方面过多的投入,主要还是基于自身对高级程序设计的热爱,对数学的沉迷.回想一下,先后也曾参加过ACM大大小小的 ...

  8. javascript中针对float的ceil及floor

    function floorFloat(num, precision) { return +(Math.floor(+(num + 'e' + (precision))) + 'e' + -(prec ...

  9. Javascript字节转换

    //文件大小转换 function bytesToSize(bytes) { if (bytes === 0) return '0 B'; var k = 1024; sizes = ['B', 'K ...

  10. linux的用户与用户组

    1.上面这个花花绿绿的图片,来自linxu 下etc/passwd文件. 我们来详细的看下这些都值得是什么东西,这些内容都是用冒号来分割的. 2.etc/shadow 3.对比一下这两个文件的权限,为 ...