https://wpl.codeplex.com/

Before understanding Anti-Cross Site Scripting Library (AntiXSS), let us understand Cross-Site Scripting(XSS).

Cross-site Scripting (XSS)

Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page.

Cross-Site Scripting (XSS) attacks occur when:

  1. Data enters a Web application through an untrusted source, most frequently a web request.
  2. The data is included in dynamic content that is sent to a web user without being validated for malicious code.

The malicious content sent to the web browser often takes the form of a segment of JavaScript, but may also include HTML, Flash or any other type of code that the browser may execute. The variety of attacks based on XSS is almost limitless, but they commonly include transmitting private data like cookies or other session information to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user's machine under the guise of the vulnerable site.

Anti-Cross Site Scripting Library

AntiXSS helps you to protect your current applications from cross-site scripting attacks, at the same time helping you to protect your legacy application with its Security Runtime Engine. AntiXSS incorporates radically and innovatively rethought features, offering you a newer, more powerful weapon against the often employed cross-site scripting (XSS) attack. AntiXSS gives you:

  • Improved Performance. AntiXSS has been completely rewritten with performance in mind, and yet retains the fundamental protection from XSS attacks that you have come to rely on for your applications.
  • Secure Globalization. The web is a global market place, and cross-site scripting is a global issue. An attack can be coded anywhere, and Anti-XSS now protects against XSS attacks coded in dozens of languages.
  • Standards Compliance. AntiXSS is written to comply with modern web standards. You can protect your web application without adversely affecting its UI.

How it works?

Proper output encoding and good input validation will fix the XSS issue. For output encoding, use AntiXSS Library for its comprehensive encoding capabilities. AntiXSS works by looking at all the characters in the input and encoding characters not in the whitelist.

XSS Vulnerability

Hide   Copy Code
Response.Write(Request.Params["input"]);

To prevent XSS, we need to use the below code (AntiXSS):

Hide   Copy Code
AntiXss.UrlEncode(TextBox1.Text)

AntiXss.HtmlAttributeEncode(TextBox1.Text)

AntiXss.XmlEncode(TextBox1.Text)

AntiXss.JavaScriptEncode(item)

You can download AntiXSS library from here.

Anti XSS 防跨站脚本攻击库的更多相关文章

  1. XSS防跨站脚本攻击-AntiSamy的基本使用

    XSS:跨站脚本攻击(Cross Site Scripting),为不和 CSS混淆,故将跨站脚本攻击缩写为XSS.XSS是指恶意攻击者往Web页面里插入恶意Script代码,当用户浏览该页时,嵌入其 ...

  2. web 安全 & web 攻防: XSS(跨站脚本攻击)和 CSRF(跨站请求伪造)

    web 安全 & web 攻防: XSS(跨站脚本攻击)和 CSRF(跨站请求伪造) XSS(跨站脚本攻击)和CSRF(跨站请求伪造) Cross-site Scripting (XSS) h ...

  3. thinkphp 防止XSS(跨站脚本攻击)

    XSS(跨站脚本攻击)可以用于窃取其他用户的Cookie信息,要避免此类问题,可以采用如下解决方案: 直接过滤所有的JavaScript脚本: 转义Html元字符,使用htmlentities.htm ...

  4. xss(跨站脚本攻击)

    xss(跨站脚本攻击) 原理:攻击者可以通过在页面中注入恶意链接或者脚本代码,当受害者访问时,脚本代码会在其浏览器中执行,这个时候,我们可以获取当前用户的cookie或者进行重定向等操作. xss造成 ...

  5. 聊两句XSS(跨站脚本攻击)

    XSS(跨站脚本攻击),聊两句,五毛的. XSS的危害: 窃取Cookie,盗用用户身份信息 这玩意儿是大多数XSS的目标,也好解决,可以先治个标,直接设置HttpOnly=true ,即不允许客户端 ...

  6. XSS(跨站脚本攻击)的最全总结

    从OWASP的官网意译过来,加上自己的理解,算是比较全面的介绍.有兴趣的可私下交流. XSS 跨站脚本攻击 ============================================== ...

  7. 关于XSS(跨站脚本攻击)和CSRF(跨站请求伪造)

    我们常说的网络安全其实应该包括以下三方面的安全: 1.机密性,比如用户的隐私被窃取,帐号被盗,常见的方式是木马. 2.完整性,比如数据的完整,举个例子,康熙传位十四子,被当时四阿哥篡改遗诏:传位于四子 ...

  8. Magicodes.WeiChat——使用AntiXssAttribute阻止XSS(跨站脚本攻击)攻击

    跨站脚本攻击(Cross Site Scripting),为不和层叠样式表(Cascading Style Sheets, CSS)的缩写混淆,故将跨站脚本攻击缩写为XSS.恶意攻击者往Web页面里插 ...

  9. Web安全测试之XSS(跨站脚本攻击)

    XSS 全称(Cross Site Scripting) 跨站脚本攻击, 是Web程序中最常见的漏洞.指攻击者在网页中嵌入客户端脚本(例如JavaScript), 当用户浏览此网页时,脚本就会在用户的 ...

随机推荐

  1. 使用Minicom基于串口调试HiKey

    虽然通过adb shell调试方便,但是有些时候不得不借助于串口进行调试,比如测试suspend to ram之类的功能时,adb服务被关闭. 同时在minicom中也可以进入shell,进行操作. ...

  2. Ubuntu上基于开源代码PhoneMe的J2ME环境搭建及使用

    测试环境:Ubuntu 14.04.5 LTS J2ME背景知识及PhoneME介绍 J2ME相关介绍 在正式开始介绍J2ME之前,这里我列出一些常见名词,方便与下文参照:J2ME(Java2 Pla ...

  3. anaconda

    python 集成环境 anaconda的使用 https://www.zhihu.com/question/35757251

  4. SSM整合(二):Spring4与Mybatis3整合

    上一节测试好了Mybatis3,接下来整合Spring4! 一.添加spring上下文配置 在src/main/resources/目录下的spring新建spring上下文配置文件applicati ...

  5. [转] JAVA读取excel数据(插入oracle数据库)

    原文地址:http://blog.csdn.net/zczzsq/article/details/16803349 本实例做的是读取execl(只能读取.xls的execl,即只能读取03版的),如果 ...

  6. java socket API

    java.net类 Socket java.lang.Object java.net.Socket 直接已知子类: SSLSocket public class Socketextends Objec ...

  7. Web系统大规模并发——电商秒杀与抢购

    电商的秒杀和抢购,对我们来说,都不是一个陌生的东西.然而,从技术的角度来说,这对于Web系统是一个巨大的考验.当一个Web系统,在一秒钟内收到数以万计甚至更多请求时,系统的优化和稳定至关重要.这次我们 ...

  8. FineUI配置文件

    <configuration> <configSections> <section name="FineUI" type="FineUI.C ...

  9. javascript事件操作

    这里使用一个图片切换的方法来举例说明,如何通过代码操作事件. 1 通过html属性处理事件 <img id='avatar1' src="http://7u2gej.com1.z0.g ...

  10. 【转】sublime配置默认浏览器+多浏览器快捷键

    配置在Chrome,Firefox中打开 安装 SideBarEnhancements 然后通过ctrl + k, ctrl + b打开侧边栏,在侧边栏的文件中右击,找到 open width -&g ...