Cross Site Scripting update for ASP.Net 4.5

Introduction to XSS

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables attackers to inject client-side script into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 80% of all security vulnerabilities documented by Symantec as of 2007. Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site’s owner.

ASP.NET 4.0 Implementation

The default ASP.NET implementation for encoding and decoding is the HttpEncoder class. The class contains the core encoding and decoding logic that is used by methods in classes such as HttpUtility, HttpServerUtility, and HttpResponseHeader.

You can inherit from the HttpEncoder class and override its behavior to customize the default encoder/decoder behavior of ASP.NET. You then set the EncoderType property of the HttpRuntimeSection class to configure your custom encoding/decoding class.

Because the HttpEncoder class contains the default base ASP.NET encoding functionality, a custom encoder/decoder class that derives from it can override the built-in ASP.NET encoder/decoder behavior or change only selected aspects of it.

You can configure the custom encoding type for in ASP.NET to replace or supplement the following encoding behavior:

  • HTML encoding
  • HTML attribute encoding
  • URL encoding
  • URL path encoding
  • HTTP header name and header value encoding

Notes to Inheritors

When you create a custom encoder class and override the base methods, the derived encoder might throw an exception from any of the overridden methods. However, in the following cases throwing such an exception could lead to unexpected behavior in ASP.NET:

If ASP.NET is rendering an error page that is caused by an unhandled exception that was thrown from a custom encoder, ASP.NET does not attempt to encode its error output by calling into the custom encoder. If you allow this, an unhandled exception occurs from the unhandled exception that is the handling error path. To prevent this behavior, the ASP.NET error page always uses the ASP.NET default encoder.

When ASP.NET is sending HTTP headers to IIS, ASP.NET does not expect unhandled exceptions to occur. Therefore, the standard ASP.NET error page will be rendered (if configuration settings allows this page to be displayed).

using System;
using System.Web;
using System.Web.Util;
using Microsoft.Security.Application;

public class AntiXssEncoder : HttpEncoder
{
    public AntiXssEncoder() { }
    protected override void HtmlEncode(string value, 
        System.IO.TextWriter output)
    {
        output.Write(AntiXss.HtmlEncode(value));
    }

    protected override void HtmlAttributeEncode(string value,
        System.IO.TextWriter output)
    {
        output.Write(AntiXss.HtmlAttributeEncode(value));
    }
}

After you have added this code to an application, you can configure the application to use the custom HTTP encoder. The following example from a Web.config file shows how to configure ASP.NET to use the custom http encoder.

< httpRuntime  encoderType="AntiXssEncoder" />

Upgrade in ASP.Net 4.5

Due to the popularity of the Microsoft AntiXSS Library, ASP.NET 4.5 now incorporates core encoding routines from version 4.0 of that library.
The encoding routines are implemented by the AntiXssEncoder type in the new System.Web.Security.AntiXss namespace. You can use the AntiXssEncoder type directly by calling any of the static encoding methods that are implemented in the type. However, the easiest approach for using the new anti-XSS routines is to configure an ASP.NET application to use the AntiXssEncoder by default. To do this, add the following attribute to the Web.config file:

<httpRuntime ... 
  encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web, 
    Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

When the encoderType attribute is set to use the AntiXssEncoder type, all output encoding in ASP.NET automatically uses the new encoding routines.