I have been reading up on Anti-XSS Security Runtime Engine and it looks like a nice solution for web forms because it inspects controls via reflection and automatically encodes data where appropriate. However, as I don't really use server-side controls in ASP.NET MVC, it does not seem to be a viable solution for ASP.NET MVC. Is this correct or am I missing something?
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
Testing and validating an application against security threats from the initial stages of development matters because an untested application may fail to protect valuable corporate data and resources from malicious attacks.
The Anti-XSS Security Runtime Engine is an HTTP Module primarily designed around updating legacy ASP.NET applications. If you've already written the ASP.NET MVC application with proper data cleansing with the built-in HTML Helpers (i.e. Html.Encode()), then the Anti-XSS Engine adds nothing new, and requires additional configuration (for necessary white-lists) and error checking.
All in all, you should not rely on the Anti-XSS Engine, especially if you rely on explicit control of when input is and is not rendered as HTML.
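As an added illustration of what this answer means by explicit control over encoding in MVC (not code from the question, the answers, or the AntiXSS project): the hypothetical helpers below assume ASP.NET MVC 2 or later and the AntiXSS library's Microsoft.Security.Application.Encoder class, and they make the output context (element body versus quoted attribute) part of each call site rather than relying on a runtime module.

```csharp
using System.Web.Mvc;
using Microsoft.Security.Application; // AntiXSS library encoders (NuGet package "AntiXSS")

// Hypothetical helper class (added example). Each helper names the HTML context the
// untrusted value is emitted into, so a code review can see at the call site which
// encoder was chosen and where raw output is deliberately used (Html.Raw, MvcHtmlString).
public static class UntrustedOutputHelpers
{
    // Text inside an element body, e.g. <p>@Html.UntrustedText(Model.Body)</p>
    public static MvcHtmlString UntrustedText(this HtmlHelper html, string value)
    {
        // Encoder.HtmlEncode turns < > & " ' into entities, so a value such as
        // "<script>" (constructed sample) renders as literal text, never as markup.
        return MvcHtmlString.Create(Encoder.HtmlEncode(value ?? string.Empty));
    }

    // Text inside a quoted attribute, e.g. <a title="@Html.UntrustedAttribute(Model.Title)">
    public static MvcHtmlString UntrustedAttribute(this HtmlHelper html, string value)
    {
        // Attribute context needs the attribute-specific encoder: it must neutralise the
        // quote characters that would otherwise close the attribute and start a new one.
        return MvcHtmlString.Create(Encoder.HtmlAttributeEncode(value ?? string.Empty));
    }

    // Plain-string variant usable outside a view (for example in a unit test that checks
    // the rendered fragment). Author lands in an attribute, body in element content.
    public static string CommentFragment(string author, string body)
    {
        return "<div class=\"comment\" data-author=\""
             + Encoder.HtmlAttributeEncode(author ?? string.Empty) + "\">"
             + Encoder.HtmlEncode(body ?? string.Empty)
             + "</div>";
    }
}
```

The helpers return MvcHtmlString so that Razor views (MVC 3 and later, where a plain `@expr` is HTML-encoded automatically) do not double-encode them; Html.Raw then remains the one place in a view where markup is intentionally emitted unencoded.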
Phil Haack has an interesting blog post here: http://haacked.com/archive/2009/02/07/take-charge-of-your-security.aspx. He suggests using Anti-XSS combined with CAT.NET.