Microsoft Anti-Cross Site Scripting Library V1.5 is Released!

Hello,

 

I wanted to announce that today the ACE and the ASP.NET team released V1.5 of the Anti-Cross Site Scripting Library at https://msdn2.microsoft.com/en-us/security/aa973814.aspx. This library is essentially the same library that we used to call IOSec (whose name is retiring so we can converge on a single name) and we’re excited about finally being able to provide you with tools like these to develop more secure applications!

 

Top 5 Reasons Why You Should Upgrade

Migrating to V1.5 will require a few steps on your part, but here are the top reasons why you should upgrade to this version:

  • Reason #1 - More Encoding Methods: Encoding methods for JavaScript, Visual Basic Script, XML and more will be included to provide even more protection against XSS attacks.

Encoding Method            Version 1.0    Version 1.5
HtmlEncode                 X              X
HtmlAttributeEncode                       X
UrlEncode                  X              X
JavaScriptEncode                          X
VisualBasicScriptEncode                   X
XmlEncode                                 X
XmlAttributeEncode                        X

  • Reason #2 - Allow Partially Trusted Caller Attribute (APTCA) Support: The new library can be deployed in least privileged scenarios (that's a good thing!). APTCA can certainly be abused when it is not implemented properly, so we’ve taken steps to limit that possibility, such as using the SecurityTransparent (2.0 only), RequestMinimum and RequestOptional attributes.
  • Reason #3 - Improved Documentation, Sample Applications and Tutorials: Version 1.0 contained some examples of implementations of the library; however, what was missing was a pragmatic tutorial on how to implement the library properly. Alongside this release you’ll find a tutorial on how to implement the library, along with a simple technique for determining whether data requires encoding or not, at https://msdn2.microsoft.com/en-us/library/aa973813.aspx (we already know about the image rendering issue and it's getting fixed =P). Finally, you’ll notice that the documentation for V1.5 has also been significantly improved.
  • Reason #4 - A Much Clearer and More Flexible End User License Agreement (EULA): The EULA included with V1.0 was confusing and did not allow the library to be deployed in production environments. V1.5’s EULA is much clearer and provides the ability to deploy into production environments.
  • Reason #5 - Easy Upgrade Path for V1.0 Users: Users developing on top of the V1.0 release can easily migrate to V1.5. The namespace used in V1.0 is still supported in V1.5, so V1.0 users should find migration relatively transparent.
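As an added example (not code from the library or from this post), the following Python re-implements the idea behind these per-context methods: a whitelist of characters that pass through untouched, with everything else encoded in a form that is inert in the target output context. The exact whitelist sets and the quoting of the JavaScript output are my assumptions, not the library's precise rules.

```python
# Constructed illustration of whitelist-based, per-context output encoding.
# Not the AntiXss library's own code; whitelists below are assumed.
import string

ALNUM = set(string.ascii_letters + string.digits)

def html_encode(text: str) -> str:
    """Text between HTML tags. Assumed whitelist: alphanumerics plus space , . - _"""
    safe = ALNUM | set(" ,.-_")
    return "".join(c if c in safe else f"&#{ord(c)};" for c in text)

def html_attribute_encode(text: str) -> str:
    """Value inside an attribute. Space is encoded as well, so the value cannot
    start a new attribute even if a developer forgot the surrounding quotes."""
    safe = ALNUM | set(",.-_")
    return "".join(c if c in safe else f"&#{ord(c)};" for c in text)

def url_encode(text: str) -> str:
    """Query-string parameter value: every non-alphanumeric UTF-8 byte becomes %HH."""
    return "".join(
        c if c in ALNUM else "".join(f"%{b:02X}" for b in c.encode("utf-8"))
        for c in text)

def javascript_encode(text: str) -> str:
    """String literal inside a <script> block. Returned already single-quoted;
    every non-alphanumeric character becomes \\xHH or \\uHHHH, so neither a quote
    nor a '</script>' sequence can reach the HTML parser."""
    out = []
    for c in text:
        if c in ALNUM:
            out.append(c)
        elif ord(c) < 256:
            out.append(f"\\x{ord(c):02X}")
        else:
            out.append(f"\\u{ord(c):04X}")
    return "'" + "".join(out) + "'"

def legacy_html_encode(text: str) -> str:
    """Blacklist-style encoder for comparison: only & < > and double quote are
    touched, so a single quote passes through untouched into the page."""
    return (text.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace('"', "&quot;"))

def render_profile(name: str) -> str:
    """Emit one untrusted value into four contexts, each with its own encoder."""
    return (f"<p>Hello, {html_encode(name)}</p>\n"
            f"<input value='{html_attribute_encode(name)}'>\n"
            f"<a href=\"/user?name={url_encode(name)}\">profile</a>\n"
            f"<script>var who = {javascript_encode(name)};</script>")
```

The contrast with legacy_html_encode is the reason a whitelist is used: a blacklist only protects against the characters its author remembered, while the whitelist encodes everything that is not known to be harmless.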

What’s Next?

Already people are asking this! In later versions we’ll look towards providing you with automatically encoding Web controls, intelligent filtering capabilities and much more. And of course, the ACE team will continue releasing other security tools (new versions of TAM, and others …) so keep visiting this blog for updates!

 

Thanks and enjoy this release!

 

Kevin Lam, CISSP | Senior Security Technologist | ACE Security Services Team
 
Assessing Network Security Book - https://www.microsoft.com/MSPress/books/6788.asp
Kevin Lam's Blog - https://blogs.msdn.com/kevinlam/default.aspx

Comments

  • Anonymous
    November 20, 2006
    Microsoft has now released version 1.5 [2] of the Anti-Cross Site Scripting Library [1]. With it, web applications can be hardened against cross-site scripting (XSS). The current version also includes methods for securing
  • Anonymous
    November 20, 2006
    Microsoft's Anti-Cross Site Scripting Library is intended to make it easy for developers to encode HTML output in order to avoid cross-site scripting (XSS) attacks. Unlike other encoding libraries, this library adopts the "Principle...
  • Anonymous
    November 22, 2006
    The famous anti-XSS library has been available since Monday on the Microsoft site. It must be said that this news comes
  • Anonymous
    December 23, 2006
    It all happens with input that is not properly validated from: http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh04.asp?frame=true#c04618429_006
  • Anonymous
    February 22, 2007
    Most folks know that cross-site scripting (XSS) bugs can be used to steal logon cookies, as this scenario
  • Anonymous
    January 13, 2008
    Lynn's slides - Jan 2008 Allup » SlideShare Original slides and session recordings - http://www.msdnevents.com/resources/2008-winter-resources.aspx