Partager via


AntiXSS Library V3.0 - Test Harness

Hi, Anil Chintala here…

In this post I wanted to talk about the new Test Harness application which was released as part of the AntiXSS V3.0 Beta and is available as a free download on MSDN with source code available for download on CodePlex. Test Harness application is created to help the users to quickly get started and validate the successful blocking of XSS issues by the Library and also to measure the enhanced performance claims of the AntiXSS V 3.0 against Microsoft .NET encoding library.

AntiXSS Test Harness is a windows console application that automates the following two categories of tests - XSS validation and performance tests. When executed, AntiXSS Test Harness displays this console menu:

clip_image002

Performance Test Bench uses HtmlEncode() method as a benchmark for measuring performance of the AntiXSS library - AntiXss.HtmlEncoding(…) method against the .NET - HttpUtility.HtmlEncode(…) encoding method. Input strings with a combination of safe and un-safe characters are used as payload to run the automated performance tests.

Choosing Option#1, Performance Test Bench executes performance tests that analyze such metrics as:

  • Input string lengths

  • Encoded output strings

  • and the total time taken for its execution. 

During its run, Performance Test Bench compares the execution times of .NET's HttpUtility.HtmlEncode and AntiXss.HtmlEncode and stores in an output file containing results as displayed in this illustration:

clip_image004

XSS Validation Test Bench demonstrates the successful blocking of cross-site scripts. These tests use a list of XSS exploits as payload for running the automated tests. XSS exploit list are read from a text file, each payload is run through HTMLEncode() method of the library and the encoded output is stored in an output file.

When Option 2 is selected from the above console screen, Test Harness application executes the XSS validation tests and produces the following output file:

clip_image006

Test Harness Application provides a framework for automating the XSS validation and performance evaluation. Primary objective is to help developers and testers to quickly get started and test AntiXSS library for XSS validation and performance. With the availability of source code on CodePlex it also allows advanced users to extend the automated testing capabilities as per your specific requirements.

Thanks and more later…

Comments

  • Anonymous
    January 19, 2009
    The comment has been removed
  • Anonymous
    January 19, 2009
    Can you please let us know how to use the ddl:s on a host with medium trust? We have coded stuff that works great on our local machines, but we have not managed to run this in partial trust.Yes we have tried to compile it our self with AllowPartiallyTrustedCallers, but it does not work.Also posted the question here: http://www.codeplex.com/AntiXSS/Thread/View.aspx?ThreadId=44517
  • Anonymous
    January 31, 2009
    I really would like to use the AntiXSS but have not yet been able to run it on medium trust. I found some people who also wonder how to do it and nobody have a solution.I also posted the question on CodePlex some time ago. Any help with this would be great.http://www.codeplex.com/AntiXSS/Thread/View.aspx?ThreadId=44517
  • Anonymous
    March 17, 2009
    Our mission in Information Security is to enable secure & reliable business . In going about our