Microsoft Anti-Cross Site Scripting Library V1.5 is Released!
Hello,
I wanted to announce that today the ACE and the ASP.NET team released V1.5 of the Anti-Cross Site Scripting Library at https://msdn2.microsoft.com/en-us/security/aa973814.aspx. This library is essentially the same library that we used to call IOSec (whose name is retiring so we can converge on a single name) and we’re excited about finally being able to provide you with tools like these to develop more secure applications!
Top 5 Reasons Why You Should Upgrade
Migrating to V1.5 will require a few steps on your part, but here are the top reasons why you should upgrade to this version:
- Reason #1 - More Encoding Methods: Encoding methods for JavaScript, Visual Basic Script, XML and more will be included to provide even more protection against XSS attacks.
Encoding Method | Version 1.0 | Version 1.5
--- | --- | ---
HtmlEncode | X | X
HtmlAttributeEncode | | X
UrlEncode | X | X
JavaScriptEncode | | X
VisualBasicScriptEncode | | X
XmlEncode | | X
XmlAttributeEncode | | X
- Reason #2 - Allow Partially Trusted Caller Attribute (APTCA) Support: The new library can be deployed in least privileged scenarios (that's a good thing!). There are certainly ways APTCA can be abused when not implemented properly so we’ve taken steps to limit that possibility such as using things like the SecurityTransparent (2.0 only), RequestMinimum and RequestOptional attributes.
- Reason #3 - Improved Documentation, Sample Applications and Tutorials: Version 1.0 contained some examples of implementations of the library; however, what was missing were pragmatic tutorials on how to implement the library properly. Alongside this release you’ll find a tutorial on how to implement the library, along with a simple technique for determining whether data requires encoding or not, at https://msdn2.microsoft.com/en-us/library/aa973813.aspx (we already know about the image rendering issue and it's getting fixed =P). Finally, you’ll notice that the documentation for V1.5 has also been significantly improved.
- Reason #4 - A Much Clearer and Flexible End User License Agreement (EULA): The EULA included with V1.0 was confusing and did not allow the library to be deployed in production environments. V1.5’s EULA is much clearer and provides the ability to deploy into production environments.
- Reason #5 – Easy Upgrade Path for V1.0 Users: Users developing on top of the V1.0 release can easily migrate to V1.5. The old namespace used in V1.0 is supported in V1.5 and so V1.0 users should find migration relatively transparent.
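An added illustration of the context-specific, inclusion-list encoding that the encoders in Reason #1 provide, written in Python; it is not the library's code or its .NET API. The safe-character list, the numeric-entity format and the `\xNN` escape format are assumptions modelled on the library's approach, and the sample input is constructed.

```python
import string

# Inclusion list: only these characters pass through unchanged; everything else
# is encoded. Modelled on the library's allow-list approach (exact list assumed).
SAFE_CHARS = frozenset(string.ascii_letters + string.digits + " .,-_")


def _encode(value: str, safe: frozenset, escape) -> str:
    return "".join(ch if ch in safe else escape(ch) for ch in value)


def html_encode(value: str) -> str:
    """For text between HTML tags: non-safe characters become numeric entities."""
    return _encode(value, SAFE_CHARS, lambda ch: f"&#{ord(ch)};")


def html_attribute_encode(value: str) -> str:
    """For an HTML attribute value. Space is encoded as well, so a value that
    lands in an unquoted attribute cannot start a second attribute."""
    return _encode(value, SAFE_CHARS - {" "}, lambda ch: f"&#{ord(ch)};")


def javascript_encode(value: str) -> str:
    """For a JavaScript string literal. Returns the literal with its quotes so
    the caller cannot get the quoting wrong; HTML entities are useless here."""
    def esc(ch: str) -> str:
        cp = ord(ch)
        return f"\\x{cp:02x}" if cp < 0x100 else f"\\u{cp:04x}"
    return "'" + _encode(value, SAFE_CHARS, esc) + "'"


def render_fragment(untrusted: str) -> dict:
    """Place one untrusted value into three output contexts, each with the
    encoder for that context. Returns the fragments so they can be checked."""
    return {
        "element": f"<span>{html_encode(untrusted)}</span>",
        "attribute": f'<input value="{html_attribute_encode(untrusted)}">',
        "script": f"<script>var name = {javascript_encode(untrusted)};</script>",
    }


if __name__ == "__main__":
    # Constructed sample input containing quotes, brackets and an ampersand.
    sample = "Bob's <b>\"Bold\"</b> & co"
    for context, fragment in render_fragment(sample).items():
        print(f"{context:9}: {fragment}")
```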
What’s Next?
Already people are asking this! In later versions we’ll look towards providing you with automatically encoding Web controls, intelligent filtering capabilities and much more. And of course, the ACE team will continue releasing other security tools (new versions of TAM, and others …) so keep visiting this blog for updates!
Thanks and enjoy this release!
Kevin Lam, CISSP | Senior Security Technologist | ACE Security Services Team
Assessing Network Security Book - https://www.microsoft.com/MSPress/books/6788.asp
Kevin Lam's Blog - https://blogs.msdn.com/kevinlam/default.aspx
Comments
- Anonymous
November 20, 2006
Microsoft has now released version 1.5 [2] of the Anti-Cross Site Scripting Library [1]. With it, web applications can be hardened against cross-site scripting (XSS). The current version also includes methods for securing
- Anonymous
November 20, 2006
Microsoft's Anti-Cross Site Scripting Library is intended to make it easy for developers to encode HTML output in order to avoid cross-site scripting (XSS) attacks. Unlike other encoding libraries, this library adopts the "Principle...
- Anonymous
November 22, 2006
The well-known anti-XSS library has been available on Microsoft's site since Monday. It has to be said that this news comes
- Anonymous
December 23, 2006
It all happens with input that is not properly validated from: http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh04.asp?frame=true#c04618429_006
- Anonymous
February 22, 2007
Most folks know that cross-site scripting (XSS) bugs can be used to steal logon cookies, as this scenario
- Anonymous
January 13, 2008
Lynn's slides - Jan 2008 Allup » SlideShare Original slides and session recordings - http://www.msdnevents.com/resources/2008-winter-resources.aspx