tags:

views:

990

answers:

2
+9  Q: 

Should I use the Anti-XSS Security Runtime Engine in ASP.NET MVC?

I have been reading up on Anti-XSS Security Runtime Engine and it looks like a nice solution for web forms because it inspects controls via reflection and automatically encodes data where appropriate. However as I don't really use server side controls in ASP.NET MVC, it does not seem to be a viable solution for ASP.NET MVC. Is this correct or am I missing something?

+5  A: 

The Anti-XSS Security Runtime Engine is an HTTP Module primarily designed around updating legacy ASP.NET applications. If you've already written the ASP.NET MVC application with proper data cleansing with the built in HTML Helpers (i.e. Html.Encode()), then the Anti-XSS Engine adds nothing new, and requires additional configuration (for necessary white-lists) and error checking.

All in all, you should not rely on the Anti-XSS Engine, especially if you rely on explicit control of when input is and is not rendered as HTML.

Jon  2009-06-18 07:53:32
Kind of - I own AntiXss and the SRE and whilst they're part of the same project they're not the same thing.AntiXSS's encoding differs from the .NET encoders in that we use safe lists, rather than unsafe lists to decide which characters need to be turned into their hex equivalents and which don't. This has a performance cost, but is inherently safer. So there is an advantage to using those encoding routines.The security runtime is a different beast, it's a simple application firewall which looks for common attacks. Parts of it are web forms specific, parts work with both webforms and MVC
blowdart  2010-07-15 01:59:43
+2  A: 

Phil Haack has an interesting blog post here- http://haacked.com/archive/0001/01/01/take-charge-of-your-security.aspx. He suggests using Anti-XSS combined with CAT.NET.

RichardOD  2009-06-18 11:57:13
Reading this article pretty much re-affirms my understanding of lack of server side controls in ASP.NET MVC. "With MVC, we’ve swapped server controls with our helper methods, which properly encode output"
Blegger  2009-06-18 15:19:22
[Updated link](http://haacked.com/archive/2009/02/07/take-charge-of-your-security.aspx) to Haack's blog entry.
patridge  2010-05-17 13:56:10

related questions

Why does this remote script cause IE6 to hang?
HTTP input filter like mod_security for WebSphere?
Should I sanitize HTML markup for a hosted CMS?
HTML/Javascript app that runs on the filesystem, security issue
Gracefully closing a frame (toolbar) around an iframe
What's the best method for sanitizing user input with PHP?
How do you htmlencode using html agility pack?
XSS Blacklist - Is anyone aware of a reasonable one?
Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?
What percentage of my time will be spent in user input verfication during web development?
How do you allow the usage of an <img> while preventing XSS?
What are the best practices for avoid xss attacks in a PHP site
How do use fckEditor safely, without risk of cross site scripting?
Will HTML Encoding prevent all kinds of XSS attacks?
Inform potential clients about security vulnerabilities?
Best Practice: Legitimate Cross-Site Scripting
Access to restricted URI denied code: 1012
How do you set up use HttpOnly cookies in PHP
When is it Best to Sanitize User Input?
How exactly do you configure httpOnlyCookies in ASP.NET?
How do you configure HttpOnly cookies in tomcat / java webapps?
Communicating between websites (using Javascript or ?)
Best regex to catch XSS (Cross-site Scripting) attack (in Java)?
Sanitising user input using Python
Catching SQL Injection and other Malicious Web Requests