An open-source Anti-XSS Web Protection Library, from Microsoft

An open-source Anti-XSS Web Protection Library, from Microsoft

Summary: The WPL, which is a set of .NET assemblies, is being offered as part of a defense in depth strategy to add an extra layer to any validation or secure coding practices.

SHARE:

Microsoft has released an open-source Web Protection Library (WPL) to help developers protect web sites from cross-site scripting attacks.

The WPL, which is a set of .NET assemblies, is being offered as part of a defense in depth strategy to add an extra layer to any validation or secure coding practices.

It essentially provides a list of encoding functions for user input, including HTML, HTML attributes, XML, CSS and JavaScript.follow Ryan Naraine on twitter

  • White Lists: AntiXSS differs from the standard .NET framework encoding by using a white list approach. All characters not on the white list will be encoded using the correct rules for the encoding type. Whilst this comes at a performance cost AntiXSS has been written with performance in mind.
  • Secure Globalization: The web is a global market place, and cross-site scripting is a global issue. An attack can be coded anywhere, and Anti-XSS now protects against XSS attacks coded in dozens of languages.
  • Security Runtime Engine: The Security Runtime Engine (SRE) provides a wrapper around your existing web sites, ensuring that common attack vectors to not make it to your application. Protection is provided as standard forCross Site ScriptingSQL Injection.

Documentation and download instructions can be found at the open-source Codeplex site.

Topics: Open Source, Browser, Microsoft, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

13 comments
Log in or register to join the discussion
  • Plone for Windows

    Folks,
    I've about had it with PHP and its security issues.
    In fact, I've moved to Plone, which runs on Zope.
    Here's a list of (below) security features for your consideration:
    http://plone.org/products/plone/security/overview

    Plus, I run Plone behind an Apache proxy.
    All things considered, this is about as secure a web server as you'll ever find.

    Besides, if it's good enough for http://cia.gov, then it's good enough for me. :)
    Problem A1: Unvalidated Input
    How Plone handles this: All input in Plone is validated, and the framework makes sure you can never input data that is not of the required type. This is probably the number one reason why Plone sites ? even when deployed and developed by people new to web security ? are not compromised.
    Problem A2: Broken Access Control
    How Plone handles this: Plone is based on the well-proven (7 years in production), flexible and granular ACL/roles-based security model of Zope. In addition, Plone utilizes an innovative workflow-based approach to security, which means that end-users never see or modify the security settings ? they only work with security presets that have been supplied to them by the developers of the application. This greatly reduces the possibility of misconfigured security settings.
    Problem A3: Broken Authentication and Session Management
    How Plone handles this: Plone authenticates users in its own database using a SHA-1 hash of their password. Using its modular authentication system Plone can also authenticate users against common authentication systems such as LDAP and SQL as well as any other system for which a plugin is available (Gmail, OpenID, etc.). After authentication, Plone creates a session using a SHA-1 hash of a secret stored on the server and the userid (HMAC-SHA-1). Secrets can be refreshed on a regular basis to add extra security where needed. Note: Older Plone versions (i.e. before Plone 3) use a less secure method where a session cookie containing both the loginname and password for a user are used. It is highly recommended to enforce use of HTTPS encryption for such sites.
    Problem A4: Cross Site Scripting
    How Plone handles this: Plone has strong filtering in place to make sure that no potentially malicious code can ever be entered into the system. All content that is inserted is stripped of malicious tags like <script>, <embed> and <object>, as well as removing all <form> related tags, stopping users from impersonating any kind of HTTP POST requests. All destructive operations (like deletion of content) and privilege elevation (roles, permissions) are checked to be valid HTTP POST requests in addition to the usual security checking. On an infrastructure level, the TAL template language used to create pages in Plone quotes all HTML by default, effectively preventing cross site scripting.
    Problem A5: Buffer Overflow
    How Plone handles this: Buffer overflow vulnerabilities are not known to exist in the current versions of Python, and is usually more common in systems based on languages that do not have strict checking for this, like C.
    Problem A6: Injection Flaws
    How Plone handles this: Injection flaws are most common in systems that use SQL databases for content storage. Plone does not use a SQL database by default. When setting up SQL databases with Plone, they always communicate through a standard SQL connector that neutralizes injection attempts automatically.
    Problem A7: Improper Error Handling
    How Plone handles this: Plone provides almost no error information to site visitors (no stack traces, etc.). When there is an error, Plone logs the error internally. All the front-end user will see is the log entry number of the error, allowing the error to be located in the logs if it is reported to the site admin.
    Problem A8: Insecure Storage
    How Plone handles this: All the cryptographic methods in the Plone stack have been exposed to public scrutiny for years and have no known vulnerabilities.
    Problem A9: Application Denial of Service
    How Plone handles this: The most common setup for a Plone site is to to deploy it behind a caching proxy like Squid, Varnish, Apache or IIS. When configured in this way, it's very hard to bring down a Plone site with DoS attacks. (Note: In versions earlier than Plone 2.1.4 and 2.5.1, there was a potential Denial of Service attack identified in the error page of Plone, which was unnecessarily heavy. This was fixed as part of a bigger security audit performed in the same timeframe, and the current releases of Plone do not suffer from this problem.
    A10 Insecure Configuration Management
    How Plone handles this: Plone has very strict security defaults out-of-the-box, and also runs as an unprivileged user on the server. Plone website users do not have access to the file system. Because of these factors, the most common security configuration vulnerabilities in this area are avoided.

    Security track record

    Measuring or quantifying security risks in software is hard ? security is a process, not a product, and thus requires constant vigilance and good coding practices combined with security reviews. One interesting measure is the number of vulnerabilities reported by the MITRE?s Common Vulnerabilities and Exposures database, which is the main source for tracking and naming security issues.

    Here are some counts of the numbers of known vulnerabilities and exposures in some common CMS platforms and their technology stacks - also note that the Python/Zope/Plone stack has existed for several years longer than the others mentioned.

    The following data was extracted from the National Vulnerability Database, in April 8th, 2009. The figures presented represent the total number of occurrences of the term searched, with the numbers in parenthesis representing the number of occurrences in the past 3 years.

    * Plone/Zope/Python stack:
    o CVE Entries containing Plone: 10 (10)
    o CVE Entries containing Zope: 19 (4)
    o CVE Entries containing Python: 68 (46)
    * PHP-based stacks:
    o CVE Entries containing Drupal: 197 (183)
    o CVE Entries containing Joomla: 327 (314)
    o CVE Entries containing MySQL: 233 (136)
    o CVE Entries containing Postgre: 66 (32)
    o CVE Entries containing PHP: 9,989 (7,276)
    * Other stacks:
    o CVE Entries containing Perl: 2,544 (1,092)

    These numbers do not prove anything by themselves, of course, but do suggest a general trend and are a good approximation of our security track record compared to other systems.

    One should also note that when installing a CMS stack, one should consider the security records of all stack components (including add-on products and modules). That means if a CMS requires an external database server, the security of that server should be considered in addition to the security of the CMS system itself.
    Dietrich T. Schmitz, ~ Your Linux Advocate
    • RE: An open-source Anti-XSS Web Protection Library, from Microsoft

      @Dietrich T. Schmitz - how can there possibly be any flaws in any of the OSS you mention above? You regularly harp on about how the "many eyes" principle of OSS means that most major bugs are found in most OSS software, and yet, here you are lamenting the poor state of PHP. How can this be?
      de-void-21165590650301806002836337787023
      • RE: An open-source Anti-XSS Web Protection Library, from Microsoft

        @de-void I am a strong proponent of open source and believe code quality is enhanced by "many eyes", and the general transparency of public/peer review, vetting authors, safe repository keyrings, and of course, LSM AppArmor.<br>These make Ubuntu Linux the safer choice.<br><br>Still, there are issues with code that statistics reveal occur with a high degree of frequency for PHP.<br><br>That point cannot be disputed. I prefer Perl, but Python, the language used to develop Zope and Plone, is strict type safe.<br><br>XSS is a server-side issue (credit owing to Honeymonster--who has hammered home that point on several occasions--I stand corrected). <br><br>Regretfully, XSS is as much a problem for Linux servers as it is for Windows. That has troubled me for quite some time. But, I feel that Plone strongly differentiates itself on it's unique security feature set, which is why I have moved to it on my site and so have shared it with you today.<br><br>There's a nice implementation for Windows:<br><a href="http://www.enfoldsystems.com/software/server/" target="_blank" rel="nofollow"><a href="http://www.enfoldsystems.com/software/server/" target="_blank" rel="nofollow"><a href="http://www.enfoldsystems.com/software/server/" target="_blank" rel="nofollow"><a href="http://www.enfoldsystems.com/software/server/" target="_blank" rel="nofollow">http://www.enfoldsystems.com/software/server/</a></a></a></a><br>And a proxy server as well:<br><a href="http://www.enfoldsystems.com/software/proxy/" target="_blank" rel="nofollow"><a href="http://www.enfoldsystems.com/software/proxy/" target="_blank" rel="nofollow"><a href="http://www.enfoldsystems.com/software/proxy/" target="_blank" rel="nofollow"><a href="http://www.enfoldsystems.com/software/proxy/" target="_blank" rel="nofollow">http://www.enfoldsystems.com/software/proxy/</a></a></a></a><br><br>I watch attacks hit my server every day. <br><br>As far as I am concerned, state of the art-wise, there is no better CMS than Plone. Better than Sharepoint.
        Dietrich T. Schmitz, ~ Your Linux Advocate
      • Ouch! - your right but - ouch

        @de-void
        ItsTheBottomLine
      • I love this fallacy. The false dichotomy of perfection and MS equivalence.

        Nothing being perfect doesn't make there only one league.
        AzuMao
    • RE: An open-source Anti-XSS Web Protection Library, from Microsoft

      @Dietrich T. Schmitz

      Interesting statistics. You know what, try with ASP.NET as well:

      CVE Entries containing ASP.NET: 20

      Not bad considering the exposure ASP.NET has.

      I'm glad you finally figured out that XSS is a server side (application-level) issue. Unfortunately you are correct: It is as much a problem for Linux as it is for Windows. In fact, it has nothing to do with the OS.

      IMHO there's not really a good solution to the XSS problem: It is far too easy to inadvertently display something which should have been encoded. Although a framework such as ASP.NET which abstracts the "bare metal" away does guide you in the right direction, it still has too many places where novices can shoot themselves.

      I'm not familar with Plone. One could hope that the someone in the industry comes up with the end-all solution to XSS and it is quickly copied by everyone else.
      honeymonster
      • RE: An open-source Anti-XSS Web Protection Library, from Microsoft

        @honeymonster
        P.S.
        If you'd really like to see a fine example of 'Plone on Steriods', pay a visit to:
        http://www.cynapse.com/cynin
        Download their community version iso, point your VirtualBox or VMware to the iso, boot up and install.
        Set your network to bridged. and log into your browser with the ip returned by ifconfig, example:
        http://192.168.1.105

        Ryan, Dancho, this is a worthwhile exercise.
        Then compare to Sharepoint.
        cyn.in is a superset of Plone running on Debian.
        Dietrich T. Schmitz, ~ Your Linux Advocate
  • RE: An open-source Anti-XSS Web Protection Library, from Microsoft

    How about some protection from the spamming of these blogs/articles....going to lose a lot of followers (at least one) if you don't do something soon...
    puppadave
    • RE: An open-source Anti-XSS Web Protection Library, from Microsoft

      @puppadave
      Just mark 'em as spam and scroll past...

      Unless they go to a closed forum structure like vBulletin with 24/7 mods, that's just the way it is.
      ubiquitous one
      • RE: An open-source Anti-XSS Web Protection Library, from Microsoft

        @ubiquitous one

        No, it is not "just the way it is". Once it has been flagged, it should be reviewed by a moderator -- they DO havce moderators here, you know.

        The review should be more prompt than this -- as it is indeed more prompt at many other open froums with moderators.
        mejohnsn
      • RE: An open-source Anti-XSS Web Protection Library, from Microsoft

        @mejohnsn
        No matter how many times it's reviewed and deleted by a mod, the [b]used T-shirt salesmen[/b] keep coming back for more. Somebody is clicking on their links giving them a hitback which encourages them to come back and re-post again & again. It's been going on this way for months now.

        The only way to solve it is through a closed forum and zdnet won't do that. The site counter hits would drop dramatically which means advertising revenue will go down. Plus, there's no revenue money to be made keeping an ad-less closed forum open. If anything, it would [b]cost them[/b] money to staff and maintain it.

        That's just the nature of the way it is.
        ubiquitous one
  • RE: An open-source Anti-XSS Web Protection Library, from Microsoft

    Hooray for Microsoft on this one. We'll have to see how this library holds up, but I think this is the right move to be making. Layered on top of the existing .NET XSS filters this will hopefully help devs to filter out malicious input more effectively. I would like to see some halfway decent intelligent filters for SQLi LDAPi and OSCI too. They might be more difficult to do, but no reason they couldn't be done.
    TheLightcosine
  • RE: An open-source Anti-XSS Web Protection Library, from Microsoft

    Well done! Thank you very much for professional templates and community edition
    <a href="http://www.yuregininsesi.com">sesli sohbet</a> <a href="http://www.yuregininsesi.com">sesli chat</a>
    efsane