Entries Tagged 'security'

3 Ways to Prevent XSS vulnerabilities in ASP.NET web applications

Cross Site Scripting (XSS) is one of the most prevalent security issues today. Preventing XSS is pretty straightforward if you know the different options available to you. Let’s look at 3 easy options when using the .NET framework.

  • .NET "ValidateRequest" Approach
    Microsoft introduced ValidateRequest in .NET 1.1. The idea is that the framework checks incoming requests for any constructs indicative of Cross Site Scripting issues. If any problems are found, an error is raised and the request does not even get to the web application. The directive can be placed in Machine.config, web.config or at the page level. This option is turned on by default in ASP.NET.
    Microsoft has made it clear that you should not rely ONLY on this method:

    Do not rely on ASP.NET request validation. Treat it as an extra precautionary measure in addition to your own input validation.

    It is clear why Microsoft adds the precaution. This is a blacklist based approach, and every blacklist has limitations. In addition, if there is a business need to use constructs that are blacklisted by validateRequest (e.g., Ajax apps that send XML back and forth), you may need to turn off this feature.
    Let’s check what validateRequest does by cracking open the relevant DLLs.

    .NET Framework 1.1 does the following checks as seen from the disassembly:
    [Screenshot: CrossSiteScriptingValidation class for .NET 1.1]
    Reading through the code, we see that the following items are checked: expression strings, JavaScript script blocks and OnXXX event handlers, ‘<’ followed by alpha characters, and "&#". It is a decent list that catches the most common XSS vectors.

    .NET Framework 2.0 does the following checks as seen from the disassembly:
    [Screenshot: CrossSiteScriptingValidation class for .NET 2.0]
    In this case, only the following items are checked: ‘<’ followed by alpha characters, and "&#".
    It appears that MS decided to dumb down request validation when .NET framework went from 1.1 to 2.0.
    An important point to remember about "validateRequest" is that these protections apply only to certain parts of the request. Query strings, form variables and cookies are protected. Header values, server variables, ViewState and the contents of multi-part forms (e.g., file uploads) are not validated.

    From a developer’s perspective, the usefulness of this class is limited by the fact that it cannot be overridden or extended.

  • Anti-XSS Library
    The Anti-XSS library is an exhaustive blacklist. The following screenshot shows all function calls in the library (ver 1.5).
    [Screenshot: Anti-XSS library disassembly]
    As seen in the disassembly above, the coverage of the Anti-XSS library is quite good, as it handles JavaScript, VBScript and XML. Being a public class, it is possible to extend and override methods to suit your application needs. Using this library entails downloading the latest DLL and adding a reference to it in your web application project.
  • Output Encoding
    This method involves calling HttpUtility.HtmlEncode() whenever you send information to the presentation layer. This process is not as automatic as the first two methods, because the developer has to know exactly where untrusted data is being displayed and encode it at each of those points.
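As an added illustration (not code from the post), the snippet below renders one untrusted value in three output contexts and picks the matching HttpUtility encoder for each: HtmlEncode for HTML body text, HtmlAttributeEncode for an attribute value and UrlEncode for a query-string parameter. The `RenderSearchResult` method and the `userInput` string are constructed for this example.

```csharp
using System;
using System.Web; // needs a reference to System.Web.dll for HttpUtility

public static class OutputEncodingDemo
{
    // Renders user-supplied text in three different output contexts.
    // Each context needs its own encoder; HtmlEncode alone does not cover URLs.
    public static string RenderSearchResult(string userInput)
    {
        // HTML body context: '<', '>', '&' and '"' become entities, so the
        // browser displays the text instead of parsing it as markup.
        string body = "<p>You searched for: " + HttpUtility.HtmlEncode(userInput) + "</p>";

        // Attribute context: always wrap the value in double quotes and encode it,
        // so a quote inside the input cannot close the attribute early.
        // (Older framework versions do not encode the apostrophe, which is one more
        // reason to stick to double-quoted attributes.)
        string attr = "<input type=\"text\" name=\"q\" value=\""
                    + HttpUtility.HtmlAttributeEncode(userInput) + "\" />";

        // URL query-string context: percent-encode so the value stays a single
        // parameter and cannot introduce extra ones.
        string link = "<a href=\"/search.aspx?q=" + HttpUtility.UrlEncode(userInput)
                    + "\">Search again</a>";

        return body + Environment.NewLine + attr + Environment.NewLine + link;
    }

    public static void Main()
    {
        // Constructed sample containing markup characters; treated as untrusted input.
        string userInput = "<b>O'Reilly & \"friends\"</b>";
        Console.WriteLine(RenderSearchResult(userInput));
    }
}
```

Encoding is done at the point of output, not when the value is read from the request, so the same stored value can be shown safely in each context.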

PCI Standard - Fall from grace?

There has been a lot of talk lately about what people perceive to be a problem with the Payment Card Industry (PCI) standard. PCI Council kicked up dust with their recent clarification about section 6.6:

Most of the security folks are peeved by the fact that an application firewall can be used in place of a code review. I agree with the nay-sayers from a purely technical perspective. Application firewalls do not protect you from attacks for which you cannot write good signatures…and there are many, many attacks that fall in this category (authentication, authorization, etc.). Even for attacks such as SQL Injection and Cross Site Scripting, which the WAF is designed to mitigate, there may be new ways to circumvent the firewall. So, from a technical perspective it is pretty ineffective if an organization is pushing for security.

There lies the big problem. Most organizations do not really care about security. Customer data is just one piece of the puzzle to get their business done. The only reason companies take customer data seriously is because there are laws and the reputation loss. From a business and process perspective, it is just one cog of many. They know there is something called PCI and there are a few requirements to be met. And the PCI Council has given these companies a freebie in the form of web application firewall.

In my view, the whole issue about section 6.6 has to be taken in perspective. If an organization is to pass PCI requirements, they need to satisfy all sections. In other words, the PCI requirements also stipulate a lot of best practices that need to be satisfied: network segmentation (Req. 1), separation of duties (Req. 6.3), good programming practices [OWASP Top 10] (Req. 6.5) and regular vulnerability testing (Req. 11). If a company wants to be PCI compliant, they would ideally look at all of these and, in the process, become compliant. Viewed in this light, the issue of the web application firewall is a small one.

Encryption/Decryption using GnuPG

So you have decided to make the jump to using encryption to protect sensitive information on your hard disk and while sending it across the Internet. Great! One of the best freeware programs available is GnuPG.

To get started, install gpg4win. Download it, double-click on the downloaded file and you are good to go. After installation, when you right-click on a file, you should see a new option, GPGee, in your menu. This means everything went well with the install.

Now go to Start -> Programs -> GnuPG For Windows -> GPA

GPA (Gnu Privacy Assistant) is the heart of this program. What we will do next is generate keys for you to use. You see, this type of encryption depends on “keys” that carry your unique signature. The only personal identification in the keys is your name and email address. I would suggest putting in your real name and a real email address you use, so that others can find your keys easily. These keys are meant to be made public.

If you already have your own keys, skip forward to the “key import” section.

0. Generate Keys

When you started GPG, the program probably came up asking if you want to generate keys.

Say “Generate Keys” at this screen. You will be asked for your name, email address and a password, and the program will generate a key for you in a few seconds. This key will show up in your “keyring”. A keyring is where you store your own key and other users’ keys. Your key is protected by the password you entered, so don’t forget the password. The initial keyring will just have the key you just generated.

1. Encrypting/Decrypting Files

To encrypt a file, right-click on the file and select “GPGee -> Sign and Encrypt”.

A window will pop up that lists all the keys that can be used to encrypt. First choose the encryption key (box at top) by checking the box. Next, select the signing key.

After you click “ok”, you will see a file with a *.gpg extension in the same folder. This is the encrypted version of the file.

To decrypt a file, we need to reverse this process. First, right-click on the encrypted file and choose “GPGee -> Verify/Decrypt”. This will ask for your password to unlock the key that will be used for decryption. You should get a success message box after decryption. The decrypted file will show up in the same folder.

2. Sending encrypted emails

Unfortunately, there is no easy way to use GnuPG to send encrypted emails.

Update: You can use Thunderbird with Enigmail to automate this process.

Here’s what you can do.

  1. Write your email in notepad or another text editor. Save the file.
  2. Encrypt this file to get a file with a *.gpg extension.
  3. Open the *.gpg file in notepad or another text editor.
  4. Use Ctrl+A to select the data in the file, then Ctrl+C to copy the data.
  5. Paste this into your email client (Outlook, Hotmail, GMail, whatever you use).

To decrypt any encrypted emails that you get:

  1. Copy the full email from your email client.
  2. Paste this into notepad or another text editor.
  3. Save the file with a *.gpg extension.
  4. Decrypt the file using the steps in section 1.
  5. The decrypted file will show up in the same folder.

3. Sharing your key with others

This method of encryption works only when you have the keys of the people you want to send encrypted files/emails to. Likewise, others who need to send you encrypted files or emails need to have your key.

  1. Start up GPA (Start -> Programs -> GnuPG for Windows).
  2. Click on your key.
  3. Click the Export button and give it a file name.
  4. Your key will be saved to a file.

This file can then be emailed to anyone you choose. These files are meant to be public and do not have any sensitive information.

4. Importing keys from other users

  1. Start up GPA (Start -> Programs -> GnuPG for Windows).
  2. Click the Import button.
  3. You’ll be asked for a file to import keys from. Select the file and click OK.

Now the newly imported key will show up in your keyring.