
Jul 15, 2009 09:55 GMT

A Microsoft resource designed to help developers protect their ASP.NET web-based applications from cross-site scripting attacks has been released to manufacturing. Anil Revuru, from the Information Security Tools team, explained that, with the RTM of the Anti-Cross Site Scripting Library version 3.0, Microsoft had also released the library to web. Anti-XSS Library 3.0 went live on the Microsoft Download Center on July 14th, 2009, and is currently available for download for all ASP.NET developers looking to bulletproof their Cloud apps against XSS.

Revuru revealed the “new features in this version of the Microsoft Anti-Cross Site Scripting Library [including]: an expanded white list that supports more languages; performance improvements; performance data sheets (in the online help); support for Shift_JIS encoding for mobile browsers; security Runtime Engine (SRE) HTTP module; MSDN style help; a sample application.”

Microsoft indicated that Anti-XSS 3.0 was capable of not only offering protection against cross-site scripting attacks for newer apps, but also of securing legacy applications with the Security Runtime Engine. Revuru noted that the RTM version of Anti-XSS 3.0 delivered no actual changes for the library itself. In this regard, the new binaries are fully compatible with those of the Beta versions. Developers already implementing Anti-XSS 3.0 are advised to simply swap the previous binary with the new RTM binaries.

“The Microsoft Anti-Cross Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique – sometimes referred to as the principle of inclusions – to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and encodes anything outside this set (invalid characters or potential attacks). The white-listing approach provides several advantages over other encoding schemes,” Microsoft said.
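The white-listing approach in Microsoft's description, sketched as an added C# example next to a deny-list encoder for comparison; this is not code from the Anti-XSS Library or from the article. The safe set in `IsAllowed`, the class and method names, and the sample string are assumptions made for illustration, and the library's actual white list is larger.

```csharp
using System;
using System.Text;

static class EncodingDemo
{
    // Assumed safe set for this sketch: ASCII letters, digits, a little punctuation.
    static bool IsAllowed(int cp) =>
        (cp >= 'a' && cp <= 'z') || (cp >= 'A' && cp <= 'Z') ||
        (cp >= '0' && cp <= '9') ||
        (cp < 128 && " .,-_".IndexOf((char)cp) >= 0);

    // Allow-list: anything outside the safe set becomes a numeric character reference.
    public static string AllowListEncode(string input)
    {
        var sb = new StringBuilder();
        for (int i = 0; i < input.Length; i++)
        {
            int cp;
            if (char.IsSurrogatePair(input, i)) { cp = char.ConvertToUtf32(input, i); i++; }
            else if (char.IsSurrogate(input[i])) cp = 0xFFFD; // lone surrogate: substitute
            else cp = input[i];

            if (IsAllowed(cp)) sb.Append((char)cp);
            else sb.Append("&#").Append(cp).Append(';');
        }
        return sb.ToString();
    }

    // Deny-list, for comparison: only the characters someone thought to list are encoded.
    public static string DenyListEncode(string input) =>
        input.Replace("&", "&amp;").Replace("<", "&lt;")
             .Replace(">", "&gt;").Replace("\"", "&quot;");

    static void Main()
    {
        // Constructed input: quote, equals sign, backtick, angle brackets, non-ASCII letter.
        string sample = "a' b=`c` <d> \u00e9";
        Console.WriteLine(DenyListEncode(sample));  // ', = and ` pass through unchanged
        Console.WriteLine(AllowListEncode(sample)); // every character outside the safe set is encoded
    }
}
```

The deny-list output still carries the single quote, equals sign and backtick verbatim, which matters when the value lands inside an HTML attribute; the allow-list encoder has no such gaps because it never has to anticipate which characters are dangerous.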

Microsoft Anti-Cross Site Scripting Library V3.0 is available for download here.