Drops soon, promises Microsoft

Oct 19, 2009 08:19 GMT

Microsoft is cooking the next iteration of the Anti-Cross Site Scripting Library, promising that the first Community Technology Preview will be made available soon. No definitive availability date was made public at the time of this article, but Anil Revuru, Senior SDE, Information Security Tools team, did share some details about the evolution of the Anti-XSS Library. A key aspect of this evolution is the fact that the security resource is no longer focused exclusively on anti-cross site scripting. In this regard, Microsoft has rebranded the old Anti-XSS Library as the Web Protection Library or WPL.

Revuru explained that the Web Protection Library label was designed to illustrate the new mitigations added to the Anti-XSS Library and Security Runtime Engine (SRE). “WPL now includes encoding methods to provide mitigations around LDAP Injection and CSS Injections (Cascading Style Sheets) with several others planned for the future. The runtime protection module includes a new HTTP Module that detects and protects from SQL Injection attempts using a specialized SQL Parser to detect any valid SQL queries in the input,” Revuru stated.

Moving forward, Microsoft is advising developers who use ASP.NET to build websites to turn to Web Protection Library 1.0 in order to strengthen the security of their code. Until now, the Anti-XSS Library was the resource offered by the Redmond company for protection against cross site scripting attacks. The WPL CTP is designed to gather feedback from the developer community. According to the software giant, WPL CTP download links will be live in the next couple of weeks. Anti-Cross Site Scripting Library 3.0 RTM was offered in mid-2009.

Revuru supplied: “A quick summary of changes in Web Protection Library v1.0:

- New Encoder and Sanitizer classes provide encoding and sanitization functionality respectively;
- AntiXss class is marked as obsolete, now generates a warning when compiled using AntiXss but methods work the same for backwards compatibility;
- Updated Anti-XSS Module to increase performance;
- New SQL Injection detection module to detect SQL Queries in input;
- Completely redesigned configuration UI which provides easy editing of configuration files directly from within Visual Studio;
- Merged configuration files into a single web.config. Separate antixssmodule.config is not required anymore;
- SRE exposes an extensibility API which can be used to build new mitigations.”
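To show what the context-specific encoders described above (HTML, LDAP filter, CSS) do in practice, here is an added Python illustration of the allow-list encoding approach; it is not Microsoft's code, and the function names and allow-lists are this example's own assumptions rather than the WPL API.

```python
"""Context-aware output encoding in the style of the Anti-XSS / WPL
Encoder idea: every character outside a small allow-list is encoded for
the target context. Illustrative only, not Microsoft's implementation."""
import string

# Characters treated as safe in all three contexts (assumed allow-list).
_SAFE = set(string.ascii_letters + string.digits)


def html_encode(value: str) -> str:
    """Allow-list HTML encoding: letters, digits and a few harmless
    punctuation marks pass through; everything else becomes &#N;."""
    out = []
    for ch in value:
        if ch in _SAFE or ch in " ,.-_":
            out.append(ch)
        else:
            out.append(f"&#{ord(ch)};")
    return "".join(out)


def ldap_filter_encode(value: str) -> str:
    """Escape a value embedded in an LDAP search filter (RFC 4515 style):
    *, (, ), \\, NUL and all other non-allow-listed characters become
    \\XX per UTF-8 byte, so input cannot change the filter's structure."""
    out = []
    for ch in value:
        if ch in _SAFE or ch in " ,.-_@":
            out.append(ch)
        else:
            out.extend(f"\\{b:02x}" for b in ch.encode("utf-8"))
    return "".join(out)


def css_encode(value: str) -> str:
    """Escape a value used inside a CSS property. A CSS escape is a
    backslash plus up to six hex digits; padding to six digits removes
    any ambiguity with a following hex-looking character."""
    out = []
    for ch in value:
        if ch in _SAFE:
            out.append(ch)
        else:
            out.append(f"\\{ord(ch):06X}")
    return "".join(out)


def user_filter(uid: str) -> str:
    """Build an LDAP filter from a user-supplied uid; after encoding the
    result always contains exactly one (uid=...) clause."""
    return f"(uid={ldap_filter_encode(uid)})"
```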

Microsoft Anti-Cross Site Scripting Library V3.0 is currently available for download.