Microsoft AntiXSS Library v4.2.1

CSC699
Hans Hagen
5/29/12
An Epic Tale Of AntiXSSLibrary
By Hans Hagen
5/29/12
•There once was a cross-site scripting security package named Microsoft AntiXssLibrary v3.1.
•This library contained three sections that worked well together, and their names were:
•AntiXSSLibrary
•Sanitizer
•Security Run Time Engine
•Sanitizer and SRE both ran on top of AntiXSSLibrary.
•AntiXSSLibrary can be used to encode outputs on websites to prevent XSS.
•Sanitizer is used to clean up HTML output and allow safe outputs to run.
•SRE is used to wrap an old or current website to encode its outputs at runtime.
•This package was great and everyone was happy. :)
•Then one day Microsoft released AntiXSSLibrary v4.2.1. :( And things have never been the same.
•"AntiXss 4.2 Breaks everything", February 13, 2012, by eksith:
•"This is one of those situations where none of your available options are good and your least harmful alternative is to shoot yourself in the foot at a slightly odd angle so as to only lose the little toe and not the big one".
•"All of this happened when Microsoft revealed in January that their AntiXss library, now known as the Microsoft Web Protection Library (never seen a more ironic combination of words), had a vulnerability and, like all obedient drones, we must update immediately to avoid shooting ourselves in our big toe. The problem is that updating will cause you to lose your little toe".
•"You see, the new library BREAKS EVERYTHING and eats your children."
•"I was using an old version of Anti-XSS with a rich text editor (CKEditor). It was working very great. But when upgrading to the latest version, I discovered the new sanitizer is way too aggressive and is removing almost everything "rich" in the rich editor, especially colors, backgrounds, font size, etc... It's a disaster for my CMS!"
Reviews:
•"Wow - this thing is a total fail."
•"Too aggressive when it removes html elements"
•"Still no fix in place for properly processing Rich Text applications"
•"This version regressed the usability of the library to the point of making it useless"
•"Strips all A and B tags, useless"
•"Totally broken."
•"Very poor."
•"The HTML sanitizer in this release is pretty much worthless"
•"breaks compatibility with WYSIWYG HTML editors."
•"This release strips out all ref tags in an anchor tag."
•"The 4.2 is NOT backwards compatible with the previous releases. Its filtering is far too aggressive"
•The well-spun lies:
•"The Microsoft Web Protection Library (WPL) is a set of .NET assemblies which will help you protect your web sites, current, future and past."
•White lists: AntiXSS differs from the standard .NET Framework encoding by using a white list approach. All characters not on the white list will be encoded using the correct rules for the encoding type.
•Whilst this comes at a performance cost, AntiXSS has been written with performance in mind.
•Anti-XSS now protects against XSS attacks coded in dozens of languages.
•The Security Runtime Engine (SRE) provides a wrapper around your existing web sites, ensuring that common attack vectors do not make it to your application:
•Cross Site Scripting
•SQL Injection
•Framework versions supported: .NET 2.0, .NET 3.5 and .NET 4.0
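The "white list" bullet above is the one technical claim in the marketing text, so here is a small added illustration of what it means (this is my own demonstration code, not AntiXSS source, and the safe list it uses is an assumption chosen for illustration, not the library's exact list): the framework encoder replaces only the handful of characters it knows are dangerous, whereas a safe-list encoder leaves only the characters it knows are harmless and encodes everything else, so the parentheses and quotes in the slides' test payload come out encoded too.

```csharp
// Added illustration of the safe-list ("white list") encoding idea.
// Not AntiXSS source code; the safe list below is an assumption for this demo.
using System;
using System.Net;
using System.Text;

public static class SafeListHtmlEncoder
{
    // Assumed safe list: ASCII letters, digits, space, comma, period, hyphen, underscore.
    // Everything else is treated as potentially significant to an HTML parser and encoded.
    private static bool IsSafe(char c)
    {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
            || c == ' ' || c == ',' || c == '.' || c == '-' || c == '_';
    }

    // Encodes every character that is NOT on the safe list as a decimal
    // numeric character reference (&#NNN;), which browsers render as text only.
    public static string HtmlEncode(string input)
    {
        if (input == null) return null;
        var sb = new StringBuilder(input.Length * 2);
        foreach (char c in input)
        {
            if (IsSafe(c))
                sb.Append(c);
            else
                sb.Append("&#").Append((int)c).Append(';');
        }
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed test input: the script tag the slides type into the sample app.
        string payload = "<script>alert(\"Hello World\")</script>";

        // Framework ("encode what is known to be dangerous") versus safe list
        // ("encode what is not known to be harmless"). Compare the two outputs:
        // the safe-list version also encodes the parentheses and quotes.
        Console.WriteLine("Framework : " + WebUtility.HtmlEncode(payload));
        Console.WriteLine("Safe list : " + HtmlEncode(payload));
    }
}
```

The design trade-off is the one the bullet admits: encoding many more characters costs CPU and produces longer output, in exchange for not having to maintain an exhaustive list of which characters are dangerous in each context.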
•The Truth:
•SRE, a.k.a. AntiXssModule, is not currently supported and does not yet work with .NET 4.0 (as of 5/27/12).
•For an example of SRE protection see the book "Beginning ASP.NET Security", pages 50-51; they show you how it used to work.
•Sanitizer is way too aggressive at removing possibly harmful tags, which makes it almost useless.
•So Microsoft moved it into its own library, so the user has a choice whether to reference it or not.
•The following is an epic tale of loading and testing the AntiXSSLibrary v4.2.1
•Download from the following:
http://www.microsoft.com/en-us/download/search.aspx?q=antixss
•Run Antixss 4.2.1.msi install wizard:
•Nothing unusual.
•What was downloaded:
•No SRE file?
•Visual Studio:
•Ch03_Code\Samples\AntiXSSUsageSample
•Web.config:
•The AntiXssModule has to do with the SRE wrapper module, so I deleted it from the "bin" folder and removed the following from the Web.config:
•<httpModules> <add name="AntiXssModule" type="Microsoft.Security.Application.SecurityRuntimeEngine.AntiXssModule"/> </httpModules>
•Then the application AntiXSSUsageSample worked. So I tried <script>alert("Hello World")</script>
•Issues testing (default input validation):
•Bypass Visual Studio's default request validation to test the AntiXSS Library:
•In web.config add the following lines:
•<httpRuntime requestValidationMode="2.0" />
•<pages validateRequest="false"/>
•Successfully hacked!
•Difference between validation and AntiXSSLibrary:
•AntiXssLibrary is a DLL you add to the bin folder; it has routines to cleanse input, since things like Server.HtmlEncode are not enough to keep good hackers at bay. Request validation checks whether there is potential for injection (among other things).
•You could say one cleanses and the other detects.
•Web.config:
•Add <httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary"/> if you want to make AntiXSSLibrary your default encoder.
•Copy AntiXSSLibrary.dll to the project's "bin" folder.
•More issues:
•Right-click References and browse to AntiXSSLibrary.dll to add it to the references.
•Encoder works well (screenshot: the old function call is flagged as deprecated; the newer function call is shown).
•Sanitizer.GetSafeHtmlFragment issue:
•Sanitizer is not in the namespace.
•"The HTML Sanitization methods, GetSafeHtml() and GetSafeHtmlFragment(), have been moved to a separate assembly. This enables the AntiXssLibrary assembly to run in medium trust environments, a common user request. If you wish to use the Html Sanitization library you must now include the HtmlSanitizationLibrary assembly. This assembly requires full trust and the ability to run unsafe code"
•Sanitizer works!
•Tried: <b>Flowers</b>, roses, plants & gift baskets delivered. Order <b>flowers</b> from
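The last few slides exercise the two remaining pieces of the 4.2.1 package separately: the encoder (AntiXssLibrary.dll) and the sanitizer (HtmlSanitizationLibrary.dll, full trust required). The following added example is mine, not code from the slides or from Microsoft; it assumes a project that references both assemblies and uses the Encoder and Sanitizer classes of the Microsoft.Security.Application namespace, and it runs both the script payload and the rich-text string the slides try through each API so the difference in purpose is visible side by side. The obsolete call the "Encoder works well" slide points at is assumed here to be the older AntiXss.HtmlEncode.

```csharp
// Added example, not from the slides or from Microsoft.
// Assumes references to AntiXssLibrary.dll (Encoder) and
// HtmlSanitizationLibrary.dll (Sanitizer, full trust required).
using System;
using Microsoft.Security.Application;

public static class AntiXssDemo
{
    // Output encoding for a value rendered as element text: anything that could be
    // read as markup is encoded, so the browser shows the payload instead of running it.
    // Encoder.HtmlEncode is the current call; the older AntiXss.HtmlEncode is the
    // deprecated one (assumption about which call the slide's screenshot flags).
    public static string RenderAsText(string untrusted)
    {
        return Encoder.HtmlEncode(untrusted);
    }

    // A value placed inside an attribute needs the attribute-context encoder,
    // not the element-text one; context is what decides which Encoder method to use.
    public static string RenderAsAttribute(string untrusted)
    {
        return Encoder.HtmlAttributeEncode(untrusted);
    }

    // Rich text from an editor: the sanitizer keeps the markup on its allow list
    // (for example <b>) and strips the rest. In 4.2.1 "the rest" includes much of
    // the styling that the reviews quoted on the earlier slides complain about.
    public static string RenderAsRichText(string untrusted)
    {
        return Sanitizer.GetSafeHtmlFragment(untrusted);
    }

    public static void Main()
    {
        // Constructed inputs: the two strings the slides type into the sample app.
        string script = "<script>alert(\"Hello World\")</script>";
        string rich = "<b>Flowers</b>, roses, plants & gift baskets delivered. Order <b>flowers</b> from";

        Console.WriteLine("Encoded script   : " + RenderAsText(script));
        Console.WriteLine("Sanitized script : " + RenderAsRichText(script));
        Console.WriteLine("Encoded rich     : " + RenderAsText(rich));
        Console.WriteLine("Sanitized rich   : " + RenderAsRichText(rich));
        Console.WriteLine("Attribute value  : " + RenderAsAttribute(script));
    }
}
```

Usage note: once the Web.config line from the earlier slide (httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary") is in place, HttpUtility.HtmlEncode and the <%: %> page syntax already go through the AntiXSS encoder, so explicit Encoder calls matter mainly where HTML is assembled by hand. The sanitizer is the right tool only for content that is meant to keep some markup; for plain values, encoding is both simpler and not subject to the allow-list complaints in the reviews.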
•The epic adventure ends.
•AntiXSSLibrary v3.1 worked great.
•AntiXSSLibrary v4.2.1 needs a lot of help.
Questions?