Microsoft AntiXSS Library v4.2.1

Report
Microsoft AntiXSS Library v4.2.1
CSC699
Hans Hagen
5/29/12
An Epic Tale Of AntiXSSLibrary
By Hans Hagen
5/29/12
Microsoft AntiXSS Library v4.2.1
CSC699
Hans Hagen
5/29/12
•There once was a cross sight scripting security package named Microsoft AntixssLibrary
v3.1.
•This Library contained three sections that worked well together and their names where:
•AntiXSSLibary
•Sanitizer
•Security Run Time Engine
•Now, Sanitizer and SRE ran using the AntiXSSLibrary.
•AntiXSSLibrary can be used to encode outputs on websites to prevent XSS.
•Sanitizer is used to clean up HTML output and allow safe outputs to run.
•SRE is used to wrap a old or current website to encode its outputs at runtime.
•This package was great and everyone was happy. :)
•Then one day Microsoft released AntiXSSLibrary v4.2.1. :( and things have never been
the same.
Microsoft AntiXSS Library v4.2.1
•AntiXss 4.2 Breaks everything February 13, 2012 by eksith
•"This is one of those situations where none of your available
options are good and your least harmful alternative is to
shoot yourself in the foot at a slightly odd angle so as to only
loose the little toe and not the big one".
•"All of this happened when Microsoft revealed January that
their AntiXss library, now known as the Microsoft Web
Protection Library (never seen a more ironic combination of
words), had a vulnerability and like all obedient drones, we
must update immediately to avoid shooting ourselves in our
big toe. The problem is that updating will cause you to loose
your little toe".
•"You see, the new library BREAKS EVERYTHING and eats
your children."
•"I was using an old version of Anti-XSS with a rich text editor
(CkEditor). It was working very great. But when upgrading to
latest version, I discovered the new sanitized is way too
much aggressive and is removing almost everything “rich”
in the rich editor, specially colors, backgrounds, font size,
etc… It’s a disaster for my CMS!"
CSC699
Hans Hagen
5/29/12
Microsoft AntiXSS Library v4.2.1
CSC699
Hans Hagen
5/29/12
Reviews:
•"Wow - this thing is a total fail."
•"Too aggressive when it removes html elements"
•"Still no fix in place for properly processing Rich Text applications"
•"This version regressed the usability of the library to the point of making it useless"
•"Strips all A and B tags, useless"
•"Totally broken."
•"Very poor."
•"The HTML sanitizer in this release is pretty much worthless"
•"breaks compatibility with WYSIWYG HTML editors."
•"This release strips out all ref tags in an anchor tag."
•"The 4.2 is NOT backwards compatible with the previous releases. It's filtering is far
too aggressive"
Microsoft AntiXSS Library v4.2.1
CSC699
Hans Hagen
5/29/12
•The well spun lies:
•"The Microsoft Web Protection Library (WPL) is a set of .NET assemblies which will
help you protect your web sites, current, future and past."
•White Lists: AntiXSS differs from the standard .NET framework encoding by using a
white list approach. All characters not on the white list will be encoded using the
correct rules for the encoding type.
•Whilst this comes at a performance cost AntiXSS has been written with
performance in mind.
•Anti-XSS now protects against XSS attacks coded in dozens of languages.
•The Security Runtime Engine (SRE) provides a wrapper around your existing web
sites, ensuring that common attack vectors to not make it to your application.
•The Security Runtime Engine (SRE) provides a wrapper around your existing web
sites, ensuring that common attack vectors to not make it to your application.
•Cross Site Scripting
•SQL Injection
•framework version supported, .NET 2.0, .NET 3.5 and .NET 4.0
Microsoft AntiXSS Library v4.2.1
CSC699
Hans Hagen
5/29/12
•The Truth:
•SRE A.K.A. AntiXSSModule is not currently being supported, and currently does
not work with .NET 4.0 yet (5/27/12)
•For an example of SRE protection see the book "Beginning ASP.Net Security" pages
50-51, they show you how it use to work.
•Sanitizer is way to aggressive at removing possibly harmful tags, which makes it
almost useless.
•So, Microsoft moved it into it's own library so the user has a choice to reference it
or not.
•The following is an epic tale of loading and testing the AntiXSSLibrary v4.2.1
Microsoft AntiXSS Library v4.2.1
•Download from the following:
http://www.microsoft.com/en-us/download/search.aspx?q=antixss
CSC699
Hans Hagen
5/29/12
Microsoft AntiXSS Library v4.2.1
•Run Antixss 4.2.1.msi install wizard:
•Nothing unusual.
CSC699
Hans Hagen
5/29/12
Microsoft AntiXSS Library v4.2.1
•What was download:
•No SRE file?
CSC699
Hans Hagen
5/29/12
Microsoft AntiXSS Library v4.2.1
•Visual Studios:
•Ch03_Code\Sa
mples\AntiXSS
UsageSample
CSC699
Hans Hagen
5/29/12
Microsoft AntiXSS Library v4.2.1
•Web.config:
•The AntiXssModule has to do with the SRE wrapper module, so I deleted it from the
"bin" folder and removed the following from the Web.config:
•<httpModules> <add name="AntiXssModule"
type="Microsoft.Security.Application.SecurityRuntimeEngine.AntiXssModule"/>
</httpModules>
•Then the application AntiXSSUsageSample worked. So I tried <script>alert("Hello
World")</script>
CSC699
Hans Hagen
5/29/12
Microsoft AntiXSS Library v4.2.1
•Issues Testing, Default input validation:
CSC699
Hans Hagen
5/29/12
Microsoft AntiXSS Library v4.2.1
•Bypass Visual Studios Default request Validation to test AntiXSS Library:
•In web.config add the following lines:
•<httpRuntime requestValidationMode="2.0" />
•<pages validateRequest="false"/>
CSC699
Hans Hagen
5/29/12
Microsoft AntiXSS Library v4.2.1
CSC699
Hans Hagen
5/29/12
•Successfully hacked!
•Difference between Validation and AntiXSSLibrary:
•Antixsslibrary is a dll you add in the bin, it has libraries to cleanse input code since
things like server.html encode are not enough to keep good hackers at bay....the
validate request is to see if there is potential for injections (among other things).
•You could say one cleanses and the other detects
Microsoft AntiXSS Library v4.2.1
CSC699
Hans Hagen
5/29/12
•Web.config:
•Add <httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder,
AntiXssLibrary"/> if you want to make AntiXSSLibary your default encoder.
•Copy AntiXSSLibrary.dll to the
projects "bin" folder.
Microsoft AntiXSS Library v4.2.1
•More Issues:
•Right mouse button on
References and Browse to the
AntiXSSLibrary.dll to add to the
references.
CSC699
Hans Hagen
5/29/12
Microsoft AntiXSS Library v4.2.1
•Encoder works well:
This function is Deprecated.
Newer function call.
CSC699
Hans Hagen
5/29/12
Microsoft AntiXSS Library v4.2.1
CSC699
Hans Hagen
5/29/12
•Sanitizer.GetSafeHtmlFragment issue:
•Sanitizer is not in the name space
•"The HTML Sanitization methods, GetSafeHtml() and GetSafeHtmlFragment() have
been moved to a separate assembly. This enables the AntiXssLibrary assembly to
run in medium trust environments, a common user request. If you wish to use the
Html Sanitization library you must now include the HtmlSanitizationLibrary
assembly. This assembly requires full trust and the ability to run unsafe code"
Microsoft AntiXSS Library v4.2.1
•Sanitizer Works!
•Tried <b>Flowers</b>, roses, plants &amp; gift baskets delivered. Order
<b>flowers</b> from
CSC699
Hans Hagen
5/29/12
Microsoft AntiXSS Library v4.2.1
•The epic adventure ends.
•AntiXSSLibrary v3.1 worked great.
•AntiXSSLibrary v4.2.1 needs a lot of help.
Questions?
CSC699
Hans Hagen
5/29/12

similar documents