The circle of life – ** .Net – Training – MOSS **


ASP.NET XSS Security

Posted by Clayton James on June 17, 2006

I was recently going over some security issues for web applications. A discussion came up about cross-site scripting (XSS). If you don't know what XSS is, you can read about it here.

I, like many others, was under the impression that ASP.NET 1.1 eliminated XSS issues with a simple attribute called validateRequest that can be set in the page directive or web.config. Setting this to true (which is the default) basically means that you are safe from potentially malicious input – particularly anything that looks like HTML or scripting, which forms the basis for many types of attacks.

However, this is not the case, as Andrew Duthie points out here. Now, this blog post only refers to ASP.NET 1.1, and I couldn't find any solid information about vulnerabilities with validateRequest and ASP.NET 2.0. However, I shouldn't take it for granted even if this issue is fixed. I couldn't agree more with Andrew Duthie's quote below.

"… you should always treat input appropriately, regardless of any built-in features. This means always providing your own filtering and/or (preferably and) encoding of input your application accepts. "
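The following is an added example to illustrate the quote above; it is not code from the original post or from Andrew Duthie. It is a stand-alone C# console program that shows the difference between relying on request validation (an input blacklist that looks for tag-like sequences) and encoding untrusted data for the context it is written into (an attribute value or element text). The `LooksLikeMarkup` helper is a deliberately simplified stand-in for what validateRequest checks, an assumption made for the demo and not the real ASP.NET implementation; the sample inputs are constructed. `HttpUtility.HtmlEncode` and `HttpUtility.HtmlAttributeEncode` are the real encoders in System.Web.dll.

```csharp
using System;
using System.Web; // HttpUtility; reference System.Web.dll from a console project

// Added example (not from the original post): request validation is an input
// blacklist, output encoding is context-aware. Only the latter needs no guess
// about what the attacker will send.
class XssEncodingDemo
{
    // Simplified stand-in for request validation (an assumption for this demo,
    // not the actual CrossSiteScriptingValidation code, whose pattern list also
    // differed between ASP.NET 1.1 and 2.0): reject '<' followed by a letter,
    // '!', '/' or '?'. Whether a given version happens to match a particular
    // payload is beside the point; an output encoder does not need to predict it.
    static bool LooksLikeMarkup(string s)
    {
        for (int i = 0; i + 1 < s.Length; i++)
        {
            if (s[i] == '<')
            {
                char next = s[i + 1];
                if (Char.IsLetter(next) || next == '!' || next == '/' || next == '?')
                    return true;
            }
        }
        return false;
    }

    // Vulnerable pattern: untrusted value concatenated straight into an
    // attribute, exactly as a page that trusts validateRequest might do it.
    static string RenderUnsafe(string name)
    {
        return "<input type=\"text\" name=\"name\" value=\"" + name + "\">";
    }

    // Hardened: encode for the double-quoted attribute context, so a '"' in the
    // input cannot close the attribute and start an event handler.
    static string RenderSafeAttribute(string name)
    {
        return "<input type=\"text\" name=\"name\" value=\""
             + HttpUtility.HtmlAttributeEncode(name) + "\">";
    }

    // Hardened: encode for element-content context, so '<' and '&' are inert.
    static string RenderSafeText(string name)
    {
        return "<p>Hello, " + HttpUtility.HtmlEncode(name) + "</p>";
    }

    static void Main()
    {
        // Constructed sample inputs, as they might arrive in Request.QueryString["name"].
        string[] samples =
        {
            "Clayton",                                  // benign
            "<script>alert(1)</script>",                // classic tag injection
            "\" onmouseover=\"alert(document.cookie)"   // attribute breakout, no '<' at all
        };

        foreach (string input in samples)
        {
            Console.WriteLine("input:                 " + input);
            Console.WriteLine("tag-like, would reject: " + LooksLikeMarkup(input));
            Console.WriteLine("unsafe attribute:      " + RenderUnsafe(input));
            Console.WriteLine("encoded attribute:     " + RenderSafeAttribute(input));
            Console.WriteLine("encoded text:          " + RenderSafeText(input));
            Console.WriteLine();
        }
    }
}
```

Compile with `csc /r:System.Web.dll XssEncodingDemo.cs`. The third sample contains no `<` at all, so a tag-oriented filter has nothing to match, yet the unencoded attribute output turns it into a live `onmouseover` handler; the encoded attribute output keeps the whole string inside the `value` attribute. Pick the encoder by where the data lands (attribute, element text, URL, script), not by what the input looks like. The Anti-XSS library discussed further down offers its own encoders for the same contexts that can be swapped in for the `HttpUtility` calls (its `AntiXss` class in the `Microsoft.Security.Application` namespace, stated here as an assumption about the V1.0 API rather than something the post documents).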

While doing some research I came across a good Microsoft article about a range of security issues which is definitely worth a read if you are building secure ASP.NET applications.

I also came across a Microsoft Anti-XSS tool that is supported by all .NET Framework versions. You can read about it on Dan Seller's blog, which has a link to download the tool.

Microsoft Anti-Cross Site Scripting Library V1.0

This download contains the redistributable files for the Microsoft Application Security Anti-Cross Site Scripting Library. The Anti-Cross Site Scripting Library can be used to provide comprehensive protection to Web-based applications against Cross-Site Scripting (XSS) attacks.


  • Supported Operating Systems: Windows 2000; Windows Server 2003; Windows XP
  • .NET Framework: 2.0, 1.1 or 1.0
