Cross site scripting (XSS) links to information

Useful resources explaining Cross Site Scripting (XSS) and how to code/guard against it.

CERT® Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests
http://www.cert.org/advisories/CA-2000-02.html

Cross-site Scripting (XSS)
http://www.owasp.org/index.php/Cross-site_scripting

Data Validation
http://www.owasp.org/index.php/Data_Validation

Reviewing Code for Cross-site scripting
http://www.owasp.org/index.php/Review_Code_for_Cross-site_scripting

XSS (Cross Site Scripting) Prevention Cheat Sheet
http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

OWASP Enterprise Security API
"OWASP Enterprise Security API Toolkits help software developers guard against security-related design and implementation flaws. Just as web applications and web services can be Public Key Infrastructure (PKI) enabled (PK-enabled) to perform for example certificate-based authentication, applications and services can be OWASP ESAPI-enabled (ES-enabled) to enable applications and services to protect themselves from attackers."
http://www.owasp.org/index.php/ESAPI

MS AntiXSS
"AntiXSS 3.0 helps you to protect your current applications from cross-site scripting attacks, at the same time helping you to protect your legacy application with its Security Runtime Engine. Working with customer and partner feedback, AntiXSS 3.0 incorporates radically and innovatively rethought features, offering you a newer, more powerful weapon against the often employed cross-site scripting (XSS) attack."
http://www.codeplex.com/AntiXSS
