.net - Preventing XSS attacks across site -

-

i need review quite large .net 4.0 project , re-factor prevent xss attacks. first thing did turn on requestvalidation site, there else can @ global level or going case of trawling through every page, validating input , html encoding output.

there lots of pages, , 300 classic asp pages still in use.

is htmlencode() safe use or need install microsofts antixss package.

requestvalidation approach.

  1. at global level 1 more thing can think of enabling x-xss-protection header @ http responses. easy implement , gives native defences browser (ie 8+, chrome) has offer based on xss patterns. x-xss-protection: 1; mode=block

  2. you may @ content-security-policy, think in scenario may big roll out entire site.

those think of http header based xss mitigations. generic , not apply asp.net.

answering other question is htmlencode() safe use or need install microsofts antixss package what benefit make encodertype antixssencoder in mvc application?

antixssencoder uses whitelist approach identify malicious inputs [inputs result in cross site scripting (xss)].

the default encoder in asp.net uses blacklist approach.

both output encoding on data. security standpoint whitelist based approach should preferred on blacklist approach identifying malice.

excerpt http://weblogs.asp.net/jongalloway/using-antixss-4-1-beta-as-the-default-encoder-in-asp-net

1.antixss inherently more secure due using whitelist approach. many security audits , certifications require use whitelist xss encoder because blacklist potentially vulnerable unknown attacks.

2.newer browsers have better xss filtering built in, there vulnerabilities in older browser (e.g. utf-7 charset switch) wouldn't detected picked asp.net default encoder.


Comments

Post a Comment

Popular posts from this blog

java - Oracle EBS .ClassNotFoundException: oracle.apps.fnd.formsClient.FormsLauncher.class ERROR -

-
i need in configuring java on machine because, when try loading forms, loader goes in circles , gives error: java.lang.classnotfoundexception: oracle.apps.fnd.formsclient.formslauncher.class @ sun.plugin2.applet.applet2classloader.findclass(unknown source) @ sun.plugin2.applet.plugin2classloader.loadclass0(unknown source) @ sun.plugin2.applet.plugin2classloader.loadclass(unknown source) @ sun.plugin2.applet.plugin2classloader.loadclass(unknown source) @ java.lang.classloader.loadclass(unknown source) @ sun.plugin2.applet.plugin2classloader.loadcode(unknown source) @ sun.plugin2.applet.plugin2manager.createapplet(unknown source) @ sun.plugin2.applet.plugin2manager$appletexecutionrunnable.run (unknown source) @ java.lang.thread.run(unknown source) i have tried re-installing firefox, older versions of java runtime environments, disabling proxy. what missing? application working on other machines. i spent around 100 hours finding s
Read more

c# - how to use buttonedit in devexpress gridcontrol -

-
Image
i trying create gridcontrol buttonedit in 1 of columns. when user clicks button edit, popups form select product. when selection done on popup, returns datarow selection main grid below. but when column loses focus, value wrote column disappear. here code creates gridcontrol's data , buttonedit's click event. private void frmsiparisnew_load(object sender, eventargs e) { dt = new datatable(); dt.columns.add("malzeme_kodu",typeof(string)); dt.columns.add("malzeme_aciklama", typeof(string)); dt.columns.add("adet", typeof(decimal)); dt.columns.add("birim", typeof(string)); dt.columns.add("fiyat", typeof(decimal)); dt.columns.add("kur", typeof(string)); dt.columns.add("tutar", typeof(decimal)); datarow dr = dt.newrow(); dt.rows.add(dr); gc.datasource = dt; } private void repositoryitembuttoneditmal
Read more

nvd3.js - angularjs-nvd3-directives setting color in legend as well as in chart elements -

-
good morning i using angularjs-nvd3-directives, great, having difficulties when setting color of multi bar chart ( http://cmaurer.github.io/angularjs-nvd3-directives/multi.bar.chart.html ). the show legend works well: <div ng-controller="examplectrl"> <nvd3-multi-bar-chart data="exampledata" id="showlegendexample" width="550" height="300" showxaxis="true" showyaxis="true" xaxistickformat="xaxistickformatfunction()" showlegend="true"> <svg></svg> </nvd3-multi-bar-chart> </div> but when add option in conjunction color="colorfunction()" where, var colorarray = ['#ff0000', '#0000ff', '#ffff00', '#00ffff']; $scope.colorfunction = function() { return function(d, i) { return colorarray[i]; }; } the color of cha
Read more