Anti-XSS library - Use with ASP .Net website (vs. web application)?
The results of a security audit revealed that our site 开发者_运维知识库may be vulnerable to XSS attacks. Currently the only protection we have against this is by using the default ValidateRequest="true" on all pages. I have been looking into Microsoft's Anti-XSS library and after watching this video I would like to implement the Security Runtime Engine Module to protect all pages rather than manually encoding each individual item [1].
The problem I am having is generating the antixssmodule.config file using the SRE configuration generator. It is looking for an assembly but our site is built using a Website project and not a Web Application project and is therefor not built into an assembly. Am I still able to generate the config file somehow so that I can use SRE, or perhaps there is a download-able version of this file with the commonly exploited controls already defined?
[1] I also can't use the CAT.NET tool to discover all possible vulnerabilities because that tool is looking for an assembly also.
Basically no, you can't generate without a target assembly, so website projects won't work. You could, of course, use the default web.config which gets all the Microsoft web controls (I believe).
However, the SRE is meant as a patch around vulnerable web sites until you can get them fixed, it's not a permanent solution. A better approach would be to address the underlying issues and make sure you're encoding all untrusted input before outputting it to the browser.
精彩评论