AppSec Blog

ASP.Net 4: Change the Default Encoder

In ASP.Net 4.0, Microsoft added the ability to override the default encoder. This specifically covers the HtmlEncode, HtmlAttributeEncode, and UrlEncode functionality. From a security point of view, these functions exist to help mitigate cross-site scripting (XSS). The problem with the built-in .Net routines is that they are built on a black-list methodology rather than a white-list methodology: they encode only a very small list of characters. For example, the .Net version of HtmlEncode encodes the following characters: <, >, ", &. The Microsoft Web Protection Library (previously known as the Anti-XSS Library) instead determines which characters do not need encoding, a-z and 0-9 for example, and encodes all the rest. This is a much safer approach to encoding.
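To make the black-list versus white-list difference concrete, here is an added example (not code from the post or from the Web Protection Library) that implements both approaches side by side as small stand-alone encoders. The safe character set and the numeric-reference output format are this example's own choices and are not claimed to match what the Web Protection Library emits.

```csharp
using System;
using System.Text;

// Added example: contrasts a black-list encoder (only <, >, " and & are
// encoded, as the post describes for the built-in HtmlEncode) with a
// white-list encoder that leaves only a small safe set untouched and
// encodes everything else as a numeric character reference.
public static class EncoderComparison
{
    // Black-list approach: encode only a short list of known-bad characters.
    public static string BlackListHtmlEncode(string value)
    {
        if (value == null) return null;
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '<': sb.Append("&lt;"); break;
                case '>': sb.Append("&gt;"); break;
                case '"': sb.Append("&quot;"); break;
                case '&': sb.Append("&amp;"); break;
                default: sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // White-list approach: decide what is safe, encode everything else.
    public static string WhiteListHtmlEncode(string value)
    {
        if (value == null) return null;
        var sb = new StringBuilder(value.Length * 2);
        foreach (char c in value)
        {
            if (IsSafe(c))
                sb.Append(c);
            else
                sb.Append("&#").Append((int)c).Append(';');
        }
        return sb.ToString();
    }

    // Safe set chosen for this example: ASCII letters, digits, space and a
    // few punctuation marks. Anything not listed here gets encoded.
    private static bool IsSafe(char c)
    {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
            || c == ' ' || c == '.' || c == ',' || c == '-' || c == '_';
    }

    public static void Main()
    {
        // Constructed sample input: the apostrophe, colon and slash are the
        // kind of characters a short black-list passes through untouched.
        string input = "O'Neil said: <b>hi</b>";
        Console.WriteLine("Black-list: " + BlackListHtmlEncode(input));
        Console.WriteLine("White-list: " + WhiteListHtmlEncode(input));
    }
}
```

Running this shows the black-list version leaving the apostrophe as-is, which matters when the value lands inside a single-quoted HTML attribute, while the white-list version encodes it along with every other character outside the safe set. That is the property the post is after when it switches the default encoder.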

In this post, I will show you how to use the Web Protection Library as the default encoder for an ASP.Net 4.0 application. The first step is to download the Web Protection Library. In this example, I use version 4.0 which can be found at: http://wpl.codeplex.com/.

Next, you will need an application to implement this in. You can use an existing application or create a new one. Add a reference to the AntiXSSLibrary.dll found in "Program Files\Microsoft Information Security\AntiXSS Library v4.0".

To use the library, it is time to create a new class. You can see the code for my class in Figure 1. I named the class "MyEncoder", and this is just a sample. (THIS IS NOT PRODUCTION CODE) There are two important factors to this class:

1. The class must inherit from System.Web.Util.HttpEncoder.

2. You must override each Encode Method you want to change.

If you only wanted to update the HTMLEncode and leave the other methods alone, just leave them out of the class.

Figure 1

```csharp
using System;
using System.IO;
using System.Web;

// Custom encoder that delegates to the Web Protection Library.
// Only the methods overridden here change; everything else keeps
// the framework's default behaviour.
public class MyEncoder : System.Web.Util.HttpEncoder
{
    public MyEncoder() { }

    protected override void HtmlEncode(string value, TextWriter output)
    {
        if (null == value) return;
        output.Write(Microsoft.Security.Application.Encoder.HtmlEncode(value));
    }

    protected override void HtmlAttributeEncode(string value, TextWriter output)
    {
        if (null == value) return;
        output.Write(Microsoft.Security.Application.Encoder.HtmlAttributeEncode(value));
    }
}
```

The final step in implementing this custom encoding is to update the web.config file. To do this, modify your httpRuntime element to set the "encoderType" attribute, as seen in Figure 2. Change "MyEncoder" to the name of the class you created. If you do not have an httpRuntime element, just add it in.

Figure 2

```xml
<system.web>
  <compilation debug="true" targetFramework="4.0"/>
  <httpRuntime encoderType="MyEncoder"/>
  .....
```

Although it would be really nice if the .Net Framework would just start using the Web Protection Library, they are just not ready for that yet. It is important that plenty of testing is always done when working with output encoding. Different encoders produce different outputs and may cause display defects. It is also important to note that this only affects items that get auto-encoded by the framework, for example the Text property of a TextBox.

This is just a small example of modifying the default encoding type of your application. There is much more that you could potentially do with this. This is just a sample and this code is NOT FOR PRODUCTION USE.

James Jardine is a principal consultant with Jardine Software. James has over 10 years of experience developing software. His main focus is on Microsoft .Net technologies and secure development. You can read more from James at http://www.jardinesoftware.net.
