Microsoft Anti-Cross Site Scripting Library V1.5 is Released
Posted by: raptor
Date: November 22, 2006 01:14AM

from http://blogs.msdn.com/ace_team/archive/2006/11/20/microsoft-anti-cross-site-scripting-library-v1-5-is-done.aspx

Top 5 Reasons Why You Should Upgrade

Migrating to V1.5 will require a few steps on your part, but here are the top reasons why you should upgrade to this version:

* Reason #1 - More Encoding Methods: Encoding methods for JavaScript, Visual Basic Script, XML and more will be included to provide even more protection against XSS attacks.

* Reason #2 - Allow Partially Trusted Caller Attribute (APTCA) Support: The new library can be deployed in least privileged scenarios (that's a good thing!). There are certainly ways APTCA can be abused when not implemented properly so we’ve taken steps to limit that possibility such as using things like the SecurityTransparent (2.0 only), RequestMinimum and RequestOptional attributes.

* Reason #3 - Improved Documentation, Sample Applications and Tutorials: Version 1.0 contained some examples of implementations of the library; however, what was missing was pragmatic tutorials on how to implement the library properly. Alongside this release you’ll find a tutorial on how to implement the library, along with a simple technique for determining if data requires encoding or not at http://msdn2.microsoft.com/en-us/library/aa973813.aspx (we already know about the image rendering issue and it's getting fixed =P). Finally you’ll notice that the documentation for V1.5 has also been significantly improved.

* Reason #4 - A Much Clearer and Flexible End User License Agreement (EULA): The EULA included with V1.0 was confusing and did not allow the library to be deployed in production environments. V1.5’s EULA is much clearer and provides the ability to deploy into production environments.

* Reason #5 - Easy Upgrade Path for V1.0 Users: Users developing on top of the V1.0 release can easily migrate to V1.5. The old namespace used in V1.0 is supported in V1.5 and so V1.0 users should find migration relatively transparent.

Re: Microsoft Anti-Cross Site Scripting Library V1.5 is Released
Posted by: rsnake
Date: November 22, 2006 10:12AM

Lots of encoding methods listed but what about CSS obfuscation, and selected encoding issues? Has anyone actually tried this?

- RSnake
Gotta love it. http://ha.ckers.org

Re: Microsoft Anti-Cross Site Scripting Library V1.5 is Released
Posted by: Kyran
Date: November 22, 2006 12:18PM

Not yet, but my friend is a .NET developer for Gallup and is beginning to get interested in security. I'll be sure to do some collab with him in the near future.

- Kyran

Re: Microsoft Anti-Cross Site Scripting Library V1.5 is Released
Posted by: rsnake
Date: November 22, 2006 01:23PM

Let me know how it goes, or if he wants to set up a few sample sites that we can test. I'd love to see the results from that one. Definitely newsworthy one way or another.

- RSnake
Gotta love it. http://ha.ckers.org
