ASP.NET Cross Site Scripting (XSS) Protection

I have been doing some looking lately at the feasibility of filtering HTTP traffic that is junk – kind of like spam filters try to get traffic that is email spam off the wire.  This stems from some spirited mailing list debates about the value of mod_security and application firewalls in general.  The problems are different, but there may be some interesting commonalities.

One interesting example of this is ASP.NET PageValidation routine that helps to detect and stop certain cross site scripting (XSS) patterns.  This filtering isn’t perfect by any means, but it does help to get provide at least a base level of filtering of traffic that is almost surely malicious and applications have to “opt in” before they can receive traffic matching their filter patterns.

dan _at_

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
More Posts by Dan Cornell

Leave a Reply

Your email address will not be published. Required fields are marked *