0

The results of a security audit revealed that our site may be vulnerable to XSS attacks. Currently the only protection we have against this is by using the default ValidateRequest="true" on all pages. I have been looking into Microsoft's Anti-XSS library and after watching this video I would like to implement the Security Runtime Engine Module to protect all pages rather than manually encoding each individual item [1].

The problem I am having is generating the antixssmodule.config file using the SRE configuration generator. It is looking for an assembly but our site is built using a Website project and not a Web Application project and is therefor not built into an assembly. Am I still able to generate the config file somehow so that I can use SRE, or perhaps there is a download-able version of this file with the commonly exploited controls already defined?

[1] I also can't use the CAT.NET tool to discover all possible vulnerabilities because that tool is looking for an assembly also.

blowdart
  • 55,577
  • 12
  • 114
  • 149
Jay
  • 1,286
  • 2
  • 11
  • 20

1 Answers1

2

Basically no, you can't generate without a target assembly, so website projects won't work. You could, of course, use the default web.config which gets all the Microsoft web controls (I believe).

However, the SRE is meant as a patch around vulnerable web sites until you can get them fixed, it's not a permanent solution. A better approach would be to address the underlying issues and make sure you're encoding all untrusted input before outputting it to the browser.

blowdart
  • 55,577
  • 12
  • 114
  • 149