Home

Ziya SARIKAYA edited this page Jul 17, 2014 · 5 revisions

ProceXSS is an ASP.NET HTTP module for preventing XSS attacks.

Basic usage

Add the following line below the node in the web.config file:

<section name="antiXssModuleSettings" type="ProceXSS.Configuration.XssConfigurationHandler, ProceXSS"/>

and add the following configuration below the node:

<antiXssModuleSettings redirectUrl="/home" log="False" mode="Ignore" isActive="True"
controlRegex="(javascript[^*(%3a)]*(\%3a|\:))
|(\%3C*|\&lt;)[\/]*script|(document[\.])
|(window[^a-zA-Z_0-9]*[\%2e|\.])|
(setInterval[^a-zA-Z_0-9]*(\%28|\())
|(setTimeout[^a-zA-Z_0-9]*(\%28|\())|(alert[^a-zA-Z_0-9]*(\%28|\())|
eval[^a-zA-Z_0-9]*(\%28|\()|(((\%3C) &lt;)[^\n]+((\%3E) &gt;))">
    <excludeUrls>
      <add name="url1" value="/"/>
      <add name="url2" value="/default.aspx"/>
    </excludeUrls>
</antiXssModuleSettings>

The mode property has two options: Ignore and Redirect. When Redirect mode is active, the system redirects the request to the value of RedirectUri.
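To check the `controlRegex` above for false positives before switching `mode` to `Redirect`, the following console program runs five branches copied from that pattern over constructed input values. It is an added example, not ProceXSS code; the class name, the sample values and the use of default `RegexOptions` are assumptions, since the page does not say how the module compiles the pattern.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

static class ControlRegexCheck
{
    // Name and pattern of five branches copied from the controlRegex attribute,
    // with the XML entity &lt; decoded to '<' as the config parser delivers it.
    static readonly string[][] Branches =
    {
        new[] { "javascript:", @"javascript[^*(%3a)]*(\%3a|\:)" },
        new[] { "script tag",  @"(\%3C*|\<)[\/]*script" },
        new[] { "document.",   @"document[\.]" },
        new[] { "alert(",      @"alert[^a-zA-Z_0-9]*(\%28|\()" },
        new[] { "eval(",       @"eval[^a-zA-Z_0-9]*(\%28|\()" },
    };

    // Returns the name of every branch that matches the value.
    // Assumption: default RegexOptions; the page does not state the module's options.
    static List<string> Hits(string value)
    {
        var hits = new List<string>();
        foreach (var branch in Branches)
            if (Regex.IsMatch(value, branch[1])) hits.Add(branch[0]);
        return hits;
    }

    static void Main()
    {
        // Constructed sample values: one script tag, then ordinary text that a
        // form field or query string could legitimately carry.
        string[] samples =
        {
            "<script>",
            "Please review document.pdf before Friday",
            "Red alert (level 3) raised by ops",
            "retrieval(2014) archive",
            "Quarterly evaluation notes",
        };
        foreach (var s in samples)
        {
            var hits = Hits(s);
            Console.WriteLine("{0,-42} {1}", s,
                hits.Count == 0 ? "pass" : "matched: " + string.Join(", ", hits));
        }
    }
}
```

Ordinary text reported as matched is a false positive to resolve, by narrowing that branch, before the filter acts on live requests.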

The NuGet package creates XSSConfig.cs in the App_Start folder to register the module dynamically.

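using System.Web;
using ProceXSS;

// Runs XSSConfig.Start once, before the application starts.
// The type is fully qualified because the attribute sits outside the namespace.
[assembly: PreApplicationStartMethod(typeof(AcmeWeb.WebForms.XSSConfig), "Start")]
namespace AcmeWeb.WebForms
{
    public class XSSConfig
    {
        // Registers ProceXSSModule at startup instead of through a web.config module entry.
        public static void Start()
        {
            Microsoft.Web.Infrastructure
                         .DynamicModuleHelper
                         .DynamicModuleUtility.RegisterModule(typeof(ProceXSSModule));
        }
    }
}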

Or add the following configuration below

<add name="ProceXSSModule" type="ProceXSS.ProceXSSModule, ProceXSS, Version=your assembly version, Culture=neutral" />

IMPORTANT: The log feature uses NLog. If the log feature is active, you have to set up the NLog configuration. NLog documentation is available at http://nlog-project.org/wiki/

For more detailed information about XSS, visit the OWASP web site.
