O2 Script: AntiXSS – Test multiple Encodings
On the topic of AntiXSS here is a script I wrote ages ago called “AntiXSS – Test multiple Encodings.h2″ which shows quickly the different behaviours of the different .NET encoding APIs:
Here is the source of this script:
var topPanel = O2Gui.open<Panel>("AntiXSS and HttpUtility encodings", 600,300);
var result = topPanel.add_TextArea();
Action<string> showEncodings =
(textToEncode)=>{
result.set_Text("");
result.append_Line("AntiXss.HtmlEncode -> {0}".format(AntiXss.HtmlEncode(textToEncode)));
result.append_Line("------------------------");
result.append_Line("AntiXss.UrlEncode -> {0}".format(AntiXss.UrlEncode(textToEncode)));
result.append_Line("------------------------");
result.append_Line("AntiXss.JavascriptEncode -> {0}".format(AntiXss.JavaScriptEncode(textToEncode)));
result.append_Line("------------------------");
result.append_Line("System.Web.HttpUtility.HtmlEncode -> {0}".format(System.Web.HttpUtility.HtmlEncode(textToEncode)));
result.append_Line("------------------------");
result.append_Line("System.Web.HttpUtility.UrlEncode -> {0}".format(System.Web.HttpUtility.UrlEncode(textToEncode)));
result.append_Line("------------------------");
result.append_Line("Original string (unencoded) -> {0}".format(textToEncode));
result.append_Line("------------------------");
};
var testPayload = "abc 123 \" ' < > \n : ; ".line() + "After an Enter";
result.insert_Above<Panel>(20)
.add_LabelAndTextAndButton("Payload", testPayload, "convert", showEncodings);
showEncodings(testPayload);
//return AntiXss.HtmlEncode(payload);
//return "AntiXSSLibrary.dll".assembly().methods();
//using Microsoft.Security.Application
//O2Ref:AntiXSSLibrary.dll
O2 Script with Web Encoder and Decoder (with AntiXss Support)
A couple days ago I needed to do a number of Encodings/Decodings in sequence (Encoded Text -> UrlDecode -> UrlDecode-> HtmlDecode), and since there was no easy way to do that automatically with other tools, I wrote the “Util – Web Encoder (with AntiXss Support).h2″ script which looks like this:
Here is the method that runs the transformation (and show what is currently supported)
Func<string,string, string> applyTransformation =
(type, text)=>{
if (type.valid() && text.valid() )
{
switch(type)
{
case "none": break;
case "HtmlDecode": return text.htmlDecode();
case "HtmlEncode": return text.htmlEncode();
case "UrlDecode": return text.urlDecode();
case "UrlEncode": return text.urlEncode();
case "AntiXss.HtmlEncode": return Encoder.HtmlEncode(text);
case "AntiXss.UrlEncode": return Encoder.UrlEncode(text);
case "AntiXss.JavaScriptEncode": return Encoder.JavaScriptEncode(text);
case "AntiXss.CssEncode": return Encoder.CssEncode(text);
case "AntiXss.HtmlAttributeEncode": return Encoder.HtmlAttributeEncode(text);
case "AntiXss.HtmlFormUrlEncode": return Encoder.HtmlFormUrlEncode(text);
case "AntiXss.XmlAttributeEncode": return Encoder.XmlAttributeEncode(text);
case "AntiXss.XmlEncode": return Encoder.XmlEncode(text);
case "AntiXss.VisualBasicScriptEncode": return Encoder.VisualBasicScriptEncode(text);
case "AntiXss.LdapDistinguishedNameEncode": return Encoder.LdapDistinguishedNameEncode(text);
case "AntiXss.LdapFilterEncode": return Encoder.LdapFilterEncode(text);
case "Sanitizer.GetSafeHtml": return Sanitizer.GetSafeHtml(text);
case "Sanitizer.GetSafeHtmlFragment": return Sanitizer.GetSafeHtmlFragment(text);
default:
return text + " not supported: {0}".format(type);
}
}
return text;
};
This uses the latest version of the AntiXSS library, including the new HtmlSanitizationLibrary.dll which has the GetSafeHtml* methods and looks really powerful.
Here is the entire code of this script:
var topPanel = O2Gui.open<Panel>("Util - Web Encoder (with AntiXss Support)",1000,400);
//var topPanel = panel.clear().add_Panel();
var configPanel = topPanel.insert_Above(40,"Config");
var sourceText = topPanel.add_GroupBox("Source Text").add_SourceCodeViewer();
var transformedText = topPanel.insert_Right("Transformed Text").add_SourceCodeViewer();
var transformationsAvailable = new List<string> { "none",
"HtmlDecode", "HtmlEncode","UrlDecode", "UrlEncode",
"AntiXss.HtmlEncode", "AntiXss.UrlEncode", "AntiXss.JavaScriptEncode", "AntiXss.CssEncode",
"AntiXss.HtmlAttributeEncode", "AntiXss.HtmlFormUrlEncode", "AntiXss.XmlAttributeEncode", "AntiXss.XmlEncode",
"AntiXss.VisualBasicScriptEncode","AntiXss.LdapDistinguishedNameEncode", "AntiXss.LdapFilterEncode",
"Sanitizer.GetSafeHtml", "Sanitizer.GetSafeHtmlFragment"};
var transformMode_1 = "";
var transformMode_2 = "";
var transformMode_3 = "";
Func<string,string, string> applyTransformation =
(type, text)=>{
if (type.valid() && text.valid() )
{
switch(type)
{
case "none": break;
case "HtmlDecode": return text.htmlDecode();
case "HtmlEncode": return text.htmlEncode();
case "UrlDecode": return text.urlDecode();
case "UrlEncode": return text.urlEncode();
case "AntiXss.HtmlEncode": return Encoder.HtmlEncode(text);
case "AntiXss.UrlEncode": return Encoder.UrlEncode(text);
case "AntiXss.JavaScriptEncode": return Encoder.JavaScriptEncode(text);
case "AntiXss.CssEncode": return Encoder.CssEncode(text);
case "AntiXss.HtmlAttributeEncode": return Encoder.HtmlAttributeEncode(text);
case "AntiXss.HtmlFormUrlEncode": return Encoder.HtmlFormUrlEncode(text);
case "AntiXss.XmlAttributeEncode": return Encoder.XmlAttributeEncode(text);
case "AntiXss.XmlEncode": return Encoder.XmlEncode(text);
case "AntiXss.VisualBasicScriptEncode": return Encoder.VisualBasicScriptEncode(text);
case "AntiXss.LdapDistinguishedNameEncode": return Encoder.LdapDistinguishedNameEncode(text);
case "AntiXss.LdapFilterEncode": return Encoder.LdapFilterEncode(text);
case "Sanitizer.GetSafeHtml": return Sanitizer.GetSafeHtml(text);
case "Sanitizer.GetSafeHtmlFragment": return Sanitizer.GetSafeHtmlFragment(text);
default:
return text + " not supported: {0}".format(type);
}
}
return text;
};
Action applyTransformations =
()=>{
var originalText = sourceText.get_Text();
var result = applyTransformation(transformMode_1,originalText);
result = applyTransformation(transformMode_2, result);
result = applyTransformation(transformMode_3, result);
transformedText.set_Text(result);
};
sourceText.onTextChange(
(text)=>{
applyTransformations();
});
configPanel.add_Label("Color Code the text as").top(3)
.append_Control<ComboBox>().dropDownList().top(0)
.add_Items(".xml",".html",",cs")
.onSelection((value)=> {
transformedText.editor().setDocumentHighlightingStrategy(value.str());
sourceText.editor().setDocumentHighlightingStrategy(value.str());
})
.selectFirst()
.append_Label("Transform using:").top(3).autoSize()
.append_Control<ComboBox>().dropDownList().top(0).width(170).comboBoxHeight(250)
.add_Items(transformationsAvailable)
.onSelection<string>((value)=> { transformMode_1 = value; applyTransformations(); } )
.selectFirst()
.append_Label("and:").top(3).autoSize()
.append_Control<ComboBox>().dropDownList().top(0).width(170).comboBoxHeight(250)
.add_Items(transformationsAvailable)
.onSelection<string>((value)=> { transformMode_2 = value; applyTransformations(); } )
.append_Label("and:").top(3).autoSize()
.append_Control<ComboBox>().dropDownList().top(0).width(170).comboBoxHeight(250)
.add_Items(transformationsAvailable)
.onSelection<string>((value)=> { transformMode_3 = value; applyTransformations(); } )
;
sourceText.set_Text("this is a <b> test </b>");
return "done";
//using Microsoft.Security.Application
//O2Ref:AntiXSSLibrary.dll
//O2Ref:HtmlSanitizationLibrary.dll
About
The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews. O2 is designed to Automate Security Consultants Knowledge and Workflows and to Allow non-security experts to access and consume Security Knowledge.
O2 can also be a very powerful prototyping and fast-development tool for .NET. Most O2 APIs are written using a Fluent API design, and its core has been published as a separate project called FluentSharp (hosted at CodePlex)
Download
Windows ClickOnce Installer:
Mailing List
The best place to keep updated with the lastest news and developers it to subscribe to the OWASP O2 Platform Mailing list (you can read its archives here)
