JavaScript hijacking research and how the ASP.NET Ajax framework prevents such XSS exploits

I highly recommend reading the JavaScript hijacking research paper written by Fortify Software (http://www.fortifysoftware.com).
Scott Guthrie (General Manager within the Microsoft Developer Division) also describes in his latest blog post how the ATLAS framework prevents such attacks.

Quick summary of his post:

  • ASP.NET Ajax web services by default refuse to be called via HTTP GET. You can turn off this check for a method with the attribute [ScriptMethod(UseHttpGet=true)].
  • The ASP.NET Ajax framework also validates the request content type, requiring:
    Content-Type: application/json; charset=utf-8
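
As an added illustration (not code from the ASP.NET Ajax framework or from Scott Guthrie's post), the following Python sketch models the two checks summarised above: the `Request` type and the `allow_json_call` function are my own constructions, and the `use_http_get` flag stands in for the `UseHttpGet` attribute setting.

```python
"""Models the two defences described above: a JSON web-service method
refuses HTTP GET unless it opted in via UseHttpGet, and it requires the
caller to declare Content-Type: application/json, which a <script src>
tag or a cross-site <form> cannot do."""
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal constructed stand-in for an incoming HTTP request."""
    method: str
    headers: dict = field(default_factory=dict)


def allow_json_call(req: Request, use_http_get: bool = False) -> tuple:
    """Return (allowed, reason) for a call to a JSON web-service method.

    use_http_get mirrors [ScriptMethod(UseHttpGet=true)]: only when the
    developer sets it does a GET get past the first check.
    """
    method = req.method.upper()
    if method == "GET" and not use_http_get:
        # A <script src="..."> on a third-party page can only issue GET,
        # so refusing GET stops the JSON response being loaded as script.
        return False, "GET not permitted for this method"
    if method not in ("GET", "POST"):
        return False, f"method {method} not permitted"
    # Header names are case-insensitive; normalise before comparing.
    ctype = next((v for k, v in req.headers.items()
                  if k.lower() == "content-type"), "")
    mime = ctype.split(";", 1)[0].strip().lower()
    if mime != "application/json":
        # Browsers never send this header for <script> loads or plain
        # <form> posts; only the page's own XMLHttpRequest calls set it.
        return False, f"unexpected Content-Type {ctype!r}"
    return True, "ok"


# Constructed sample requests (not captured traffic).
XHR_POST = Request("POST", {"Content-Type": "application/json; charset=utf-8"})
SCRIPT_TAG_GET = Request("GET", {})  # what a <script src=...> load looks like
CROSS_SITE_FORM = Request("POST", {"Content-Type": "application/x-www-form-urlencoded"})

if __name__ == "__main__":
    for name, req in [("xhr", XHR_POST), ("script tag", SCRIPT_TAG_GET),
                      ("form post", CROSS_SITE_FORM)]:
        print(f"{name:10} -> {allow_json_call(req)}")
```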

Once more I would like to mention that every ASP.NET developer should start using the Microsoft Anti-Cross Site Scripting Library V1.5 to avoid common XSS security holes in their web applications.