I'm looking for an example of an XSS vulnerability that would be stopped just by using the AntiXSS Encoder 4.1 Beta as the runtime encoder (setting in system.web/httpRuntime). I would prefer something that doesn't require any explicit calls to AntiXss functions such as:

    @AntiXss.JavaScriptEncode(ViewBag.UserName)

I'm thinking something that would get by the ASP.NET blacklist but wouldn't make it through the AntiXSS whitelist, maybe something to do with alternate character sets or encoding?
I've tested UTF-7 vulnerabilities, but don't see any that seem to affect modern browsers.
There aren't any. Well, that's not entirely true, there aren't any that run on modern browsers.
The reason the SDL requires it is that using a safe list is inherently more secure - so if suddenly someone discovers a character that is problematic it may be already encoded (depending on the safe lists you configure).
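
The safe-list argument in the answer above, as an added example that is not part of the original posts and is not AntiXSS or ASP.NET code: two simplified encoders run over the same input, showing that a character missing from a deny list passes through untouched while a safe list encodes it without having to know about it. Both encoders, the contents of the safe list, and the sample strings are assumptions made for illustration.

```csharp
using System;
using System.Text;

static class EncoderComparison
{
    // Deny list: only characters already known to be dangerous are encoded.
    static string DenyListEncode(string input)
    {
        return input.Replace("&", "&amp;").Replace("<", "&lt;").Replace(">", "&gt;")
                    .Replace("\"", "&quot;").Replace("'", "&#39;");
    }

    // Safe list (assumed for this sketch): ASCII letters, digits and " ,.-_".
    static bool IsSafe(char c)
    {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
               (c >= '0' && c <= '9') || " ,.-_".IndexOf(c) >= 0;
    }

    // Safe list: every character NOT on the list is encoded, known-bad or not.
    static string SafeListEncode(string input)
    {
        var sb = new StringBuilder();
        for (int i = 0; i < input.Length; i++)
        {
            if (IsSafe(input[i])) { sb.Append(input[i]); continue; }
            // Encode by code point so a surrogate pair becomes one entity.
            int cp = char.IsSurrogatePair(input, i)
                ? char.ConvertToUtf32(input, i++)
                : input[i];
            sb.Append("&#").Append(cp).Append(';');
        }
        return sb.ToString();
    }

    static void Main()
    {
        // Constructed samples. U+FF1C and U+FF1E stand in for characters that are
        // "suddenly discovered" to be problematic; the page itself names none.
        string[] samples = { "Alice", "<b>Alice</b>", "\uFF1Cb\uFF1EAlice" };
        foreach (string s in samples)
            Console.WriteLine("{0}\n  deny list: {1}\n  safe list: {2}",
                              s, DenyListEncode(s), SafeListEncode(s));
    }
}
```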