Microsoft ships free tool to swat cross-site scripting bugs

Summary: Microsoft's Application Consulting & Engineering (ACE Team) has shipped XSSDetect, a free Visual Studio plug-in capable of flagging potential cross-site scripting issues in managed code. The tool, currently available as a beta download, is styled as a stripped-down version of Microsoft's Code Analysis Tool for .NET code bases (CAT.NET).

Microsoft's Application Consulting & Engineering (ACE Team) has shipped XSSDetect, a free Visual Studio plug-in capable of flagging potential cross-site scripting issues in managed code.

The tool, currently available as a beta download, is styled as a stripped-down version of Microsoft's Code Analysis Tool for .NET code bases (CAT.NET).

XSSDetect performs static code analysis to find possible cross-site scripting vulnerabilities in Web applications. It scans compiled managed assemblies (C#, Visual Basic .NET, J#) and traces dataflow paths from sources of user-controlled input to dangerous output sinks. It also checks whether recognised encoding or filtering has been applied to the data along the way and ignores such "sanitized" paths, so only flows that reach a sink unencoded are reported.

Hassan Khan, a member of Redmond's ACE team, explains:

XSSDetect analyzes .NET Intermediate Language (IL) read directly from the compiled binaries. It takes apart all assemblies, modules, classes and methods down to each instruction. It then identifies statements where untrusted user data enters the application and where dangerous methods are called. These form the two sets of statements (sources and sinks) between which XSSDetect then finds dataflow paths. This is the same algorithm that is employed when an application is code reviewed manually by an experienced security analyst.
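The source-to-sink analysis Khan describes, reduced to a runnable sketch. This is an added illustration written for this page, not XSSDetect's or Microsoft's code: it models a method body as a list of straight-line assignment statements (a stand-in for the IL the tool disassembles), marks values returned by source methods as tainted, propagates taint through ordinary calls, drops it at recognised encoders, and reports every path that reaches a sink untouched. The source, sink and sanitizer method names are hypothetical stand-ins for .NET APIs; the real lists the tool ships with are not described in the article, and branches, loops and cross-method calls are deliberately out of scope.

```python
"""Toy source-to-sink taint analysis in the style XSSDetect is described as using.

Added illustration, not XSSDetect's code.  A method body is modelled as a
list of straight-line assignment statements (a stand-in for the IL the
tool reads); the analysis reports every dataflow path from a
user-controlled source to a dangerous output sink that is not broken by a
recognised encoding call.  Branches, loops and calls into other methods
are deliberately out of scope.
"""
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical stand-ins for .NET APIs; the real lists the tool ships with
# are not described on the page.
SOURCES = {"Request.QueryString", "Request.Form", "Request.Cookies"}
SINKS = {"Response.Write", "Literal.Text.set"}
SANITIZERS = {"HttpUtility.HtmlEncode", "HttpUtility.UrlEncode"}

# (destination variable or None, called method, argument variables)
Stmt = Tuple[Optional[str], str, List[str]]
Path = Tuple[int, ...]  # statement indices, source first, sink last


def find_xss_paths(body: List[Stmt]) -> List[Path]:
    """Return every source->sink path that never passes through a sanitizer."""
    tainted: Dict[str, Set[Path]] = {}
    findings: List[Path] = []
    for idx, (dest, call, args) in enumerate(body):
        if call in SINKS:
            for arg in args:
                for path in sorted(tainted.get(arg, ())):
                    findings.append(path + (idx,))
            continue
        if dest is None:
            continue  # result discarded; nothing to track
        if call in SOURCES:
            tainted[dest] = {(idx,)}
        elif call in SANITIZERS:
            tainted[dest] = set()  # encoded output is trusted: path dropped
        else:
            # Any other call propagates taint from all of its arguments.
            # Assigning a value with no tainted arguments clears the variable.
            tainted[dest] = {p + (idx,) for a in args for p in tainted.get(a, ())}
    return findings


def describe(body: List[Stmt], path: Path) -> str:
    """Render a finding as the chain of calls the data flowed through."""
    return " -> ".join(f"[{i}] {body[i][1]}" for i in path)


# Constructed sample bodies, roughly: string name = Request.QueryString["name"];
# ... Response.Write("Hello, " + name);
VULNERABLE: List[Stmt] = [
    ("name", "Request.QueryString", []),
    ("greeting", "String.Concat", ["name"]),
    (None, "Response.Write", ["greeting"]),
]
# Same page with the value HTML-encoded before it reaches the sink.
FIXED: List[Stmt] = [
    ("name", "Request.QueryString", []),
    ("safe", "HttpUtility.HtmlEncode", ["name"]),
    ("greeting", "String.Concat", ["safe"]),
    (None, "Response.Write", ["greeting"]),
]
# Two inputs concatenated; only one of them is encoded, so one path survives.
MIXED: List[Stmt] = [
    ("name", "Request.QueryString", []),
    ("comment", "Request.Form", []),
    ("safe", "HttpUtility.HtmlEncode", ["name"]),
    ("page", "String.Concat", ["safe", "comment"]),
    (None, "Response.Write", ["page"]),
]
# Tainted variable overwritten with a constant before the sink: no finding.
OVERWRITTEN: List[Stmt] = [
    ("x", "Request.QueryString", []),
    ("x", "String.Empty", []),
    (None, "Response.Write", ["x"]),
]

if __name__ == "__main__":
    for label, body in [("vulnerable", VULNERABLE), ("fixed", FIXED),
                        ("mixed", MIXED), ("overwritten", OVERWRITTEN)]:
        paths = find_xss_paths(body)
        print(f"{label}: {len(paths)} unsanitized path(s)")
        for p in paths:
            print("   ", describe(body, p))
```

The MIXED body is the case worth noticing: encoding one of two concatenated inputs does not make the page safe, and a path-based analysis reports the surviving flow from the unencoded one. The flip side of "ignore sanitized paths" is that the analysis only trusts encoders it knows about; a home-grown filter that is not on the sanitizer list will still be reported, and one that is on the list is trusted whether or not it is correct for the output context.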

Topics: Microsoft, Software Development

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...