Microsoft's Application Consulting & Engineering (ACE Team) has shipped XSSDetect, a free Visual Studio plug-in capable of flagging potential cross-site scripting issues in managed code.
The tool, currently available as a beta download, is styled as a stripped-down version of Microsoft's Code Analysis Tool for .NET code bases (CAT.NET).
XSSDetect performs static analysis to find possible cross-site scripting vulnerabilities in web applications. It scans compiled managed assemblies (C#, Visual Basic .NET, J#) and traces dataflow paths from sources of user-controlled input to vulnerable outputs (sinks). It also checks whether proper encoding or filtering has been applied along the way and ignores such "sanitized" paths.
Hassan Khan, a member of Redmond's ACE team, explains:
XSSDetect analyzes .NET Intermediate Language (IL) read directly from the compiled binaries. It takes apart all assemblies, modules, classes and methods down to each instruction. It then identifies statements where untrusted user data enters the application and where dangerous methods are called. These form the two sets of statements (sources and sinks) between which XSSDetect then finds dataflow paths. This is the same algorithm that is employed when an application is code reviewed manually by an experienced security analyst.
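The source-to-sink dataflow described above, as an added worked example that is not XSSDetect's code or the article's: a toy analysis in Python over a tiny three-address statement list standing in for .NET IL. The source, sink and sanitizer names (Request.QueryString, Response.Write, HttpUtility.HtmlEncode and so on) are assumptions flavoured after ASP.NET APIs, and the three programs it runs over are constructed for the example.

```python
"""Toy source-to-sink dataflow analysis, modelled on the approach the
article describes for XSSDetect. Added example, not the tool's code: it
works over a small three-address statement list rather than .NET IL, and
the source/sink/sanitizer names are assumptions after ASP.NET APIs."""

# Sources: calls whose result is attacker-controlled.
SOURCES = {"Request.QueryString", "Request.Form", "Request.Cookies"}
# Sinks: calls whose argument ends up in the HTML response unchanged.
SINKS = {"Response.Write", "Literal.Text"}
# Sanitizers: calls whose result is safe to write into an HTML text context.
SANITIZERS = {"HttpUtility.HtmlEncode", "AntiXss.HtmlEncode"}


def analyze(statements):
    """Report unsanitized flows from a source to a sink.

    Each statement is (target, callee, args), meaning target = callee(args);
    callee None is a plain copy or concatenation, target None is a call
    whose result is discarded. Returns a list of (source_var, sink, path),
    where path is the chain of variables the taint travelled through.
    """
    taint = {}      # variable -> (variable that read the source, path so far)
    findings = []
    for target, callee, args in statements:
        if callee in SOURCES:
            # New taint enters here; the target variable is the origin.
            taint[target] = (target, [target])
            continue
        if callee in SANITIZERS:
            # Encoding neutralises the data for this context, so the
            # result is clean even if its input was tainted.
            taint.pop(target, None)
            continue
        tainted = [a for a in args if a in taint]
        if callee in SINKS:
            for a in tainted:
                origin, path = taint[a]
                findings.append((origin, callee, path + [callee]))
            continue
        if tainted:
            # Copies and concatenations propagate taint (first tainted
            # operand wins here; a real tool tracks every operand).
            origin, path = taint[tainted[0]]
            taint[target] = (origin, path + [target])
        elif target is not None:
            # Reassignment from clean data kills earlier taint.
            taint.pop(target, None)
    return findings


# Constructed straight-line programs standing in for compiled page code.
VULNERABLE = [
    ("name", "Request.QueryString", ["'name'"]),     # source
    ("greeting", None, ["'Hello '", "name"]),         # concat carries taint
    (None, "Response.Write", ["greeting"]),           # sink reached unencoded
]

FIXED = [
    ("name", "Request.QueryString", ["'name'"]),
    ("safe", "HttpUtility.HtmlEncode", ["name"]),     # sanitizer cuts the path
    ("greeting", None, ["'Hello '", "safe"]),
    (None, "Response.Write", ["greeting"]),
]

PARTIAL = [
    ("name", "Request.QueryString", ["'name'"]),
    ("safe", "HttpUtility.HtmlEncode", ["name"]),
    (None, "Response.Write", ["safe"]),               # encoded copy: fine
    (None, "Response.Write", ["name"]),               # raw copy still flows
]

if __name__ == "__main__":
    for label, prog in (("vulnerable", VULNERABLE), ("fixed", FIXED),
                        ("partial", PARTIAL)):
        print(label, analyze(prog))
```

The PARTIAL program is the case worth checking for in any such tool's output: encoding one copy of the input does not clean the original variable, so the second write is still flagged. The toy also treats an HTML encoder as sufficient for every sink; in practice the encoder has to match the output context, and data written into a JavaScript block or an attribute value needs context-appropriate encoding rather than plain HTML encoding.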