Microsoft ships free tool to swat cross-site scripting bugs




Microsoft's Application Consulting & Engineering (ACE Team) has shipped XSSDetect, a free Visual Studio plug-in capable of flagging potential cross-site scripting issues in managed code.

The tool, currently available as a beta download, is styled as a stripped-down version of Microsoft's Code Analysis Tool for .NET code bases (CAT.NET).


XSSDetect does static code analysis to find possible cross-site scripting vulnerabilities within Web applications. It is able to scan compiled managed assemblies (C#, Visual Basic .NET, J#) and analyze dataflow paths from sources of user-controlled input to vulnerable outputs. It also detects whether proper encoding or filtering has been applied to the data and will ignore such "sanitized" paths.

Hassan Khan, a member of Redmond's ACE team, explains:

XSSDetect analyzes .NET Intermediate Language (IL) read directly from the compiled binaries. It takes apart all assemblies, modules, classes and methods down to each instruction. It then identifies statements where untrusted user data enters the application and where dangerous methods are called. These form the two sets of statements (sources and sinks) between which XSSDetect then finds dataflow paths. This is the same algorithm that is employed when an application is code reviewed manually by an experienced security analyst.
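The source-to-sink search Khan describes, as an added example that is not XSSDetect's or Microsoft's code: a toy intraprocedural taint analysis in Python over an invented three-address form of the kind a decompiled page handler might reduce to. The statement format, the constructed sample handler, and the sets of source, sink and sanitizer method names are this example's own choices (the .NET member names are real, but the lists are illustrative, not the tool's). Real XSSDetect reads compiled IL and follows flows across methods, which this does not.

```python
"""Toy source-to-sink taint analysis, in the style the article describes.

Added example, not XSSDetect's or Microsoft's code.  A method is modelled
as a list of three-address statements over an invented mini-IR:
    dest = callee(args)
where args are variable names or quoted string literals.  The source, sink
and sanitizer lists below are illustrative choices for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Path = Tuple[int, ...]   # statement lines a value flowed through, source first

# Methods whose return value is untrusted user input (taint sources).
SOURCES = {
    "Request.QueryString.get_Item",
    "Request.Form.get_Item",
    "Request.Cookies.get_Item",
}
# Methods whose argument is written into the HTTP response (taint sinks).
SINKS = {"Response.Write", "Label.set_Text", "Literal.set_Text"}
# Methods that encode HTML metacharacters; data passing through them is clean.
SANITIZERS = {
    "HttpUtility.HtmlEncode",
    "HttpUtility.HtmlAttributeEncode",
    "HttpUtility.UrlEncode",
}


@dataclass(frozen=True)
class Stmt:
    """One statement: dest = callee(*args); dest is None for a call with no result."""
    line: int
    dest: Optional[str]
    callee: str
    args: Tuple[str, ...]


def analyze(method: List[Stmt]) -> Tuple[List[Path], List[Path]]:
    """Walk the statements once in order, tracking which variables hold
    user-controlled data.  Returns (findings, sanitized): findings are
    source->sink paths that reach a sink unencoded; sanitized are
    source->sanitizer paths that the analysis then ignores."""
    taint: Dict[str, List[Path]] = {}   # variable -> paths of tainted data it holds
    findings: List[Path] = []
    sanitized: List[Path] = []

    for s in method:
        # Taint arriving through the arguments (literals never appear in `taint`).
        incoming = [p for a in s.args for p in taint.get(a, [])]

        if s.callee in SOURCES:
            outgoing = [(s.line,)]                        # a new taint origin
        elif s.callee in SANITIZERS:
            sanitized.extend(p + (s.line,) for p in incoming)
            outgoing = []                                 # encoded: no longer an XSS vector
        elif s.callee in SINKS:
            findings.extend(p + (s.line,) for p in incoming)
            outgoing = []
        else:
            # Copies, concatenation and any other method propagate taint
            # unchanged: ToUpper/Trim/Substring are not encoding.
            outgoing = [p + (s.line,) for p in incoming]

        if s.dest is not None:
            taint[s.dest] = outgoing   # redefinition kills the old value's taint

    return findings, sanitized


def describe(path: Path, method: List[Stmt]) -> str:
    """Render a path as 'line N callee -> line M callee -> ...'."""
    by_line = {s.line: s for s in method}
    return " -> ".join(f"line {n} {by_line[n].callee}" for n in path)


# Constructed sample handler (not from any real application), roughly what
#   string name = Request.QueryString["name"]; Response.Write("Hello, " + name); ...
# reduces to in three-address form.
SAMPLE_PAGE = [
    Stmt(1, "name",     "Request.QueryString.get_Item", ('"name"',)),
    Stmt(2, "greeting", "String.Concat",   ('"Hello, "', "name")),
    Stmt(3, None,       "Response.Write",  ("greeting",)),          # unencoded -> finding
    Stmt(4, "safe",     "HttpUtility.HtmlEncode", ("name",)),
    Stmt(5, None,       "Label.set_Text",  ("safe",)),              # encoded -> ignored
    Stmt(6, "upper",    "String.ToUpper",  ("name",)),
    Stmt(7, None,       "Response.Write",  ("upper",)),             # ToUpper is not encoding -> finding
    Stmt(8, None,       "Response.Write",  ('"<br/>"',)),           # constant -> nothing
    Stmt(9, "name",     "HttpUtility.HtmlEncode", ("name",)),       # name is now clean
    Stmt(10, None,      "Response.Write",  ("name",)),              # ignored
]

if __name__ == "__main__":
    found, ignored = analyze(SAMPLE_PAGE)
    for p in found:
        print("XSS:", describe(p, SAMPLE_PAGE))
    for p in ignored:
        print("sanitized (ignored):", describe(p, SAMPLE_PAGE))
```

Two behaviours are worth noting: a call the analysis does not recognise (String.ToUpper) keeps the data tainted, so case changes or trimming never count as encoding, and reassigning a variable to a sanitizer's result clears its taint for later uses. A real tool also has to match the sanitizer to the sink's context (HtmlEncode for HTML body text, HtmlAttributeEncode inside attributes, a JavaScript encoder inside script), which this toy does not model.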



Talkback

18 comments
  • THIS IS SOME SORT OF A SCRIPT INTERPRETER

    So---a dll is somehow written or constructed then rendered and you want to see its function(s) from a particular perspective. This Dynamic Link Library can contain the script or assembly commands to maximize a page and is contained in one file. With this script interpreter I can see all of the mouse or keystroke steps necessary to bring this about. So I type in assembly commands or I record mouse moves. For my maximize dll I recorded the drag increase in size for my page. I can have the script play--play back real fast too. If I ever need to maximize a page I just use this dll.
    BALTHOR
  • MODULE EDITING

    It is possible to see the program from the module assembly level with a module editor. This editor would show the various function sections as module boxes connected with IO lines. I could connect many dll modules to make an even more complex dll. Some modules are for bmp's, some are for audio, and I construct a mp3 player. If you think of file zipping you see 20mb compressed into 2 mb. Quite a lot of stuff can be put into a program with file compression. In the end I see even multiplexing a video on to a one bit glueball.
    BALTHOR
  • Is this a scripting scripting bug? (nt)

    (nt)
    jimbo2
  • Ryan....

    ...how does this help non-Visual Studio users to avoid Cross-Site-Scripting exploits?

    Again users should either turn off JavaScript in IE or use Firefox with NoScript. NoScript stops CSS exploits.

    Please clarify Thanks.
    D T Schmitz
    • I don't think it does, it's designed to help VS customers

      I don't think it does, it's designed to help VS customers.
      georgeou
    • If I read the article correctly...

      ... and IANAP, this tool is meant for developers, not end users.

      It is to prevent exactly the type of exploit from being included in coding that NoScript blocks.

      Then again, IANAP.
      Confused by religion
      • Thanks George

        nt
        D T Schmitz
        • I assume you meant Milly Staples.

          George Ou didn't comment in here.
          Grayson Peddie
      • There's something 'screwy' going on with this blog

        First I saw George Ou's name link to Milly's comment.
        Now when I click on Grayson Peddie's comment I get this message:

        "An unexpected failure has occurred.
        It has been logged and will be addressed by support.
        We apologize for any inconvenience this may cause."

        Anybody else having this problem?

        (Thanks George, and Milly, just in case)
        D T Schmitz
        • Not a problem...

          ... my brother's name is George (not Ou). Close enough for horseshoes.
          Confused by religion
    • Apparently it doesn't..

      other than you might expect more secure Visual Studio produced web applications in the future.
      The requirements for the tool are XP or Vista, VS 2005 and .NET 2.0.
      xuniL_z
  • XSS Detect Code Analysis will be of interest to me.

    It's great to be able to take steps to minimize XSS in a website I plan to develop (but still developing my own home automation website for controlling lights and scenes).

    Thanks for letting me know about the XSS Code Detect Analysis tool.
    Grayson Peddie
  • Firefox and the NOSCRIPT extension have protected me...

    Firefox and the NOSCRIPT extension have protected me from cross-site scripting for a year now.

    Microsoft. The largest software company in the world BY FAR! Customers paid it over a quarter trillion dollars since 2001. Yet, they are playing catch-up with open source. Again.

    :^0 :^0 :^0

    Perhaps new and sane leadership might help? Just a thought...
    http://www.youtube.com/watch?v=8zEQhhaJsU4
    TechExec2
    • Umm...

      ...this isn't the same as using NOSCRIPT in Firefox. This is a tool for developers to find and (presumably) eliminate the code that allows such flaws. If the code is fixed, there is no need for NOSCRIPT.

      In other words, this treats the underlying disease, not the symptoms.

      Carl Rapson
      rapson
      • You are such an M$ $hill!!

        Didn't you know that M$ forces Windows users to use Visual Studio.NET to surf the Internet? Therefore, this Visual Studio.NET plug in is exactly the same as Firefox's NoScript. Well, at least to people like TechExec2 who have perfect reading comprehension.

        Stop being such an M$ $hill. If anyone says anything negative about M$, it must be true, okay? ;)
        NonZealot
        • My fault

          I keep forgetting the rules of the game. :)

          Carl Rapson
          rapson
  • I'm investing in salt stock

    The grains of salt needed to go along with
    anything Microsoft ships is getting bigger
    and bigger.

    Sell Microsoft! Buy Salt! Good advice!
    Ole Man