
XSSDetect Public Beta now Available!

One of the biggest and most persistent problems we've seen our enterprise customers deal with, and one we here at Microsoft also have to contend with, is the XSS (Cross Site Scripting) bug.  It's very common and, unfortunately, still an issue we have to deal with in many web applications.  Internally, the ACE Team has been working on several projects to help mitigate and fix these issues, as well as to detect them in the code bases we review so that they can be fixed before going live.

XSSDetect runs as a Visual Studio plug-in and can detect potential XSS issues in managed code. 

Here's a screenshot:

[Screenshot: XSSDetect]

While the functionality may seem straightforward, many years of research and hard work have gone into making XSSDetect a reality.  XSSDetect is a stripped-down version of our enterprise-ready Code Analysis Tool for .NET code bases (CAT.NET for short).  CAT.NET adds such features as VSTF integration, centralized reporting using web services, customized rulesets and filters, integration with FxCop and MSBuild, as well as the ability to run from the command line to integrate with your build processes (or if you're just old school and rock it like that ;)

XSSDetect is currently in beta so we welcome your feedback!  This current version of the beta will expire after 60 days.  To send us your feedback, we encourage you to leave comments below or contact us via the 'Email' link above. 

Click here to DOWNLOAD now!


Posted: Monday, October 22, 2007 4:38 PM by ACE Team

Comments

JohnW said:

Can this be integrated into FXCop?

# October 22, 2007 9:44 PM

Microsoft Application Threat Modeling Blog said:

I've talked about threat modeling being one part of the overall information security puzzle... there

# October 23, 2007 1:25 AM

Be Geek My Friend said:

XSS (Cross Site Scripting) techniques are among the most frequent, along with other old friends. Microsoft

# October 23, 2007 1:38 AM


Praveen said:

Good News anyway.

# October 23, 2007 3:48 AM

biac の それさえもおそらくは幸せな日々@nifty said:

From the MS Download Center. XSS Detect Beta Code Analysis Tool Version: 1.0 Date Published:

# October 23, 2007 3:58 AM

Ravikanth said:

I think this tool requires prior installation of Visual Studio 2005. Do you have any plans to give this tool as a separate exe that one can run on any set of .aspx files? I think if you remove the dependency more people will tend to use the tool and you can also expect good feedback.

# October 23, 2007 4:32 AM

Grumpy Security Guy said:

# October 23, 2007 12:14 PM

Brian Strelioff said:

Is "CAT .NET" different from FxCop, and if so is it currently available for evaluation or use?

# October 23, 2007 12:34 PM

Michael Teper said:

Will this work with VS 2008?

# October 23, 2007 2:03 PM

Reading a Hacker's Mind said:

XSSDetect is available for download now. It's tool which helps identify Cross Site Scripting Vulnerabilities

# October 23, 2007 2:07 PM

André Henriksson said:

A beta version of a new tool has been released to detect whether you might have any security holes

# October 23, 2007 3:20 PM


Gerard van der Land said:

On a 2 GB machine I got an OutOfMemoryException on several large solutions where I tried this tool. The tool also doesn't seem to detect XSS issues when <%= variable %> is used in an .aspx file. Can you give some info on exactly what methods of input and output the tool checks, its capabilities and limitations?

# October 23, 2007 6:38 PM
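The `<%= variable %>` question above comes down to the same managed-code flow a static XSS analyzer reasons about: untrusted data from the Request object reaching the response without encoding. The following ASP.NET 2.0 code-behind is an added illustration, not code from the post or from XSSDetect/CAT.NET, and the page class and query-string parameter name are assumed; it places the unencoded flow beside its encoded form.

```csharp
// Added illustration (not from the post or from XSSDetect/CAT.NET).
// In ASP.NET an inline <%= expr %> in the .aspx compiles to a Write(expr) call
// in the generated page class, so it is the same source-to-sink flow as an
// explicit Response.Write in code-behind; what differs is only which sinks a
// tool has been taught to recognise.
using System;
using System.Web;
using System.Web.UI;

public partial class SearchPage : Page   // assumed page class name
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Source: a query-string value the browser (and so an attacker) controls.
        string term = Request.QueryString["q"];   // assumed parameter name

        // VULNERABLE: tainted input concatenated straight into the HTML response.
        // Markup equivalent: <p>Results for <%= Request.QueryString["q"] %></p>
        Response.Write("<p>Results for " + term + "</p>");

        // HARDENED: encode for the HTML context at the sink. HtmlEncode turns
        // <, >, &, " into entities, so any markup in the input renders as text.
        Response.Write("<p>Results for " + HttpUtility.HtmlEncode(term) + "</p>");

        // A URL context needs a different encoder; the right one depends on
        // where the data lands, which is why a tool must model sinks precisely.
        Response.Write("<a href=\"/search?q=" + HttpUtility.UrlEncode(term)
                       + "\">search again</a>");
    }
}
```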

Andreas said:

Great news, I was looking for something like that for a long time..

# October 24, 2007 2:34 AM

%41%43%45%20%54%65%61%6d said:

Hi, my name is Hassan Khan. I work for the ACE Engineering Team, which is a part of the ACE (Application

# October 24, 2007 2:51 AM

Steven said:

It would be great if this could be run from the command line like FxCop; then we could run XSS detection before deployment, just as a final check to ensure we've not overlooked anything.

# October 24, 2007 4:11 AM

Peter Gu said:

Some questions:

1. How about an obfuscated assembly or IL module?

2. Can XSSDetect analyze the release build binary?

3. If I strip the debug information, can XSSDetect still get the possible insecure path?

Thanks

# October 24, 2007 5:29 AM

Robert Hurlbut said:

Thanks for the hard work on this tool! I get a "License missing or expired" error when I try to run the tool in VS 2005 Team System. Any clues?

# October 24, 2007 10:07 AM


ACE Team said:

Hi Folks,

Please keep the questions coming!  We're working on a FAQ blog post to answer all of the questions that are posted here.

Thanks,

ACE Team

# October 24, 2007 1:28 PM

richard_deeming said:

After installing the tool and clicking the button to start the analysis, it displays the error message "Licence missing or invalid", and does nothing else.

My Windows Vista Ultimate licence is valid. My Visual Studio 2005 Pro licence is valid. My system clock is correct, so it can't have expired already.

How can I obtain a licence to use this "free" tool???

# October 24, 2007 2:29 PM

richard_deeming said:

The only output from this tool is the error message, "License missing or expired". What license? Windows is licensed. Visual Studio 2005 Pro is licensed. What else do I have do buy to use this tool?

# October 24, 2007 2:33 PM

.net DEvHammer said:

This is definitely one tool you should be trying if you're writing web apps with Visual Studio. Cross-site

# October 24, 2007 3:17 PM

ACE Team said:

Hi Richard,

The "License missing or expired" message indicates that you are running VS without admin rights.  Unfortunately, although XSSDetect doesn't require admin rights, the current version of the VS APIs apparently does.  Please re-run VS with admin privileges and try again.  We'll cover this in more detail in the FAQ post that's coming soon.

Thanks,

ACE Team

# October 24, 2007 3:20 PM

Robert Hurlbut said:

I wasn't sure what the problem was with the License missing, so I uninstalled the product and tried it on another OS (Win 2003 x86) and it worked fine. I then went back to try to re-install it on my Vista Business x64 and now I get an unexpected error 2869 -- problem with the package every time. What could be causing the problem with not being able to re-install the tool?

# October 24, 2007 4:35 PM

Peter Gu said:

Sorry.. I can't see the answer, where is it?

# October 24, 2007 10:52 PM

blowdart said:

Strange stuff; I wanted to run it over the Subtext code base; but I get out of memory errors very very quickly, despite the estimate in the Output Window of only needing 96Mb.

So what's the best way to generate some debugging feedback for you guys?

# October 25, 2007 5:09 AM

Blake Niemyjski said:

The "Ace" team inside of Microsoft has kindly released a plug-in for Visual Studio called XSSDetect

# October 25, 2007 11:28 AM

Wampiryczny blog said:

If anyone develops web applications in ASP.NET, they should take a look at the XSSDetect tool.

# October 25, 2007 4:59 PM

Andy said:

A command line interface would be valuable to allow us to include it in our build process.

# October 26, 2007 10:44 AM

jaxley said:

So, I emailed using the blog email form but haven't heard back.  All XSSDetect seems good at doing for me is crashing VS 2005 sp1 every time I click analyze and no matter which assemblies (.net 2.0 or 1.1) I try to analyze.  I get a TargetInvocation Exception.

I'm not using team system, just the regular VS 2005 from MSDN.  And I even reinstalled VS 2005 from scratch without any change.

# October 26, 2007 12:53 PM

j.monty said:

Can XSSDetect be automated with ant/nant or with Team System?

This is important from a SDL/SALSA perspective...

# October 26, 2007 2:21 PM

CoqBlog said:

XSSDetect is a Visual Studio add-in intended to help the user eliminate XSS problems

# October 28, 2007 8:25 AM

Aaron Stebner's WebLog said:

I ran across a few interesting posts on the Application Consulting and Engineering (ACE) team's blog

# October 28, 2007 9:57 PM

The What, Why and How of Software Security said:

About a month back, ACE Engineering released " XSSDetect ", a stripped down version of the "Code Analysis

# December 6, 2007 2:13 AM


The Security Development Lifecycle said:

Hi everyone, Bryan Sullivan here. Unless you’ve been living in an ice cave on the polar cap for the last

# February 28, 2008 5:34 PM

The Security Development Lifecycle said:

Hi everyone, Bryan here. I’m speaking at BlueHat today and tomorrow about some of my experiences as a

# May 1, 2008 11:48 AM