XSSDetect Public Beta now Available!

re: XSSDetect Public Beta now Available!

JohnW — Tue, 23 Oct 2007 04:44:38 GMT

Can this be integrated into FXCop?

XSSDetect BETA now available!

Microsoft Application Threat Modeling Blog — Tue, 23 Oct 2007 08:25:36 GMT

I've talked about threat modeling being one part of the overall information security puzzle... there

¿Es tu código fiable ante ataques de XSS?

Be Geek My Friend — Tue, 23 Oct 2007 08:38:01 GMT

Las técnicas de XSS (Cross Site Scripting) son de las mas frecuentes junto con otras viejas amigas. Microsoft

XSSDetect BETA now available!

Noticias externas — Tue, 23 Oct 2007 08:40:17 GMT

I've talked about threat modeling being one part of the overall information security puzzle... there

re: XSSDetect Public Beta now Available!

Praveen — Tue, 23 Oct 2007 10:48:30 GMT

Good News anyway.

[ASP.NET] XSS Detect (beta)

biac のそれさえもおそらくは幸せな日々@nifty — Tue, 23 Oct 2007 10:58:53 GMT

MS ダウンロードセンターより。 XSS Detect Beta Code Analysis Tool Version: 1.0Date Published:

re: XSSDetect Public Beta now Available!

Ravikanth — Tue, 23 Oct 2007 11:32:20 GMT

I think this tool require prior installation of Visual Studio 2005. Do you have any plans to give this tool as seperate exe where one can run on any set of .aspx files. I think if you remove dependency more people tend to use the tools and also you can expect good feedback.

Fight Cross Site Scripting in your .NET Apps

Grumpy Security Guy — Tue, 23 Oct 2007 19:14:29 GMT

re: XSSDetect Public Beta now Available!

Brian Strelioff — Tue, 23 Oct 2007 19:34:58 GMT

Is "CAT .NET" different from FxCop, and if so is it currently available for evaluation or use?

re: XSSDetect Public Beta now Available!

Michael Teper — Tue, 23 Oct 2007 21:03:52 GMT

Will this work with VS 2008?

XSSDetect Public Beta now Available!

Reading a Hacker's Mind — Tue, 23 Oct 2007 21:07:26 GMT

XSSDetect is available for download now. It's tool which helps identify Cross Site Scripting Vulnerabilities

XSSDetect - Finn eventuella säkerhetshål

André Henriksson — Tue, 23 Oct 2007 22:20:03 GMT

En beta-version av ett nytt verktyg är släppt för att upptäcka om man eventuellt har några säkerhetshål

XSSDetect - Finn eventuella säkerhetshål

Noticias externas — Tue, 23 Oct 2007 23:02:43 GMT

En beta-version av ett nytt verktyg är släppt för att upptäcka om man eventuellt har några säkerhetshål

re: XSSDetect Public Beta now Available!

Gerard van der Land — Wed, 24 Oct 2007 01:38:13 GMT

On a 2 GB machine I got an OutOfMemoryException on several large solutions where I tried this tool. The tool also doesn't seem to detect XSS issues when <%= variable %> is used in an .aspx file. Can you give some info on exactly what methods of input and output the tool checks, it's capabilities and limitations?

re: XSSDetect Public Beta now Available!

Andreas — Wed, 24 Oct 2007 09:34:12 GMT

Great news, I was looking for something like that for a long time..

Some technical details on how XSSDetect does Dataflow Analysis

%41%43%45%20%54%65%61%6d — Wed, 24 Oct 2007 09:51:21 GMT

Hi, my name is Hassan Khan. I work for the ACE Engineering Team, which is a part of the ACE (Application

re: XSSDetect Public Beta now Available!

Steven — Wed, 24 Oct 2007 11:11:24 GMT

It would be great if this could be run from the command line line fxcop, then we could run XSS detection before deployment, just as a final check to ensure we've not overlooked anything.

re: XSSDetect Public Beta now Available!

Peter Gu — Wed, 24 Oct 2007 12:29:24 GMT

Some questions:

1. How about obfuscated assembly or IL module?

2.Can XSSDetect analysis the release build binary?

3.If I strip the debug information, can XSSDetct still get the possible insecure path?

Thanks

re: XSSDetect Public Beta now Available!

Robert Hurlbut — Wed, 24 Oct 2007 17:07:06 GMT

Thanks for the hard work on this tool! I get an "License missing or expired" error when I try to run the tool in VS 2005 Team System. Any clues?

re: XSSDetect Public Beta now Available!

Peter Gu — Wed, 24 Oct 2007 20:15:24 GMT

Some questions:

1. How about obfuscated assembly or IL module?

2.Can XSSDetect analysis the release build binary?

3.If I strip the debug information, can XSSDetct still get the possible insecure path?

Thanks

re: XSSDetect Public Beta now Available!

ACE Team — Wed, 24 Oct 2007 20:28:54 GMT

Hi Folks,

Please keep the questions coming! We're working on a FAQ blog post to answer all of the questions that are posted here.

Thanks,

ACE Team

re: XSSDetect Public Beta now Available!

richard_deeming — Wed, 24 Oct 2007 21:29:34 GMT

After installing the tool and clicking the button to start the analysis, it displays the error message "Licence missing or invalid", and does nothing else.

My Windows Vista Ultimate licence is valid. My Visual Studio 2005 Pro licence is valid. My system clock is correct, so it can't have expired already.

How can I obtain a licence to use this "free" tool???

re: XSSDetect Public Beta now Available!

richard_deeming — Wed, 24 Oct 2007 21:33:32 GMT

The only output from this tool is the error message, "License missing or expired". What license? Windows is licensed. Visual Studio 2005 Pro is licensed. What else do I have do buy to use this tool?

Download the XSSDetect Public Beta

.net DEvHammer — Wed, 24 Oct 2007 22:17:00 GMT

This is definitely one tool you should be trying if you're writing web apps with Visual Studio. Cross-site

re: XSSDetect Public Beta now Available!

ACE Team — Wed, 24 Oct 2007 22:20:05 GMT

Hi Richard,

The "License missing or expired" message is indicating that you are running VS without admin rights. Unfortunately, although XSSDetect doesn't require admin rights, the current version of VS API's apparently do. Please try re-running VS with admin privliges and try again. We'll cover in more detail in the FAQ post that's coming soon.

Thanks,

ACE Team

re: XSSDetect Public Beta now Available!

Robert Hurlbut — Wed, 24 Oct 2007 23:35:24 GMT

I wasn't sure what the problem was with the License missing, so I uninstalled the product and tried it on another OS (Win 2003 x86) and it worked fine. I then went back to try to re-install it on my Vista Business x64 and now I get an unexpected error 2869 -- problem with the package every time. What could be causing the problem with not being able to re-install the tool?

re: XSSDetect Public Beta now Available!

Peter Gu — Thu, 25 Oct 2007 05:52:58 GMT

Sorry.. I can't see the answer where is?

re: XSSDetect Public Beta now Available!

blowdart — Thu, 25 Oct 2007 12:09:56 GMT

Strange stuff; I wanted to run it over the Subtext code base; but I get out of memory errors very very quickly, despite the estimate in the Output Window of only needing 96Mb.

So what's the best way to generate some debugging feedback for you guys?

XSSDetect: Cross Site Scripting detection plug-in for Visual Studio 2005

Blake Niemyjski — Thu, 25 Oct 2007 18:28:19 GMT

The "Ace" team inside of Microsoft has kindly released a plug-in for Visual Studio called XSSDetect

XSSDetect

Wampiryczny blog — Thu, 25 Oct 2007 23:59:27 GMT

Jeśli ktoś tworzy aplikacje internetowe w technologii ASP.NET, powinien zapoznać się z narzędziem XSSDetect.

Command line

Andy — Fri, 26 Oct 2007 17:44:05 GMT

A command line interface would be valuable to allow us to include it in our build process.

re: XSSDetect Public Beta now Available!

jaxley — Fri, 26 Oct 2007 19:53:19 GMT

So, I emailed using the blog email form but haven't heard back. All XSSDetect seems good at doing for me is crashing VS 2005 sp1 every time I click analyze and no matter which assemblies (.net 2.0 or 1.1) I try to analyze. I get a TargetInvocation Exception.

I'm not using team system, just the regular VS 2005 from MSDN. And I even reinstalled VS 2005 from scratch without any change.

re: XSSDetect Public Beta now Available!

j.monty — Fri, 26 Oct 2007 21:21:50 GMT

Can XSSDetect be automated with ant/nant or with Team System?

This is important from a SDL/SALSA perspective...

XSSDetect : première beta publique de l'outil d'analyse statique disponible

CoqBlog — Sun, 28 Oct 2007 15:25:59 GMT

XSSDetect est un addin pour Visual Studio destiné à aider l'utilisateur à éliminer les problèmes d' XSS

Link to public beta of XSSDetect cross-site scripting code analysis plug-in for Visual Studio 2005

Aaron Stebner's WebLog — Mon, 29 Oct 2007 04:57:22 GMT

I ran across a few interesting posts on the Application Consulting and Engineering (ACE) team's blog

XSSDetect: Tool for finding Cross Site Scripting bugs

The What, Why and How of Software Security — Thu, 06 Dec 2007 10:13:33 GMT

About a month back, ACE Engineering released " XSSDetect ", a stripped down version of the "Code Analysis

XSSDetect: Tool for finding Cross Site Scripting bugs

Noticias externas — Thu, 06 Dec 2007 10:41:29 GMT

About a month back, ACE Engineering released " XSSDetect ", a stripped down version of the

SDL and Web 2.0

The Security Development Lifecycle — Fri, 29 Feb 2008 01:34:26 GMT

Hi everyone, Bryan Sullivan here. Unless you’ve been living in an ice cave on the polar cap for the last

SDL and the OWASP Top Ten

The Security Development Lifecycle — Thu, 01 May 2008 18:48:24 GMT

Hi everyone, Bryan here. I’m speaking at BlueHat today and tomorrow about some of my experiences as a