One of the biggest, constant problems we've seen our enterprise customers deal with, and one we here at Microsoft also have to contend with, is the XSS (Cross-Site Scripting) bug. It's very common and, unfortunately, still an issue in many web applications. Internally, the ACE Team has been working on several projects to help mitigate and fix these issues, as well as to detect them in the code bases we review so that they can be fixed before going live.
XSSDetect runs as a Visual Studio plug-in and can detect potential XSS issues in managed code.
Here's a screenshot:
While the functionality may seem straightforward, many years of research and hard work have gone into making XSSDetect a reality. XSSDetect is a stripped-down version of our enterprise-ready Code Analysis Tool for .NET code bases (CAT.NET for short). CAT.NET adds features such as VSTF integration, centralized reporting using web services, customized rule sets and filters, integration with FxCop and MSBuild, as well as the ability to run from the command line to integrate with your build processes (or if you're just old school and rock it like that ;)
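To make concrete what "potential XSS issues in managed code" means, here is an added example (not from the original post and not XSSDetect's or CAT.NET's own code): the ASP.NET source-to-sink data flow such a scanner flags, the same flow routed through a helper method, and the encoded versions that remove the issue. The page class name `Greeting` and the `Wrap` helper are hypothetical.

```csharp
// Added example, not part of the original post or of the XSSDetect tool.
// Shows the source-to-sink pattern a managed-code XSS scanner looks for.
using System;
using System.Web;
using System.Web.UI;

public partial class Greeting : Page   // hypothetical page class
{
    // Vulnerable: untrusted input (source) reaches the response unencoded (sink).
    protected void RenderUnsafe()
    {
        string name = Request.QueryString["name"];     // source: user-controlled
        Response.Write("<p>Hello, " + name + "</p>");  // sink: raw HTML output
    }

    // Still vulnerable: the tainted value survives an intermediate variable and a
    // helper call. A data-flow scanner follows it across the call, and so should a reviewer.
    private static string Wrap(string s)               // hypothetical helper
    {
        return "<p>Hello, " + s + "</p>";
    }

    protected void RenderUnsafeIndirect()
    {
        string name = Request.QueryString["name"];
        string html = Wrap(name);                      // taint flows through the helper
        Response.Write(html);                          // sink
    }

    // Fixed, HTML element context: encode before the value reaches the sink.
    protected void RenderSafe()
    {
        string name = Request.QueryString["name"] ?? string.Empty;
        Response.Write("<p>Hello, " + HttpUtility.HtmlEncode(name) + "</p>");
    }

    // Fixed, attribute context: values placed inside an attribute need attribute encoding.
    protected void RenderSafeAttribute()
    {
        string name = Request.QueryString["name"] ?? string.Empty;
        Response.Write("<input type=\"text\" value=\""
                       + HttpUtility.HtmlAttributeEncode(name) + "\" />");
    }
}
```

The encoding must match the output context (element body versus attribute value); a scanner that only checks for the presence of an encoder will not catch a value encoded for the wrong context.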
XSSDetect is currently in beta so we welcome your feedback! This current version of the beta will expire after 60 days. To send us your feedback, we encourage you to leave comments below or contact us via the 'Email' link above.
Click here to DOWNLOAD now!
Hi, my name is Hassan Khan. I work for the ACE Engineering Team, which is a part of the ACE (Application
It would be great if this could be run from the command line like FxCop; then we could run XSS detection before deployment, just as a final check to ensure we've not overlooked anything.
1. How about obfuscated assemblies or IL modules?
2. Can XSSDetect analyze the release build binary?
3. If I strip the debug information, can XSSDetect still get the possible insecure path?
Thanks for the hard work on this tool! I get an "License missing or expired" error when I try to run the tool in VS 2005 Team System. Any clues?
Please keep the questions coming! We're working on a FAQ blog post to answer all of the questions that are posted here.
After installing the tool and clicking the button to start the analysis, it displays the error message "Licence missing or invalid", and does nothing else.
My Windows Vista Ultimate licence is valid. My Visual Studio 2005 Pro licence is valid. My system clock is correct, so it can't have expired already.
How can I obtain a licence to use this "free" tool???
The only output from this tool is the error message, "License missing or expired". What license? Windows is licensed. Visual Studio 2005 Pro is licensed. What else do I have do buy to use this tool?
This is definitely one tool you should be trying if you're writing web apps with Visual Studio. Cross-site
The "License missing or expired" message indicates that you are running VS without admin rights. Unfortunately, although XSSDetect doesn't require admin rights, the current version of the VS APIs apparently does. Please try re-running VS with admin privileges and try again. We'll cover this in more detail in the FAQ post that's coming soon.
I wasn't sure what the problem was with the License missing, so I uninstalled the product and tried it on another OS (Win 2003 x86) and it worked fine. I then went back to try to re-install it on my Vista Business x64 and now I get an unexpected error 2869 -- problem with the package every time. What could be causing the problem with not being able to re-install the tool?
Sorry... I can't see the answer. Where is it?
Strange stuff; I wanted to run it over the Subtext code base; but I get out of memory errors very very quickly, despite the estimate in the Output Window of only needing 96Mb.
So what's the best way to generate some debugging feedback for you guys?
The "Ace" team inside of Microsoft has kindly released a plug-in for Visual Studio called XSSDetect
If you develop web applications in ASP.NET, you should take a look at the XSSDetect tool.