RV again...

Last time we saw how to fix a cross site scripting (XSS) vulnerability. This time we look at how we can detect cross site scripting vulnerabilities using automated tools. Being the most common vulnerability found in web applications, it is very important to detect and mitigate XSS vulnerabilities early in development cycle. Arming developers with the right tools to develop application security is a big problem in every enterprise. Here at Microsoft, we have developed a static  analysis tool specifically aimed at developers to detect cross site scripting. It was released a while ago as Microsoft XSSDetect

XSSDetect is stripped down version of the Code Analysis Tool for .NET used by the ACE team to help find security vulnerabilities in software applications. It has been made available for free on Microsoft downloads. XSSDetect comes as a Visual Studio Add-in that can identify non-persistent XSS vulnerabilities in ASP.NET web-applications. XSSDetect is a type of static analysis tool, which uses Microsoft CCI libraries for analysis. CCI libraries are the same libraries used by FxCop. XSSDetect is a bit more than a FxCop plugin, as XSSDetect uses interprocedural analysis to detect XSS vulnerabilities. It uses the notion of Sources (input entry point) and Sinks (output method) to detect data paths which could lead to a XSS vulnerability.

The following are some examples of Sources and Sinks.

Sources Sinks
System.Web.HttpRequest.get_QueryString System.Web.HttpResponse.Write
System.Web.HttpRequest.get_Form System.IO.TextWriter.Write
System.Web.HttpRequest.get_Params System.Web.UI.WebControls.Label.set_Text
System.Web.HttpRequest.get_Cookies System.Web.UI.WebControls.HyperLink.set_Text
System.Web.UI.WebControls.TextBox.Text System.Web.UI.WebControls.LinkButton.set_Text

XSSDetect builds a huge data graph of the binary and identifies the data paths containing these sources and sinks. If any of these data paths use a encoding library such as AntiXss library it will be excluded from the results. You can find more information on the Sources, Sinks and Encoding rules in the %PROGRAMFILES%\Microsoft\XSSDetect\Config. Lets look at some vulnerable code that will be detected by XSSDetect.

   1: //Code in .aspx page
   2: <%=Request.QueryString["message"];%>
   3:  
   4: //Writing hidden field value back on to the page
   5: Response.Write(hidHiddenInput.Value);
   6:  
   7: //Setting the link button text
   8: LinkButton1.Text = String.Format(txtInput.Text, "LinkButton1.Text");
   9:  
  10: //HTML table object 
  11: Table1.Caption = String.Format(txtInput.Text, "Table1.Caption");
  12: Table1.Rows[0].Cells[0].Text = 
  13:     String.Format(txtInput.Text, "Table1.Rows[0].Cells[0].Text");
  14:  
  15: //Literal object text
  16: Literal1.Text = String.Format(txtInput.Text, "Literal.Text");
  17:  
  18: //Checkbox and Label text assignments
  19: CheckBox1.Text = String.Format(txtInput.Text, "CheckBox1.Text");
  20: Label1.Text = String.Format(txtInput.Text, "Label1.Text")
  21:  
  22: //Indirect XSS
  23: string strInput;
  24: protected void Page_Load(object sender, EventArgs e)
  25: {
  26:     strInput = Request.QueryString["message"];
  27:     this.SetMessage(strInput);
  28: }
  29:  
  30: private void SetMessage(string input) 
  31: {
  32:     Label1.Text = input;
  33: }

XSSDetect can detect many more variants of XSS vulnerabilities possible in ASP.NET Code. XSSDetect is currently available for Visual Studio 2005, we are working on a release to make it compatible with Visual Studio 2008. After installation go to Tools -> XSS Detect. It should open up a window as shown below.

XSSdetectScreenShot

Click the green "Play"/"Run" button (first button in the toolbar) to start the analysis. Please make sure that the solution is loaded and has all the needed references because XSSDetect will compile the source code to analyze the binary. Click on the Help Icon to open up the help file to find more information on the other features of XSSDetect. You can download XSS detect from MSDN downloads at http://www.microsoft.com/Downloads/details.aspx?FamilyID=19a9e348-bdb9-45b3-a1b7-44ccdcb7cfbe&displaylang=en. You can also see a FAQ for the tool at http://blogs.msdn.com/ace_team/archive/2007/12/11/xssdetect-faq.aspx.

Keep checking our blog for more exciting posts on Cross Site Scripting vulnerabilities and mitigation's.