XSSDetect: Cross Site Scripting detection plug-in for Visual Studio 2005

The "Ace" team at Microsoft has kindly released a plug-in for Visual Studio called XSSDetect. XSSDetect is a "static code analysis plug-in that will identify Cross-Site Scripting security flaws in any managed Web Application" (Microsoft).

"XSSDetect analyzes .NET Intermediate Language (IL) read directly from the compiled binaries. It takes apart all assemblies, modules, classes and methods down to each instruction. It then identifies statements where untrusted user data enters the application and where dangerous methods are called. These form the two sets of statements (sources and sinks) between which XSSDetect then finds dataflow paths. This is the same algorithm that is employed when an application is code reviewed manually by an experienced security analyst" (Some technical details on how XSSDetect does Dataflow Analysis).
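The source-to-sink search described in the quote can be sketched in a few lines. This is an added example, not XSSDetect's code: the flattened instruction format is constructed, each variable is assumed to be assigned once, and treating `HttpUtility.HtmlEncode` as a step that ends a tainted path is an assumption of the sketch.

```python
from collections import deque

# Assumed source, sink and encoder sets (ASP.NET names chosen for this sketch).
SOURCES = {"HttpRequest.get_QueryString"}
SINKS = {"HttpResponse.Write"}
ENCODERS = {"HttpUtility.HtmlEncode"}

# Constructed sample: an IL-like method body as (result, call, arguments).
METHOD = [
    ("name",  "HttpRequest.get_QueryString", []),
    ("greet", "String.Concat",               ["lit_hello", "name"]),
    (None,    "HttpResponse.Write",          ["greet"]),   # raw input reaches the sink
    ("safe",  "HttpUtility.HtmlEncode",      ["name"]),
    ("msg",   "String.Concat",               ["lit_hello", "safe"]),
    (None,    "HttpResponse.Write",          ["msg"]),     # encoded before the sink
]

def find_xss_paths(method):
    """Return one dataflow path (instruction indexes) per sink a source reaches."""
    defined_at = {}  # variable -> index of the instruction that produced it
    edges = {}       # instruction index -> instructions that consume its result
    for i, (dest, _call, args) in enumerate(method):
        for arg in args:
            if arg in defined_at:
                edges.setdefault(defined_at[arg], []).append(i)
        if dest is not None:
            defined_at[dest] = i
    findings = []
    for start, (_dest, call, _args) in enumerate(method):
        if call not in SOURCES:
            continue
        # Breadth-first search forward from the source statement.
        queue, parent = deque([start]), {start: None}
        while queue:
            node = queue.popleft()
            if method[node][1] in SINKS:
                path = []
                while node is not None:   # walk back to the source
                    path.append(node)
                    node = parent[node]
                findings.append(path[::-1])
                continue
            for nxt in edges.get(node, []):
                # Encoders are not followed, so encoded data never reaches a sink.
                if nxt not in parent and method[nxt][1] not in ENCODERS:
                    parent[nxt] = node
                    queue.append(nxt)
    return findings

if __name__ == "__main__":
    for p in find_xss_paths(METHOD):
        print(" -> ".join(METHOD[i][1] for i in p))
```

Only the first `Response.Write` is reported; swapping the encoder call for a plain string copy makes the second one appear as well.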

 

Source: XSSDetect Public Beta now Available!

Download: XSS Detect Beta Code Analysis Tool
 


Posted Oct 25 2007, 10:18 AM by Blake Niemyjski
Copyright © 2008 Windows Coding