XSSDETECT: Analyzing Large Applications

XSSDetect is a static binary analysis tool. In the first step of analysis it reads target binaries to create a directed graph where nodes represent statements while the edges represent flow of data. This graph can get huge for large applications and users can sometimes run into the “out of memory exception.” Read this blog…


Update: Some details on how XSSDetect does dataflow analysis

Just a brief update: Hassan Khan, one of the lead developers of XSSDetect and part of our ACE Engineering team, has posted up some technical details on how XSSDetect uses data flow analysis to do its magic.  You can read more about it here.  Feel free to leave additional questions and I’m sure he’ll follow up…


XSSDetect Public Beta now Available!

One of the biggest, constant problems we’ve seen our enterprise customers deal with and we here at Microsoft have to also contend with is that of the XSS (Cross Site Scripting) bug.  It’s very common and unfortunately, still an issue we have to deal with in many web applications.  Internally, the ACE Team has been…


ASP.NET ValidateRequest does not mitigate XSS completely

From Eugene Siu’s blog: http://blogs.msdn.com/esiu/archive/2007/10/19/asp-net-validaterequest-does-not-mitigate-xss-completely.aspx As a security guy, I can safely say that there is no magic bullet to mitigate any security problems completely, and cross-site scripting (XSS) bugs are not exceptions.  Since ASP.NET 1.1, ValidateRequest can be configured in web.config to check and reject dangerous inputs, and HttpRequestValidationException is thrown before the input is even…


Is Microsoft Office Isolated Conversion Environment (MOICE) mocha on ice?

From Eugene Siu’s blog: http://blogs.msdn.com/esiu/archive/2007/10/19/is-microsoft-office-isolated-conversion-environment-moice-mocha-on-ice.aspx MOICE may sound like mocha on ice, but it is really a strong dark espresso shot offered by Office TWC team to jolt up security.  Microsoft Office Isolated Conversion Environment (MOICE) is a new security tool that helps protect Office users from malicious documents. Office team strives to enhance their security,…


Given enough eyeballs all bugs are shallow: True or False?

From Eugene Siu’s blog: http://blogs.msdn.com/esiu/archive/2007/10/11/given-enough-eyeballs-all-bugs-are-shallow-true-or-false.aspx “Given enough eyeballs all bugs are shallow.”  I do agree if more right-minded folks look at a piece of code, it would help identify both security and non-security bugs.  This premise is built on the assumption that all reviewers have the best intentions in mind.  However, do all people have…


System.URI.AbsolutePath Vs Phishing Attack

From Eugene Siu’s blog: http://blogs.msdn.com/esiu/archive/2007/10/10/system-uri-absolutepath-vs-phishing-attack.aspx Phishing attack can be caused by users inadvertently clicking on malicious links in emails or web pages, which then forward requests to malicious websites.  A common phishing technique is to fake emails sent by well-known banks or merchants, which contain malicious hyperlinks.  Successful phishing attacks allow attackers to steal online user identities, install malware on…


Web Service Security Guidance

From Eugene Siu’s blog (http://blogs.msdn.com/esiu/archive/2007/10/10/web-service-security-guidance.aspx): I have just published a Technet article.  This is geared for administrators and developers as an introduction to web service security.  It contains lots of references that allow you to deepen your knowledge of web service security. Please visit http://www.microsoft.com/technet/community/columns/sectip/st1007.mspx. Your feedback is welcome.


Mark Curphey joins Microsoft’s ACE Team

Mark joined ACE as of Oct. 1st and we’re very glad to have him aboard!  The following is a note from Mark:  As is the tradition around these parts I wanted to introduce myself as the newest member of the ACE Team. My name is Mark Curphey and I’ll be heading up ACE Services in Europe and…


More eyeballs for .Net Framework code

From Eugene Siu’s blog: Microsoft will open up source code of .Net Framework to the public.  It allows outsiders to review what is under the hood, and enables easier debugging of development projects around .Net Framework.  .Net Framework code has been reviewed heavily, and developers can pick up coding best practices by reviewing source code…