XSSDetect Public Beta now Available!


One of the biggest, constant problems we’ve seen our enterprise customers deal with, and one that we at Microsoft also have to contend with, is the XSS (Cross Site Scripting) bug.  It’s very common and, unfortunately, still an issue in many web applications.  Internally, the ACE Team has been working on several projects to help mitigate and fix these issues, as well as to detect them in the code bases we review so that they can be fixed before going live.


XSSDetect runs as a Visual Studio plug-in and can detect potential XSS issues in managed code. 
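As an added illustration (not code from the original post, nor from XSSDetect or CAT.NET), here is the kind of source-to-sink flow a managed-code XSS detector is built to flag, alongside the encoded form that removes the finding. The handler name `GreetingHandler` and the `name` query-string parameter are assumptions made for the example; `HttpUtility.HtmlEncode` and `HttpUtility.HtmlAttributeEncode` are the standard `System.Web` encoders.

```csharp
// Added example: untrusted request data flowing to an HTML output sink.
// Not part of the original post; handler and parameter names are assumed.
using System;
using System.Web;

public class GreetingHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Source: a query-string value is fully controlled by the requester.
        string name = context.Request.QueryString["name"] ?? string.Empty;

        context.Response.ContentType = "text/html";

        // Vulnerable sink: the raw value is concatenated into HTML, so any
        // markup in the value (for example a <script> element) is rendered
        // as markup rather than as text. This is the pattern a detector reports.
        RenderUnsafe(context.Response, name);

        // Hardened sink: the value is HTML-encoded before it reaches the
        // response, so '<', '>', '&' and quotes become character references.
        RenderEncoded(context.Response, name);
    }

    // Kept separate so the two sinks are easy to compare in a code review.
    private static void RenderUnsafe(HttpResponse response, string value)
    {
        response.Write("<p>Hello, " + value + "</p>");
    }

    private static void RenderEncoded(HttpResponse response, string value)
    {
        // Element content: HtmlEncode is the right encoder.
        response.Write("<p>Hello, " + HttpUtility.HtmlEncode(value) + "</p>");

        // Attribute content: use the attribute encoder, which also handles quotes,
        // and always quote the attribute value.
        response.Write("<input type=\"text\" value=\""
                       + HttpUtility.HtmlAttributeEncode(value) + "\" />");
    }
}
```

The encoder must match the output context: `HtmlEncode` for element content and `HtmlAttributeEncode` for quoted attribute values. A detector that tracks data from `Request` members to `Response.Write` treats the encoder call as the point where the flow becomes safe, which is why the unencoded `RenderUnsafe` path is the one that should show up in a report.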


Here’s a screenshot:

[Screenshot: XSSDetect]


While the functionality may seem straightforward, many years of research and hard work have gone into making XSSDetect a reality.  XSSDetect is a stripped-down version of our enterprise-ready Code Analysis Tool for .NET code bases (CAT.NET for short).  CAT.NET adds features such as VSTF integration, centralized reporting using web services, customized rulesets and filters, integration with FXCop and MSBUILD, as well as the ability to run from the command line to integrate with your build processes (or if you’re just old school and rock it like that 😉).


XSSDetect is currently in beta, so we welcome your feedback!  This current version of the beta will expire after 60 days.  To send us your feedback, we encourage you to leave comments below or contact us via the ‘Email’ link above.


Click here to DOWNLOAD now!



Comments (39)

  1. Anonymous says:

    Can this be integrated into FXCop?

  2. Anonymous says:

    I’ve talked about threat modeling being one part of the overall information security puzzle… there

  3. Anonymous says:

    XSS (Cross Site Scripting) techniques are among the most common, along with other old friends. Microsoft

  4. Anonymous says:

    I've talked about threat modeling being one part of the overall information security puzzle… there

  5. Anonymous says:

    From the MS Download Center. XSS Detect Beta Code Analysis Tool Version: 1.0 Date Published:

  6. Anonymous says:

    I think this tool requires prior installation of Visual Studio 2005. Do you have any plans to give this tool as a separate exe which one can run on any set of .aspx files? I think if you remove the dependency more people will tend to use the tool and also you can expect good feedback.

  7. Anonymous says:

    Is "CAT .NET" different from FxCop, and if so is it currently available for evaluation or use?

  8. Anonymous says:

    Will this work with VS 2008?

  9. Anonymous says:

    XSSDetect is available for download now. It’s a tool which helps identify Cross Site Scripting Vulnerabilities

  10. Anonymous says:

    A beta version of a new tool has been released to detect whether you might have any security holes

  11. Anonymous says:

    A beta version of a new tool has been released to detect whether you might have any security holes

  12. Gerard van der Land says:

    On a 2 GB machine I got an OutOfMemoryException on several large solutions where I tried this tool. The tool also doesn’t seem to detect XSS issues when <%= variable %> is used in an .aspx file. Can you give some info on exactly what methods of input and output the tool checks, its capabilities and limitations?

  13. Anonymous says:

    Great news, I was looking for something like that for a long time..

  14. Anonymous says:

    Hi, my name is Hassan Khan. I work for the ACE Engineering Team, which is a part of the ACE (Application

  15. Anonymous says:

    It would be great if this could be run from the command line like fxcop, then we could run XSS detection before deployment, just as a final check to ensure we’ve not overlooked anything.

  16. Anonymous says:

    Some questions:

    1. How about an obfuscated assembly or IL module?

    2. Can XSSDetect analyze the release build binary?

    3. If I strip the debug information, can XSSDetect still get the possible insecure path?

    Thanks

  17. Anonymous says:

    Thanks for the hard work on this tool! I get a "License missing or expired" error when I try to run the tool in VS 2005 Team System. Any clues?

  18. Anonymous says:

    Some questions:

    1. How about an obfuscated assembly or IL module?

    2. Can XSSDetect analyze the release build binary?

    3. If I strip the debug information, can XSSDetect still get the possible insecure path?

    Thanks

  19. ACE Team says:

    Hi Folks,

    Please keep the questions coming!  We’re working on a FAQ blog post to answer all of the questions that are posted here.

    Thanks,

    ACE Team

  20. richard_deeming says:

    After installing the tool and clicking the button to start the analysis, it displays the error message "Licence missing or invalid", and does nothing else.

    My Windows Vista Ultimate licence is valid. My Visual Studio 2005 Pro licence is valid. My system clock is correct, so it can’t have expired already.

    How can I obtain a licence to use this "free" tool???

  21. richard_deeming says:

    The only output from this tool is the error message, "License missing or expired". What license? Windows is licensed. Visual Studio 2005 Pro is licensed. What else do I have do buy to use this tool?

  22. Anonymous says:

    This is definitely one tool you should be trying if you’re writing web apps with Visual Studio. Cross-site

  23. ACE Team says:

    Hi Richard,

    The "License missing or expired" message is indicating that you are running VS without admin rights.  Unfortunately, although XSSDetect doesn’t require admin rights, the current version of VS API’s apparently do.  Please try re-running VS with admin privliges and try again.  We’ll cover in more detail in the FAQ post that’s coming soon.

    Thanks,

    ACE Team

  24. Anonymous says:

    I wasn’t sure what the problem was with the License missing, so I uninstalled the product and tried it on another OS (Win 2003 x86) and it worked fine. I then went back to try to re-install it on my Vista Business x64 and now I get an unexpected error 2869 — problem with the package every time. What could be causing the problem with not being able to re-install the tool?

  25. Anonymous says:

    Sorry.. I can’t see the answer. Where is it?

  26. Strange stuff; I wanted to run it over the Subtext code base, but I get out of memory errors very very quickly, despite the estimate in the Output Window of only needing 96 MB.

    So what’s the best way to generate some debugging feedback for you guys?

  27. Anonymous says:

    The "Ace" team inside of Microsoft has kindly released a plug-in for Visual Studio called XSSDetect

  28. Anonymous says:

    If anyone builds web applications using ASP.NET technology, they should get to know the XSSDetect tool.

  29. Anonymous says:

    A command line interface would be valuable to allow us to include it in our build process.

  30. Anonymous says:

    So, I emailed using the blog email form but haven’t heard back.  All XSSDetect seems good at doing for me is crashing VS 2005 SP1 every time I click analyze, no matter which assemblies (.net 2.0 or 1.1) I try to analyze.  I get a TargetInvocationException.

    I’m not using team system, just the regular VS 2005 from MSDN.  And I even reinstalled VS 2005 from scratch without any change.

  31. j.monty says:

    Can XSSDetect be automated with ant/nant or with Team System?

    This is important from a SDL/SALSA perspective…

  32. Anonymous says:

    XSSDetect is a Visual Studio add-in intended to help the user eliminate XSS problems

  33. Anonymous says:

    I ran across a few interesting posts on the Application Consulting and Engineering (ACE) team’s blog

  34. Anonymous says:

    About a month back, ACE Engineering released "XSSDetect", a stripped down version of the "Code Analysis

  35. Anonymous says:

    About a month back, ACE Engineering released "XSSDetect", a stripped down version of the

  36. Anonymous says:

    Hi everyone, Bryan Sullivan here. Unless you’ve been living in an ice cave on the polar cap for the last

  37. Anonymous says:

    Hi everyone, Bryan here. I’m speaking at BlueHat today and tomorrow about some of my experiences as a