XSSDetect FAQ

  • Article

Hi! This is Hassan Khan. As promissed, here the FAQs on XSSDetect: 

Q. What is XSSDetect?
A. XSSDetect is stripped down version of the Code Analysis Tool for .NET used by the ACE team to help find security vulnerabilities in software applications. It has been made available for free on Microsoft downloads. XSSDetect comes as a Visual Studio Add-in that can identify non-persistent XSS vulnerabilities in ASP.NET web-applications.

Q. What is CAT.NET?
A. (Code Analysis Tool for .NET) CAT.NET is the complete version of the dataflow analysis solution built by the ACE Team. Information on how to get CAT.NET will be posted later. It includes the following features:

1. Ability to detect more security vulnerabilities like persistent XSS, SQL Injection, Redirection to User Controlled Websites, Process Command Execution, LDPA/XPATH Injection etc.

2. Ability to create custom rules (to detect new vulnerabilities) and filters (to reduce false positives).

3. Includes a Command line version that does not require Visual Studio

4. Integration with FXCOP and MSBuild

5. Ability to create work Items for Visual Studio Team System and generate reports.

6. Ability to analyze large applications.

Q. Does XSSDetect require Visual Studio to be run in admin privileges?
A. Yes. Running XSSDetect Addin without Admin privileges may cause it to crash or display messages to regarding missing or expired license.

Q. Why does XSSDetect run of memory?
A. XSSDetect creates a huge dataflow graph in memory for all the targeted assemblies. In order to prevent XSSDetect from running out of memory, please remove some of the target assemblies from the target setting tabs. Please also see the blog entry title “XSSDetect: Analyzing large applications.”

Q. What is the scope of the XSSDetect analysis?
A. XSSDetect will analyze code that can be compiled into .NET assemblies irrespective of language. This includes web site projects and any server side code in .aspx files. For example, vulnerabilities like:
<%=Request.QueryString["name"] %>
in the aspx files will be caught.

Q. What versions of Visual Studio does XSSDetect work on?
A. XSSDetect has been tested to work on Visual Studio 2005. It does not , however, work on any the VS Express Edition. The current version avialable download does not work with Visual Studio 2008. If you would like to analyze applications in VS2008 running then open the XSSDetect.addin file in Documents and Settings\<username>\Application Data\Microsoft\MSEnvShared\Addins directory on XP or \users\<your alias>\AppData\Roaming\Microsoft\MSEnvShared\Addins on Vista, and insert the following line under HostApplication:
<Version>9.0</Version>

Q. Can XSSDetect analyze release builds without any debug info?
A. Yes, the analysis will not be affected by the availability of the debug info, however, the results will not include information on the location of the vulnerabilities.

Q. How can error 2869 be avoided when installing XSSDetect on Vista?
A. Please launch the installation process using the setup.exe instead of setup.msi on Vista.