XSSDetect FAQ

Hi! This is Hassan Khan. As promised, here are the FAQs on XSSDetect:

Q. What is XSSDetect?

A. XSSDetect is a stripped-down version of the Code Analysis Tool for .NET used by the ACE team to help find security vulnerabilities in software applications. It has been made available for free on Microsoft downloads. XSSDetect comes as a Visual…


Operation has timed out from class library in COM+

In a recent MS internal performance gig we encountered an interesting issue with the maxconnection setting in the Machine.Config. Essentially the application we were testing consisted of a web application using classic ASP, COM+ business objects and a .NET wrapper proxy that consumed web services on a separate web server using integrated authentication and SSL…


XSSDETECT: Analyzing Large Applications

XSSDetect is a static binary analysis tool. In the first step of analysis it reads target binaries to create a directed graph where nodes represent statements while the edges represent flow of data. This graph can get huge for large applications and users can sometimes run into the “out of memory exception.” Read this blog…


Update: Some details on how XSSDetect does dataflow analysis

Just a brief update: Hassan Khan, one of the lead developers of XSSDetect and part of our ACE Engineering team, has posted up some technical details on how XSSDetect uses data flow analysis to do its magic. You can read more about it here. Feel free to leave additional questions and I’m sure he’ll follow up…


XSSDetect Public Beta now Available!

One of the biggest, constant problems we’ve seen our enterprise customers deal with and we here at Microsoft have to also contend with is that of the XSS (Cross Site Scripting) bug.  It’s very common and unfortunately, still an issue we have to deal with in many web applications.  Internally, the ACE Team has been…


ASP.NET ValidateRequest does not mitigate XSS completely

From Eugene Siu’s blog: http://blogs.msdn.com/esiu/archive/2007/10/19/asp-net-validaterequest-does-not-mitigate-xss-completely.aspx As a security guy, I can safely say that there is no magic bullet to mitigate any security problems completely, and cross-site scripting (XSS) bugs are not exceptions. Since ASP.NET 1.1, ValidateRequest can be configured in web.config to check and reject dangerous inputs, and HttpRequestValidationException is thrown before the input is even…


Is Microsoft Office Isolated Conversion Environment (MOICE) mocha on ice?

From Eugene Siu’s blog: http://blogs.msdn.com/esiu/archive/2007/10/19/is-microsoft-office-isolated-conversion-environment-moice-mocha-on-ice.aspx MOICE may sound like mocha on ice, but it is really a strong dark espresso shot offered by the Office TWC team to jolt up security. Microsoft Office Isolated Conversion Environment (MOICE) is a new security tool that helps protect Office users from malicious documents. The Office team strives to enhance their security,…


Given enough eyeballs all bugs are shallow: True or False?

From Eugene Siu’s blog: http://blogs.msdn.com/esiu/archive/2007/10/11/given-enough-eyeballs-all-bugs-are-shallow-true-or-false.aspx “Given enough eyeballs all bugs are shallow.”  I do agree if more right-minded folks look at a piece of code, it would help identify both security and non-security bugs.  This premise is built on the assumption that all reviewers have the best intentions in mind.  However, do all people have…


System.URI.AbsolutePath vs. Phishing Attack

From Eugene Siu’s blog: http://blogs.msdn.com/esiu/archive/2007/10/10/system-uri-absolutepath-vs-phishing-attack.aspx Phishing attacks can be caused by users inadvertently clicking on malicious links in emails or web pages, which then forward requests to malicious websites. A common phishing technique is to fake emails sent by well-known banks or merchants, which contain malicious hyperlinks. Successful phishing attacks allow attackers to steal online user identities, install malware on…


Web Service Security Guidance

From Eugene Siu’s blog (http://blogs.msdn.com/esiu/archive/2007/10/10/web-service-security-guidance.aspx): I have just published a TechNet article. This is geared for administrators and developers as an introduction to web service security. It contains lots of references that allow you to deepen your knowledge of web service security. Please visit http://www.microsoft.com/technet/community/columns/sectip/st1007.mspx. Your feedback is welcome.
