XSSDetect FAQ

 Hi! This is Hassan Khan. As promissed, here the FAQs on XSSDetect:  Q. What is XSSDetect?A. XSSDetect is stripped down version of the Code Analysis Tool for .NET used by the ACE team to help find security vulnerabilities in software applications. It has been made available for free on Microsoft downloads. XSSDetect comes as a Visual…

2

XSSDETECT: Analyzing Large Applications

XSSDetect is a static binary analysis tool. In the first step of analysis it reads target binaries to create a directed graph where nodes represent statements while the edges represent flow of data. This graph can get huge for large applications and users can sometimes run into the “out of memory exception.” Read this blog…

4

Update: Some details on how XSSDetect does dataflow analysis

Just a brief update, Hassan Khan one of the lead developers of XSSDetect and part of our ACE Engineering team has posted up some technical details on how XSSDetect uses data flow analysis to do its magic.  You can read more about it here.  Feel free to leave additional questions and I’m sure he’ll follow up…

2

XSSDetect Public Beta now Available!

One of the biggest, constant problems we’ve seen our enterprise customers deal with and we here at Microsoft have to also contend with is that of the XSS (Cross Site Scripting) bug.  It’s very common and unfortunately, still an issue we have to deal with in many web applications.  Internally, the ACE Team has been…

39

What would you like the ACE team to discuss on Channel 9?

The ACE Team is going to be doing a Channel 9 video with Robert Scoble!  (Thanks Robert! 🙂  We’ll get a chance to discuss what we do and how we do it.  We’ll also be spending time talking about our threat modeling process and tool (more info as always on our threat modeling blog).  But…

0

Crypto Key Generation & Management

Ever wondered how strong your crypto keys are and whether they are secure against the ever growing threat of being compromised? The threat continues to grow daily in a world where hackers are mounting more sophisticated and complex attacks against a constantly increasing attack surface. The attacks vectors are exponentially amplified when considering the addition…

2

What’s the difference between IOSEC and the Microsoft Anti-Cross Site Scripting Library?

Some users who have been using IOSEC, our internal library for defending against cross-site scripting (XSS) attacks, may be wondering what’s the difference between that library and the Microsoft Anti-Cross Site Scripting Library V1.0 at http://www.microsoft.com/downloads/details.aspx?FamilyID=9A2B9C92-7AD9-496C-9A89-AF08DE2E5982&displaylang=en.   The IOSEC library currently implements encoding protection against XSS attacks conducted through vectors such as HTML, URLs, JavaScript, HtmlAttributes…

9

ACE Team Tools and Libraries Part I – IOSEC

Update [3/16/06, 4:56PM] There has been some confusion between what IOSEC does and what the Microsoft Anti-Cross Site Scripting Library does (linked to below).  The Anti-XSS library currently has a subset of the functionality of IOSEC.  Over the coming weeks and months, we will be porting over additional IOSEC functions into future releases of the…

10

Threat Analysis & Modeling Launch

Over the past several years, the ACE Team has developed and matured a threat modeling methodology for the implementation of software.  We’ve recently started a separate blog for threat modeling & I’d like to invite you to check it out and keep watching it for more details as we get ready to launch version 2.0…

3