I ran across a few interesting posts on the Application Consulting and Engineering (ACE) team's blog that I wanted to link to here so that more folks will hopefully see them. This past week the ACE team announced a public beta of a tool they built named XSSDetect. XSSDetect is a Visual Studio plug-in that performs static dataflow analysis on a web application's code to find places where untrusted input can reach HTML output without being encoded, which is the root cause of potential cross-site scripting (XSS) vulnerabilities.
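To make the source-to-sink idea concrete, here is a small, self-contained taint analysis I added for this post. It is not XSSDetect's code or algorithm, and it works on Python syntax rather than the managed code XSSDetect targets; the request/response API names, the sanitizer list and the three sample handlers are all constructed for the illustration. It shows the three ingredients any such checker needs: sources that introduce untrusted data, sanitizers that neutralize it for an HTML context, and sinks that write to the page. A flow from a source to a sink that does not pass through a sanitizer is reported.

```python
"""Toy source-to-sink taint analysis for reflected XSS.

Added illustration of the dataflow model behind static XSS checkers;
not XSSDetect's algorithm or code. The API names below (request.get,
response.write, html.escape, encoder.html_encode) are hypothetical.
"""
import ast

SOURCES = {"request.get"}                       # where untrusted data enters
SINKS = {"response.write"}                      # where data is written into HTML
SANITIZERS = {"html.escape", "encoder.html_encode"}  # HTML-context encoders


def _call_name(node):
    """Return a dotted callee name for a Call node, e.g. 'request.get'."""
    func, parts = node.func, []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def _is_tainted(node, tainted):
    """Does this expression carry untrusted data given the tainted names?"""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Call):
        name = _call_name(node)
        if name in SOURCES:
            return True
        if name in SANITIZERS:
            return False                        # encoding cuts the taint
        return any(_is_tainted(a, tainted) for a in node.args)
    if isinstance(node, ast.BinOp):             # string concatenation propagates
        return _is_tainted(node.left, tainted) or _is_tainted(node.right, tainted)
    if isinstance(node, ast.JoinedStr):         # f-strings propagate too
        return any(_is_tainted(v.value, tainted)
                   for v in node.values if isinstance(v, ast.FormattedValue))
    return False


def find_xss(source_code):
    """Return line numbers where tainted data reaches an HTML sink.

    Walks each top-level function's statements in order, tracking which
    local names are tainted. Branches and loops are not modelled.
    """
    findings = []
    for func in ast.parse(source_code).body:
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()
        for stmt in func.body:
            if isinstance(stmt, (ast.Assign, ast.AugAssign)):
                targets = stmt.targets if isinstance(stmt, ast.Assign) else [stmt.target]
                dirty = _is_tainted(stmt.value, tainted)
                for t in targets:
                    if not isinstance(t, ast.Name):
                        continue
                    if dirty or (isinstance(stmt, ast.AugAssign) and t.id in tainted):
                        tainted.add(t.id)
                    else:
                        tainted.discard(t.id)   # overwritten with clean data
            elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
                call = stmt.value
                if _call_name(call) in SINKS and any(
                        _is_tainted(a, tainted) for a in call.args):
                    findings.append(stmt.lineno)
    return findings


# Constructed sample handlers: one vulnerable, one fixed by encoding, one
# that passes the source straight into the sink through an f-string.
SAMPLE = '''
def vulnerable(request, response):
    name = request.get("name")
    greeting = "<p>Hello, " + name + "</p>"
    response.write(greeting)

def fixed(request, response):
    name = request.get("name")
    greeting = "<p>Hello, " + html.escape(name) + "</p>"
    response.write(greeting)

def direct(request, response):
    response.write(f"<p>{request.get('q')}</p>")
'''

if __name__ == "__main__":
    for line in find_xss(SAMPLE):
        print(f"possible XSS: untrusted data reaches an HTML sink at line {line}")
```

Running it reports the sink in `vulnerable` and in `direct` but not the one in `fixed`, because the value passed through an HTML encoder on the way. A real checker has to handle the same questions at scale: which encoder is right for which output context, flows across method boundaries, and what to do when a sanitizer is called on only one branch.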
Here are some useful links about the XSSDetect tool and cross-site scripting:
- Blog post announcing the XSSDetect beta - http://blogs.msdn.com/ace_team/archive/2007/10/22/xssdetect-public-beta-now-available.aspx
- XSSDetect beta download location - http://www.microsoft.com/downloads/details.aspx?FamilyID=19a9e348-bdb9-45b3-a1b7-44ccdcb7cfbe&displaylang=en
- Details about how XSSDetect does dataflow analysis - http://blogs.msdn.com/hackers/archive/2007/10/23/some-technical-details-on-how-xssdetect-does-dataflow-analysis.aspx
- Using XSSDetect to analyze large applications - http://blogs.msdn.com/ace_team/archive/2007/10/24/xssdetect-analyzing-large-applications.aspx
- MSDN topic about the anti-cross site scripting library - http://msdn2.microsoft.com/en-us/security/aa973814.aspx
If you are building or testing web applications, I encourage you to check out the XSSDetect tool and the information in the above links to see if it might be useful in your development and testing processes. Keep in mind that a static analysis tool reports potential flows that still need to be reviewed, and that finding issues is only half the job: the output encoding that actually closes them is what the Anti-Cross Site Scripting Library linked above provides.