Anti-XSS 3.0 Beta and CAT.NET Community Technology Preview now Live!


Mark Curphey here…..

I am delighted to say that we have released two new free tools.

CAT.NET – Community Technology Preview

CAT.NET is a managed code static analysis tool for finding security vulnerabilities. It is exactly the same tool we use internally to scan all of our Line of Business (LOB) applications, and it runs either as a Visual Studio plug-in or as a stand-alone application. It was engineered by this group (CISG) and designed in partnership with the ACE Team and Microsoft Research (MSR). The ACE Team do thousands of code reviews for our internal line of business applications and for our external customers, and over the years they have fed a wealth of real-world knowledge and experience into the tool. We will be posting several deep-dive blogs this week on the inner workings of the call graph and data flow graph analysis and on the algorithms behind CAT.NET that came from MSR. This is a technology preview: we know there are performance and functionality limitations that we will be working on over time, but we are already deep in discussion about the future design of CAT.NET and it is looking potentially very compelling!
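The deep-dive posts on the call graph and data flow analysis are not part of this page, so here is the core idea in miniature, as an added example that is not CAT.NET's code: walk each method's statements, track which variables hold attacker-controlled data, follow that data through calls to other methods, and report when it reaches a sink without having passed through a sanitizer that sink accepts. The toy intermediate form, the source/sink/sanitizer tables and the sample page are all constructed here and are assumptions for the demonstration, not CAT.NET's rule set or report format.

```python
# Added illustration of source-to-sink taint tracking over a call graph.
# The rule tables, the intermediate form and the sample program below are
# constructed for this example; they are not CAT.NET's rules or output.

# Rules (constructed): where untrusted data enters, where it is dangerous,
# and which sanitizers each sink accepts. Note that an HTML encoder is
# deliberately not an accepted sanitizer for the SQL sink.
SOURCES = {"Request.QueryString", "Request.Form"}
SANITIZERS = {"AntiXss.HtmlEncode"}
SINKS = {
    "Response.Write": {"AntiXss.HtmlEncode"},  # HTML output: HtmlEncode is enough
    "SqlCommand.ExecuteReader": set(),          # SQL text: no encoder makes this safe
}

# A tiny intermediate form standing in for the flow graph a real analyzer
# builds from compiled code. Statement shapes:
#   ("call", dst, callee, [args])   dst may be None for a sink call
#   ("concat", dst, [parts])        string concatenation
#   ("assign", dst, src)            plain copy
#   ("return", var)
# Names in double quotes are string literals and carry no taint.
PROGRAM = {
    "Page_Load": {
        "params": [],
        "body": [
            ("call", "name", "Request.QueryString", ['"name"']),
            ("call", "greeting", "Greet", ["name"]),
            ("call", None, "Response.Write", ["greeting"]),      # sanitized inside Greet
            ("call", "id", "Request.Form", ['"id"']),
            ("call", "safe_id", "AntiXss.HtmlEncode", ["id"]),
            ("concat", "sql", ['"SELECT * FROM t WHERE id=\'"', "safe_id", '"\'"']),
            ("call", None, "SqlCommand.ExecuteReader", ["sql"]),  # wrong sanitizer for SQL
            ("call", None, "Response.Write", ["id"]),            # raw source to HTML sink
        ],
    },
    "Greet": {
        "params": ["who"],
        "body": [
            ("call", "enc", "AntiXss.HtmlEncode", ["who"]),
            ("concat", "out", ['"Hello, "', "enc"]),
            ("return", "out"),
        ],
    },
}


def analyze_method(name, arg_taints, depth=0):
    """Forward taint propagation through one method, descending into callees.

    A taint value is a set of (source, frozenset_of_sanitizers_applied) pairs.
    Returns (taint_of_return_value, findings) where each finding is
    (method, sink, source, sanitizers_applied_as_sorted_tuple).
    """
    method = PROGRAM[name]
    env = dict(zip(method["params"], arg_taints))  # variable -> taint set
    findings = []
    ret = set()
    for stmt in method["body"]:
        kind = stmt[0]
        if kind == "assign":
            _, dst, src = stmt
            env[dst] = set(env.get(src, set()))
        elif kind == "concat":
            _, dst, parts = stmt
            env[dst] = set().union(*(env.get(p, set()) for p in parts))
        elif kind == "return":
            ret = env.get(stmt[1], set())
        elif kind == "call":
            _, dst, callee, args = stmt
            taints = [env.get(a, set()) for a in args]
            incoming = set().union(*taints)
            if callee in SOURCES:
                result = {(callee, frozenset())}
            elif callee in SANITIZERS:
                result = {(src, san | {callee}) for src, san in incoming}
            elif callee in SINKS:
                for src, san in incoming:
                    if not san & SINKS[callee]:
                        findings.append((name, callee, src, tuple(sorted(san))))
                result = set()
            elif callee in PROGRAM and depth < 10:  # follow the call graph edge
                result, sub = analyze_method(callee, taints, depth + 1)
                findings.extend(sub)
            else:
                result = incoming  # unknown callee: assume taint passes through
            if dst is not None:
                env[dst] = result
    return ret, findings


if __name__ == "__main__":
    for finding in analyze_method("Page_Load", [])[1]:
        print("%s: %s reached by %s, sanitizers applied: %s" % finding)
```

Two findings come out: the raw `Request.Form` value written straight to the response, and the HTML-encoded value concatenated into SQL, which an analyzer only catches if its rules know which sanitizer is valid for which sink. The greeting path produces nothing because the sanitizer call inside `Greet` is seen through the call graph. Everything the analyzer reports depends on what its intermediate form contains; data that never appears in that form is invisible to it.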

You can download the current CTP builds from MSDN (32 bit here and 64 bit here) and submit bugs and feedback to our Connect site (see a post later this week for details).

Anti-XSS 3.0 – Beta

Cross Site Scripting (XSS) continues to plague web sites and, among other things, has become a common attack vector for phishing campaigns to deliver payloads to unsuspecting users.

With this release we have taken a fresh look at how to provide protection to ASP.NET applications. As well as significantly better coverage for internationalisation in the core library and significantly improved performance, we are now shipping the Security Runtime Engine (SRE), a .NET CLR plug-in that overrides the default output encoding to render sites safe from XSS with zero code changes. While the SRE cannot be used in every circumstance and cannot prevent every type of XSS, we believe it will provide great coverage in a wide variety of situations and forms another important layer in a defence in depth strategy. In testing on our own applications in Microsoft IT we have typically seen it fix between 50% and 90% of the XSS issues in an application out of the box, with no code changes needed. We are experimenting with preventing other attacks beyond XSS and expect to extend coverage in future releases.
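The protection both the core library and the SRE apply is output encoding chosen for the context the data lands in. Anti-XSS's documented approach is an allow-list (the "principle of inclusion"): rather than escaping a handful of characters known to be dangerous, it leaves only characters known to be safe untouched and numerically encodes everything else, which is also what makes it behave the same for non-ASCII input. The following is an added example of that approach in Python; it is not the library's code, and the exact safe character sets it uses are assumptions made for the demonstration. It shows body, attribute and JavaScript-string contexts, and contrasts the attribute case with a deny-list encoder on a constructed payload.

```python
# Added illustration of allow-list ("principle of inclusion") output encoding
# for three contexts. Not the Anti-XSS library's code; the safe character
# sets below are assumptions chosen for this demonstration.
import html
import string

# Only these characters pass through unencoded; everything else becomes a
# numeric reference. The encoder never needs to know which characters are
# dangerous in a particular browser or charset.
_SAFE_BODY = frozenset(string.ascii_letters + string.digits + " ,.-_")
_SAFE_ATTR = frozenset(string.ascii_letters + string.digits + ",.-_")  # no space
_SAFE_JS = frozenset(string.ascii_letters + string.digits + " ,.")


def html_encode(s: str) -> str:
    """Encode untrusted text for an HTML element body, e.g. inside <p>...</p>."""
    return "".join(c if c in _SAFE_BODY else "&#%d;" % ord(c) for c in s)


def html_attribute_encode(s: str) -> str:
    """Encode untrusted text for an HTML attribute value.

    Space is encoded too, so the value cannot start a new attribute even if
    the template author forgot the surrounding quotes.
    """
    return "".join(c if c in _SAFE_ATTR else "&#%d;" % ord(c) for c in s)


def javascript_string_encode(s: str) -> str:
    """Encode untrusted text as a single-quoted JavaScript string literal."""
    out = []
    for c in s:
        cp = ord(c)
        if c in _SAFE_JS:
            out.append(c)
        elif cp < 0x100:
            out.append("\\x%02x" % cp)
        elif cp < 0x10000:
            out.append("\\u%04x" % cp)
        else:  # outside the BMP: JS string literals want a UTF-16 surrogate pair
            cp -= 0x10000
            out.append("\\u%04x\\u%04x" % (0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)))
    return "'" + "".join(out) + "'"


def deny_list_html_encode(s: str) -> str:
    """The classic 'escape the four special characters' approach, for contrast."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))


# Constructed payload aimed at a single-quoted or unquoted attribute value.
ATTRIBUTE_BREAKOUT = "' onmouseover='alert(1)"


if __name__ == "__main__":
    print("body      :", html_encode("<script>alert('x')</script>"))
    print("i18n      :", html_encode("日本語 <b>"))
    print("deny-list :", deny_list_html_encode(ATTRIBUTE_BREAKOUT))  # passes unchanged
    print("allow-list:", html_attribute_encode(ATTRIBUTE_BREAKOUT))  # fully neutralised
    print("js string :", javascript_string_encode("a'b\n😀"))
```

The deny-list encoder returns the attribute breakout payload unchanged, because the payload contains none of the four characters it knows about; the allow-list attribute encoder turns the quote, the space and the equals sign into numeric references, and the browser decodes them back to the original text when it reads the attribute value. The same property gives correct round-tripping for the non-ASCII input.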

With this release we are also shipping a performance test harness so you can test your own applications in pre-production, a copy of our own performance results as measured by the ACE Team, and a sample application that you can use to demonstrate the attack and how to fix it to your development teams. Another significant change is that Anti-XSS 3.0 is now being released as an open source tool under the MS-PL license on CodePlex.

You can download the current beta binaries from MSDN here and source code from CodePlex here. For Anti-XSS you can submit bugs and feedback directly to our CodePlex site here.

Look for detailed posts about both Anti-XSS and CAT.NET this week, and for updates about these and related technologies, here on this blog.

Subscribe via RSS here.

Happy Holidays!


Mark


Comments (19)

  1. Anonymous says:

    Continuing our work to share the tools and techniques we use internally to maintain a secure application

  2. Anonymous says:

    It seems that the download links no longer work

    Arnon

  3. cisg says:

    Being fixed now Aaron. ETA a few hours. Sorry.

  4. daveblack says:

    Does this new release of CAT.NET preclude the use of the ACE Team’s XSSDetect?

  5. Anonymous says:

    Links are still broken.  Please update the page once the download links are fixed.

    Thanks

  6. cisg says:

    We estimate 5pm PST.

  7. Anonymous says:

    Any chance you have some documentation for the config.xml file in CAT.Net. The help file doesn’t have examples of the structure of the config.xml

    Thanks

    Rich

  8. Anonymous says:

    Hi Andreas Fuchsberger here … To coincide with the CTP release of CAT.NET and Anti-XSS , within

  9. daveblack says:

    I am getting an ‘OutOfMemoryException’ from CAT.NET when executing against a Solution with 72 projects.

  10. Anonymous says:

    The Microsoft Anti-Cross Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed

  11. Anonymous says:

    We have released Anti-XSS 3.0 library with SRE (Security Run-Time Engine) on CodePlex and CAT.NET a free

  12. Anonymous says:

    Where is the connect site?

    Multiprocessor/Multithreading this application is necessary in addition to addressing the memory issues.  My system pegs at 50% utilization while CAT.NET is running because it isn’t taking advantage of the second core.

  13. Anonymous says:

    Eh.  I just ran it against a website project that wasn’t html-encoding view data; analysis gave me no warnings.  I think it maybe isn’t analyzing aspx files, just the bin directory contents.  

    My analysis of CAT.NET:  Fail.

  14. Anonymous says:

    About a year back, ACE Engineering released the “XSSDetect” static code analysis tool. This was a stripped

  15. Anonymous says:

    Came across Connected Information Security Group’s Blog. There are 2 new tools to help diagnose code

  16. axleyjc says:

    I see another request above for documentation on config.xml.  Any chance that might be made available?  

  17. axleyjc says:

    FYI, here’s what apparently the format should be.  Not as flexible as fxcop xml:

    <CATNetConfig version="1">
       <ConfigRoot></ConfigRoot>
       <DataFlowGraphFile></DataFlowGraphFile>
       <Profile></Profile>
       <ReportFile></ReportFile>
       <ReportXslFile></ReportXslFile>
       <ReportXslOutputFile></ReportXslOutputFile>
       <RulesDirectory></RulesDirectory>
       <RulesXmlFile></RulesXmlFile>
    </CATNetConfig>

  18. Anonymous says:

    Our mission in Information Security is to enable secure & reliable business . In going about our