How to Run CAT.NET 2.0 CTP


RV here…

With the new build of CAT.NET available on connect.microsoft.com you must have noticed that the new version includes only a command line tool. We we will be releasing the Visual Studio rules as part of Beta1 release. So lets look at how we can use the command line version to analyze binaries and configuration files for insecure configuration.

After the installation click on Windows Start Menu and go to All Programs –> Microsoft Information Security –> Code Analysis for .NET (CAT.NET) v2.0 and select CAT.NET v2.0 Command Prompt. This will launch a command window and display all the command line options as shown below.

image

If you notice /file and /configdir are both required switches which are path to binary file and path to directory with .config files respectively. Optionally /report and /reportxsloutput are paths to report.xml and report.htm files which are outputs from cat.net analysis. Here is a sample command that runs the analysis on the sample application that is part of Anti-XSS distribution that identifies Cross Site Scripting vulnerabilities and some insecure configuration in web.config.

CATNetCmd.exe /file:"c:\AntiXss\Sample Application\bin\SampleApp.dll" /configdir:"C:\AntiXss\Sample Application" /report:"C:\AntiXss\SampleAppReport.xml" /reportxsloutput:"C:\AntiXss\Sample AppReport.htm"

In essence you should be using /file, /configdir, report and /reportxsloutput for your analysis. There are total 40 rules loaded by the engine which includes 33 config rules and 7 data flow rules. Generated report includes targets, time taken for analysis, summary of violations and violations details. Here is the report generated by the above sample command.

image

Configuration issues provide line  numbers and violation xml in the report. Similarly data flow analysis rules provide the entry point and additional data to identify where the error is occurring. These will be dramatically improved in Beta1 to provide more detailed information on where violation has occurred and specific data flow paths in case of data flow rules. Keep checking our blog site for more information on CAT.NET tool.

Comments (3)

  1. mdekleine says:

    The article doesn’t mention that you need the Microsoft .NET Framework 4 framework which is a separate download from Microsoft.

  2. interDist says:

    Is it possible to run CAT.NET on an ASP.NET/C# project? If so, which file should I provide to the /file switch?

  3. anilkr says:

    Yes, it is possible to run ASP.NET Project. Please use Web Deployment Project to compile your asp.net application. In the property pages make sure you uncheck "Allow this precompiled site to be updatable" this allows compiler to compile any code in .aspx files as well. Then use the resulting .dll using /file switch.

    Thanks

    Anil Revuru

    Information Security Tools