Syed Aslam Basha here from the Information Security Tools team.
In the previous blog post I demonstrated "How to Run CAT.NET as a Custom MSBuild Task"; for more information you can refer to that blog post here. Here I am going to demonstrate "How to use CAT.NET as a Visual Studio Add-In to identify security flaws within managed code".
Applications might have many security vulnerabilities, such as SQL injection, LDAP injection, XPath injection, cross-site scripting (XSS), process command execution, file canonicalization, exception information disclosure and redirection to a user-controlled site. You can use the CAT.NET tool to identify all of these security flaws.
What is Code Analysis Tool for .NET (CAT.NET)?
CAT.NET is a static code analysis tool that helps you identify security flaws within managed code (C#, Visual Basic .NET, J#) applications. It scans each assembly of the application and then traces the data flow among the application's source code statements, methods, and assemblies. This includes indirect data flows such as property assignments and instance tainting operations. The engine works by reading the target assembly and all reference assemblies used in the application, module by module, and then analyzing all of the methods contained within each. It displays the issues it finds in a list that you can use to jump directly to the places in your application's source code where those issues were found. Lastly, you can export the analysis data to Excel.
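To make the source-to-sink tracing concrete, here is an added example (not the code snippet from the original post) of an ASP.NET Web Forms page written twice: a handler with three of the flaws listed above (SQL injection, XSS and file canonicalization) and a corrected handler beside it. The table name "Customers", its columns, the connection-string name "MainDb" and the export folder are assumptions made for the example.

```csharp
// Added example, not from the original post. One page, two handlers: the
// first carries the flaws CAT.NET reports, the second the corrected flows.
// "Customers", "MainDb" and "~/App_Data/exports/" are hypothetical.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.IO;
using System.Web;
using System.Web.UI;

public partial class CustomerLookup : Page
{
    // Taint source for every flow below: a query-string value, attacker controlled.
    private string Name { get { return Request.QueryString["name"] ?? string.Empty; } }
    private string File { get { return Request.QueryString["file"] ?? string.Empty; } }

    // ---- Vulnerable handler: each sink receives the tainted string unchanged ----
    private void HandleVulnerable()
    {
        // SQL injection: tainted data becomes part of the SQL text (sink: CommandText).
        string sql = "SELECT Id, Name FROM Customers WHERE Name = '" + Name + "'";
        using (var conn = new SqlConnection(ConnStr()))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            cmd.ExecuteReader().Close();
        }

        // Cross-site scripting: tainted data written straight into the response (sink: Response.Write).
        Response.Write("<p>Results for " + Name + "</p>");

        // File canonicalization: "..\" segments in File escape the export folder (sink: MapPath).
        string path = Server.MapPath("~/App_Data/exports/" + File);
        Response.Write(path);
    }

    // ---- Corrected handler: the taint is neutralized before each sink ----
    private void HandleSafe()
    {
        // Parameterized query: user data is bound as a value, never parsed as SQL.
        using (var conn = new SqlConnection(ConnStr()))
        using (var cmd = new SqlCommand("SELECT Id, Name FROM Customers WHERE Name = @name", conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = Name;
            conn.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                while (r.Read())
                {
                    // Data read back from the database is output-encoded as well.
                    Response.Write("<p>" + HttpUtility.HtmlEncode(r["Name"].ToString()) + "</p>");
                }
            }
        }

        // HTML-encode for the context the string is written into.
        Response.Write("<p>Results for " + HttpUtility.HtmlEncode(Name) + "</p>");

        // Drop any directory part, then confirm the canonical path is still inside the folder.
        string baseDir = Path.GetFullPath(Server.MapPath("~/App_Data/exports/"));
        string candidate = Path.GetFullPath(Path.Combine(baseDir, Path.GetFileName(File)));
        if (!candidate.StartsWith(baseDir, StringComparison.OrdinalIgnoreCase))
        {
            throw new UnauthorizedAccessException("Requested file is outside the export folder.");
        }
        Response.Write(HttpUtility.HtmlEncode(Path.GetFileName(candidate)));
    }

    private static string ConnStr()
    {
        return ConfigurationManager.ConnectionStrings["MainDb"].ConnectionString;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Only the corrected handler is wired up; HandleVulnerable stays in the
        // build so the analyzer has a complete source-to-sink flow to report on.
        HandleSafe();
    }
}
```

Build the site with both handlers present and run CAT.NET against it: the three flows in HandleVulnerable should each appear in the issue list with the query-string read as the source and the SqlCommand, Response.Write and MapPath calls as the sinks, while HandleSafe produces no finding because the taint is removed (parameter binding, HtmlEncode, GetFileName plus the canonical-path check) before the data reaches the sink.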
You can run CAT.NET as:
- A Visual Studio add-in
- From the command prompt
- As an FxCop rule
- Lastly, integrated into a VSTF Team Build as an MSBuild custom task (for more information on running CAT.NET as a custom MSBuild task, refer to my blog post here)
The above code snippet has all of these security flaws; you can use CAT.NET to identify them.
Steps to use CAT.NET:
- Launch Visual Studio
- Create a new website and copy and paste the above code snippet into it
- Build the application
- Launch CAT.NET by clicking CAT.NET Code Analysis on the Visual Studio Tools menu
- Click the Run button in the CAT.NET UI; it will analyze the application and show the issues as shown below
- Click an issue to navigate to the source code where it was found
- Finally, click the Generate Excel Report button in CAT.NET to generate an Excel report as shown below
- Publish the report and log bugs
You can refer to more articles on CAT.NET here.
-Syed Aslam Basha (email@example.com)
Microsoft Information Security Tools (IST) Team
Please leave a comment if the blog post has helped you.