ACE Team releases XSSDetect BETA

Yow-Hann Lee — Wed, 21 Nov 2007 07:43:12 GMT

XSSDetect can be downloaded at: http://www.microsoft.com/downloads/details.aspx?FamilyID=19a9e348-bdb9-45b3-a1b7-44ccdcb7cfbe&displaylang=en

A couple of findings so far:

1. Do not try this when you're opening large solutions or are low on memory. If you do have a large solution with countless project files, you can remove the non-web projects from the targets list. However, this still does not resolve the issue and Visual Studio will consistently crash when XSSDetect attempts to analyze.
Amount of available memory: x
Amount of memory required: x

2. To test out the accuracy of their code analysis, I removed some untrusted input handling. For querystring input, you then come across tips to "Use the Anti-XSS library to properly encode the data before rendering it". No, this is not a complete plug that you MUST download and use Microsoft's Anti-Cross Site Scripting Library V1.5. In this particular case, you can re-add Server.HtmlEncode via HttpUtility to achieve the same effect and remove these types of high confidence level errors. Note that the implementations of AntiXSS is just a touch different.

This tool definitely shows potential; unfortunately, you only get 60 days to play around with it as it has a short expiration date.

Security

ACE Team releases XSSDetect BETA