Microsoft XSSDetect Tool

Microsoft has just released a public beta of their XSSDetect tool.  Very interesting stuff.  The tool itself is a Visual Studio plugin that performs some code analysis to look for cross site scripting issues.  This should be extremely useful given how prevalent XSS vulnerabilities are these days.  Here at Denim Group we will be taking a look at this and probably rolling it into our standard build toolset as long as it doesn’t cause too much trouble.

Combining this with the built-in ASP.NET platform protections against XSS will hopefully help to stamp out run-of-the-mill XSS on the .NET platform.  Nothing is going to be a 100% automatic solution, but when you compare where .NET is to out-of-the-box PHP or JEE, the .NET folks have done a much better job of addressing this issue.

What may be more interesting is that the XSSDetect tool is part of a larger toolset called the Code Analysis Tool for .NET.  Is Microsoft going to be bundling FXCop, XSSDetect with some other capabilities in order to build up a competitor for the likes of current commercial tools like Fortify’s Source Code Analyzer?

dan _at_

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
More Posts by Dan Cornell

Leave a Reply

Your email address will not be published. Required fields are marked *