
Sep 2, 2008 09:45 GMT

However well Internet Explorer 8's built-in XSS Filter will shield users by default against reflected cross-site scripting, the browser alone cannot guarantee end users' security against exploits of the most widespread class of security holes in web applications. Client-side filtering only intercepts the reflected variety, and only in that one browser; the flaws themselves still have to be found and fixed in the application's code.

This is why Microsoft is offering the XSS Detect Beta Code Analysis Tool as a free download. The tool is a Visual Studio add-in that lets developers find XSS vulnerabilities in .NET code through static analysis. The add-in has been available for download since 2007, but Anil Kumar Venkata Revuru, senior software development engineer for the Connected Information Security Group, highlighted the tool as an automated way to detect cross-site scripting security flaws.

"Being the most common vulnerability found in web applications, it is very important to detect and mitigate XSS vulnerabilities early in the development cycle. Arming developers with the right tools to develop application security is a big problem in every enterprise. Here at Microsoft, we have developed a static analysis tool specifically aimed at developers to detect cross-site scripting," Revuru stated.

The tool's one notable limitation is that, at this point, it is available only for Visual Studio 2005 and not for Visual Studio 2008. Revuru said Microsoft was working on a version of XSSDetect for Visual Studio 2008, but gave no release date.

"XSSDetect is a stripped-down version of the Code Analysis Tool for .NET used by the ACE team to help find security vulnerabilities in software applications. It has been made available for free on Microsoft downloads. XSSDetect comes as a Visual Studio Add-in that can identify non-persistent XSS vulnerabilities in ASP.NET web applications. XSSDetect is a type of static analysis tool, which uses Microsoft CCI libraries for analysis. CCI libraries are the same libraries used by FxCop. XSSDetect is a bit more than an FxCop plugin, as XSSDetect uses interprocedural analysis to detect XSS vulnerabilities," Revuru added.
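
The interprocedural taint tracking Revuru describes, following untrusted input across method boundaries until it reaches an HTML output sink, as an added example that is not XSSDetect's or Microsoft's code: a toy analyser over a hypothetical mini-IR standing in for ASP.NET, with Request.* reads as sources, Response.Write as the sink and HttpUtility.HtmlEncode as the sanitizer. The method names and the four sample pages are constructed for the example. The analyser's intraprocedural mode treats every call as an opaque box, which is the difference the quote draws between XSSDetect and a plain FxCop rule.

```python
# Toy interprocedural taint analysis for reflected XSS, in the spirit of XSSDetect. Added example,
# not Microsoft's code: the mini-IR, method names and sample pages are hypothetical ASP.NET stand-ins.
from typing import Dict, List, Set, Tuple
# Expressions: ("source", label) | ("var", name) | ("const", text) | ("encode", e)
#              ("concat", e1, e2) | ("call", method, [args])
# Statements:  ("assign", dst, expr) | ("invoke", expr) | ("sink", expr, label) | ("return", expr)
PARAM = "$param:"   # placeholder taint standing for a callee's i-th parameter


class TaintAnalyzer:
    def __init__(self, program: Dict[str, dict], interprocedural: bool = True):
        self.program, self.interprocedural = program, interprocedural
        self.memo = {}  # method -> (return taint, sink hits), computed once per method

    @staticmethod
    def _bind(taints: Set[str], args: List[Set[str]]) -> Set[str]:
        """Replace a callee's parameter placeholders with the caller's argument taint."""
        out = {t for t in taints if not t.startswith(PARAM)}
        for t in taints - out:
            idx = int(t[len(PARAM):])
            out |= args[idx] if idx < len(args) else set()
        return out

    def _eval(self, expr, env, stack, hits) -> Set[str]:
        """Set of untrusted sources that can reach the value of expr."""
        kind = expr[0]
        if kind == "source":
            return {expr[1]}
        if kind == "var":
            return set(env.get(expr[1], ()))
        if kind in ("const", "encode"):   # literal, or HtmlEncode'd: safe in HTML body context
            return set()
        if kind == "concat":
            return self._eval(expr[1], env, stack, hits) | self._eval(expr[2], env, stack, hits)
        if kind == "call":
            args = [self._eval(a, env, stack, hits) for a in expr[2]]
            if not self.interprocedural:  # FxCop-style: the callee is an opaque black box
                return set()
            ret, callee_hits = self._summarize(expr[1], stack)
            for method, label, taints in callee_hits:   # sinks inside the callee, seen from here
                bound = self._bind(taints, args)
                if bound:
                    hits.append((method, label, bound))
            return self._bind(ret, args)
        raise ValueError(f"unknown expression {expr!r}")

    def _run(self, method, env, stack):
        """Abstractly execute one method body; return (return taint, [(method, sink, taint)])."""
        ret, hits = set(), []
        for stmt in self.program[method]["body"]:
            op = stmt[0]
            if op == "assign":
                env[stmt[1]] = self._eval(stmt[2], env, stack, hits)
            elif op == "invoke":
                self._eval(stmt[1], env, stack, hits)
            elif op == "sink":
                hits.append((method, stmt[2], self._eval(stmt[1], env, stack, hits)))
            elif op == "return":
                ret |= self._eval(stmt[1], env, stack, hits)
        return ret, hits

    def _summarize(self, method, stack):
        """Analyse a callee once with placeholder taint on its parameters; memoise the summary."""
        if method in self.memo:
            return self.memo[method]
        if method in stack:   # recursion: assume no flow so the toy terminates (unsound)
            return set(), []
        env = {p: {PARAM + str(i)} for i, p in enumerate(self.program[method]["params"])}
        self.memo[method] = self._run(method, env, stack + (method,))
        return self.memo[method]

    def find_xss(self, entry_points) -> List[Tuple[str, str, str]]:
        """Sorted (method, sink, source) triples where untrusted input reaches an HTML sink."""
        results = set()
        for entry in entry_points:
            for method, label, taints in self._run(entry, {}, (entry,))[1]:
                results.update((method, label, s) for s in taints if not s.startswith(PARAM))
        return sorted(results)

# Constructed sample: four ASP.NET-style handlers and two helpers (hypothetical, not real pages).
SAMPLE = {
    "Direct.Page_Load": {"params": [], "body": [        # source written straight to the sink
        ("sink", ("source", 'Request.QueryString["msg"]'), "Response.Write")]},
    "Greeting.Page_Load": {"params": [], "body": [      # taint comes back through a helper's return
        ("assign", "name", ("source", 'Request.QueryString["name"]')),
        ("assign", "html", ("call", "Helpers.Bold", [("var", "name")])),
        ("sink", ("var", "html"), "Response.Write")]},
    "SafeGreeting.Page_Load": {"params": [], "body": [  # same flow, HtmlEncode'd before the helper
        ("assign", "name", ("source", 'Request.QueryString["name"]')),
        ("assign", "html", ("call", "Helpers.Bold", [("encode", ("var", "name"))])),
        ("sink", ("var", "html"), "Response.Write")]},
    "Echo.Page_Load": {"params": [], "body": [          # the sink lives inside the callee
        ("assign", "q", ("source", 'Request.Form["q"]')),
        ("invoke", ("call", "Helpers.Echo", [("var", "q")]))]},
    "Helpers.Bold": {"params": ["text"], "body": [
        ("return", ("concat", ("const", "<b>"), ("concat", ("var", "text"), ("const", "</b>"))))]},
    "Helpers.Echo": {"params": ["value"], "body": [
        ("sink", ("var", "value"), "Response.Write")]},
}
ENTRY_POINTS = [m for m in SAMPLE if m.endswith(".Page_Load")]
```

Running `TaintAnalyzer(SAMPLE, interprocedural=False).find_xss(ENTRY_POINTS)` reports only the Direct page, because the helper's return value and the sink inside Helpers.Echo are invisible once calls are opaque; `TaintAnalyzer(SAMPLE).find_xss(ENTRY_POINTS)` reports Direct, Greeting and the Helpers.Echo sink as reached from Echo.Page_Load, and nothing for SafeGreeting because HtmlEncode cuts the flow. The toy has no branches, fields or heap, treats recursion as non-flowing, and models HtmlEncode as a universal sanitizer even though it is only correct for HTML body context; output into an attribute, URL or script block needs the matching encoder, and a real tool tracks that per sink.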

The XSS Detect Beta Code Analysis Tool is available for download here.