Share via


Anti-XSS 3.0 Beta and CAT.NET Community Technology Preview now Live!

Mark Curphey here.....

I am delighted to say that we have released two new free tools.

CAT.NET - Community Technology Preview

CAT.NET is a managed code static analysis tool for finding security vulnerabilities. It's exactly the same tool we use internally to scan all of our Line of Business (LOB) applications; it runs as a Visual Studio plug-in or as a stand-alone application. It was engineered by this group (CISG) and has been designed in partnership with the ACE Team and Microsoft Research. The ACE Team do thousands of code reviews for the internal line of business applications and for our external customers and have provided a wealth of real world knowledge and experience to the tool over the years. We will be posting several deep dive blogs this week on the inner workings of call graph and flow graph analysis and the algorithms behind CAT.NET from MSR. It is a technology preview; we appreciate that there are some performance and functionality limitations that we will be working on over time but we are already deep in discussion about the future design of CAT.NET and it's looking potentially very compelling!

You can download the current CTP builds from MSDN (32 bit here and 64 bit here) submit bugs and feedback to our Connect site (see post later this week for details).

Anti-XSS 3.0 - Beta

Cross Site Scripting (XSS) continues to plague web sites and among others things has become known as a common attack vector for Phishing attacks to distribute payloads to unsuspecting users.

With this release we have taken a fresh look at how to provide protection to ASP.NET applications. As well as significantly better coverage for internationalisation in the core library and significantly improved performance, we are now are now shipping with the Security Runtime Engine (SRE), a .NET CLR plug-in that overrides default encoding's to render sites safe from XSS with zero code changes. While the SRE can not be used in every circumstance and cannot prevent every type of XSS, we believe it will provide great coverage in a wide variety of situations and forms another important layer in a defence in depth strategy. In testing on our own applications in Microsoft IT we have typically seen the ability to fix between 50% and 90% of XSS issues in an application out of the box with no code changes needed.  We are experimenting with preventing other attacks beyond XSS and expect to extend coverage in future releases.

With this release we are also shipping with a performance test harness so you can test your own applications in pre-production and a copy of our own performance results conducted by the ACE Team as well as a sample application that you can use to demonstrate the attack and how to fix it to your development teams. Another significant change is that Anti-XSS 3.0 is now being released as an open source tool using the MS-PL license at Codeplex.

You can download the current beta binaries from MSDN here and source code from CodePlex here. For Anti-XSS you can submit bugs and feedback directly to our CodePlex site here.

Look for detailed posts about both Anti-XSS and CAT.NET on this blog this week and updates about these and related technologies on this blog.

Subscribe via RSS here.

Happy Holidays!

 

Mark

Comments

  • Anonymous
    December 14, 2008
    PingBack from http://securitybuddha.com/2008/12/15/catnet-and-anti-xss-30-released-for-free/
  • Anonymous
    December 15, 2008
    Continuing our work to share the tools and techniques we use internally to maintain a secure application
  • Anonymous
    December 15, 2008
    It seems that the download links no longer workArnon
  • Anonymous
    December 16, 2008
    Being fixed now Aaron. ETA a few hours. Sorry.
  • Anonymous
    December 16, 2008
    Does this new release of CAT.NET preclude the use of the ACE Team's XSSDetect?
  • Anonymous
    December 16, 2008
    Links are still broken.  Please update the page once the download links are fixed.Thanks
  • Anonymous
    December 16, 2008
    We estimate 5pm PST.
  • Anonymous
    December 17, 2008
    Any chance you have some documentation for the config.xml file in CAT.Net. The help file doesn't have examples of the structure of the config.xmlThanksRich
  • Anonymous
    December 21, 2008
    Hi Andreas Fuchsberger here … To coincide with the CTP release of CAT.NET and Anti-XSS , within
  • Anonymous
    December 23, 2008
    I am getting an 'OutOfMemoryException' from CAT.NET when executing against a Solution with 72 projects.
  • Anonymous
    December 30, 2008
    The Microsoft Anti-Cross Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed
  • Anonymous
    January 03, 2009
    We have released Anti-XSS 3.0 library with SRE (Security Run-Time Engine) on CodePlex and CAT.NET a free
  • Anonymous
    January 23, 2009
    Where is the connect site?Multiprocessor/Multithreading this application is necessary in addition to addressing the memory issues.  My system pegs at 50% utilization while CAT.NET is running because it isn't taking advantage of the second core.
  • Anonymous
    February 11, 2009
    Eh.  I just ran it against a website project that wasn't html-encoding view data; analysis gave me no warnings.  I think it maybe isn't analyzing aspx files, just the bin directory contents.  My analysis of CAT.NET:  Fail.
  • Anonymous
    February 14, 2009
    The comment has been removed
  • Anonymous
    February 18, 2009
    Came across Connected Information Security Group's Blog. There are 2 new tools to help diagnose code
  • Anonymous
    March 05, 2009
    I see another request above for documentation on config.xml.  Any chance that might be made available?  
  • Anonymous
    March 05, 2009
    FYI, here's what apparently the format should be.  Not as flexible as fxcop xml:<CATNetConfig version="1">   <ConfigRoot></ConfigRoot>   <DataFlowGraphFile></DataFlowGraphFile>   <Profile></Profile>   <ReportFile></ReportFile>   <ReportXslFile></ReportXslFile>   <ReportXslOutputFile></ReportXslOutputFile>   <RulesDirectory></RulesDirectory>   <RulesXmlFile></RulesXmlFile></CATNetConfig>
  • Anonymous
    March 17, 2009
    Our mission in Information Security is to enable secure &amp; reliable business . In going about our