A bunch of (ASP.NET) security tools got released over the weekend – highly recommended!
CAT.NET V1 CTP
“CAT.NET is a snap-in to the Visual Studio IDE that helps you identify security flaws within a managed code (C#, Visual Basic .NET, J#) application you are developing. It does so by scanning the binary and/or assembly of the application, and tracing the data flow among its statements, methods, and assemblies. This includes indirect data types such as property assignments and instance tainting operations. The engine works by reading the target assembly and all reference assemblies used in the application — module-by-module — and then analyzing all of the methods contained within each. It finally displays the issues its finds in a list that you can use to jump directly to the places in your application’s source code where those issues were found. The following rules are currently support by this version of the tool. – Cross Site Scripting – SQL Injection – Process Command Injection – File Canonicalization – Exception Information – LDAP Injection – XPATH Injection – Redirection to User Controlled Site.”
AntiXSS 3.0 Beta
“The Microsoft Anti-Cross Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique — sometimes referred to as the principle of inclusions — to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and encodes anything outside this set (invalid characters or potential attacks). The white-listing approach provides several advantages over other encoding schemes. New features in this version of the Microsoft Anti-Cross Site Scripting Library include: – An expanded white list that supports more languages – Performance improvements – Performance data sheets (in the online help) – Support for Shift_JIS encoding for mobile browsers – A sample application – Security Runtime Engine (SRE) HTTP module.”
“AntiCSRF makes it easier for ASP.NET developers to guard themselves against Cross Site Request Forgery. You’ll no longer have to manually add and check protection tokens to protected yourself against CSRF attacks.”