Microsoft has just released a public beta of their XSSDetect tool. Very interesting stuff. The tool itself is a Visual Studio plugin that performs some code analysis to look for cross-site scripting issues. This should be extremely useful given how prevalent XSS vulnerabilities are these days. Here at Denim Group we will be taking a look at this and probably rolling it into our standard build toolset as long as it doesn’t cause too much trouble.
Combining this with the built-in ASP.NET platform protections against XSS will hopefully help to stamp out run-of-the-mill XSS on the .NET platform. Nothing is going to be a 100% automatic solution, but when you compare where .NET is to out-of-the-box PHP or JEE, the .NET folks have done a much better job of addressing this issue.
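As an added illustration (not code from the post, and not Microsoft's own), here is the kind of ASP.NET Web Forms code-behind where a static checker like XSSDetect would flag untrusted input flowing into the response, shown alongside the output-encoded form that the platform's own `Server.HtmlEncode` / `HttpUtility` helpers make easy. The page class name, the `lblGreeting` control (assumed to be declared as an `<asp:Label>` in the markup) and the `name` query parameter are assumptions for the example.

```csharp
// Added example: reflecting a query-string value in an ASP.NET Web Forms page.
// Assumes an <asp:Label ID="lblGreeting" runat="server" /> in Greeting.aspx.
using System;
using System.Web;
using System.Web.UI;

public partial class Greeting : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Untrusted input: anything in the query string is attacker-controlled.
        string name = Request.QueryString["name"] ?? "guest";

        // Vulnerable pattern (left commented out) that a source/sink analysis
        // such as XSSDetect is designed to report: the raw value reaches
        // Response.Write without any encoding.
        // Response.Write("<p>Hello, " + name + "</p>");

        // Hardened: encode at the HTML-body sink so the value is rendered as
        // text regardless of what characters the request contained.
        Response.Write("<p>Hello, " + Server.HtmlEncode(name) + "</p>");

        // Label.Text is written to the page verbatim, so it is a sink too and
        // needs the same treatment.
        lblGreeting.Text = HttpUtility.HtmlEncode(name);

        // Encode for the context you are writing into: an attribute value
        // needs attribute encoding, not just body encoding.
        Response.Write("<a href=\"/profile\" title=\""
                       + HttpUtility.HtmlAttributeEncode(name)
                       + "\">Profile</a>");
    }
}
```

The other built-in protection worth keeping on is request validation (`validateRequest`, enabled by default since ASP.NET 1.1), which rejects requests containing obviously dangerous markup before the page runs; it is a coarse filter rather than a substitute for encoding at each output sink, which is why a code-analysis tool that follows data from `Request` to `Response` still adds value.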
What may be more interesting is that the XSSDetect tool is part of a larger toolset called the Code Analysis Tool for .NET. Is Microsoft going to be bundling FxCop and XSSDetect with some other capabilities in order to build up a competitor for the likes of current commercial tools like Fortify’s Source Code Analyzer?
dan _at_ denimgroup.com