Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.
The ACE Team (Application Consulting and Engineering) has released a beta version of their tool to scan managed code and detect potential cross-site scripting (XSS) vulnerabilities. XSSDetect runs as a Visual Studio plug-in.
From their blog:
One of the biggest, constant problems we've seen our enterprise customers deal with and we here at Microsoft have to also contend with is that of the XSS (Cross Site Scripting) bug. It's very common and unfortunately, still an issue we have to deal with in many web applications. Internally, the ACE Team has been working on several projects to help mitigate and fix these issues, as well as detect them in the code bases that we review so that they can be fixed before going live.
They also have a follow-up post which discusses using XSSDetect to scan large applications. For very large applications, you may run into an "out of memory" error. Besides bigger and badder hardware, the suggestion is to analyze binaries in smaller chunks.