New from the ACE Team: XSS Detect

The ACE Team (Application Consulting and Engineering) has released a beta version of their tool to scan managed code and detect potential cross-site scripting (XSS) vulnerabilities. XSSDetect runs as a Visual Studio plug-in.

From their blog:

One of the biggest, constant problems we’ve seen our enterprise customers deal with, and we here at Microsoft have to also contend with, is that of the XSS (Cross Site Scripting) bug. It’s very common and, unfortunately, still an issue we have to deal with in many web applications. Internally, the ACE Team has been working on several projects to help mitigate and fix these issues, as well as detect them in the code bases that we review so that they can be fixed before going live.

They also have a follow-up post that discusses using XSSDetect to scan large applications. For very large applications, you may run into an “out of memory” error. Besides bigger and badder hardware, the suggestion is to analyze the binaries in smaller chunks rather than the whole application at once.