touchmm

AntiXSS 4.0

Microsoft Anti-Cross Site Scripting Library V4.0

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=f4cd231b-7e06-445b-bec7-343e5884e651

AntiXSS 4.0 helps you to protect your applications from cross-site scripting attacks

The Microsoft Anti-Cross Site Scripting Library V4.0 (AntiXSS V4.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique -- sometimes referred to as the principle of inclusions -- to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and then encoding anything outside this set (invalid characters or potential attacks). The white-listing approach provides several advantages over other encoding schemes.

New features in this version of the Microsoft Anti-Cross Site Scripting Library include:

- A customizable safe list for HTML and XML encoding
- Performance improvements
- Support for Medium Trust ASP.NET applications
- HTML Named Entity Support
- Invalid Unicode detection
- Improved Surrogate Character Support for HTML and XML encoding
- LDAP Encoding Improvements
- application/x-www-form-urlencoded encoding support

Microsoft Web Protection Library (WPL)

http://wpl.codeplex.com/

The Microsoft Web Protection Library (WPL) is a set of .NET assemblies which will help you protect your web sites, current, future and past. The WPL includes

AntiXSS

AntiXSS provides a myriad of encoding functions for user input, including HTML, HTML attributes, XML, CSS and JavaScript.

White Lists: AntiXSS differs from the standard .NET framework encoding by using a white list approach. All characters not on the white list will be encoded using the correct rules for the encoding type. Whilst this comes at a performance cost, AntiXSS has been written with performance in mind.

Secure Globalization: The web is a global market place, and cross-site scripting is a global issue. An attack can be coded anywhere, and Anti-XSS now protects against XSS attacks coded in dozens of languages.
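The white-list encoding described above, as an added sketch (not AntiXSS source and not part of the original post): a fixed safe set is defined, every other character becomes a numeric character reference, and the result is compared with a deny-list encoder. The safe set, the function names and the sample string are assumptions made for illustration.

```python
import html

# Assumed safe list for this sketch; AntiXSS's own safe list is larger and,
# as of V4.0, customizable. Space is deliberately left out so the output is
# also inert inside an unquoted attribute value.
SAFE = frozenset(
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789.,-_"
)

def allowlist_html_encode(text, safe=SAFE):
    """Keep characters in `safe`; encode everything else as &#NNN;."""
    out = []
    for ch in text:
        cp = ord(ch)
        if 0xD800 <= cp <= 0xDFFF:
            # A lone surrogate is not a valid Unicode scalar value: reject it
            # instead of passing it through to the browser.
            raise ValueError(f"invalid Unicode: lone surrogate U+{cp:04X}")
        out.append(ch if ch in safe else f"&#{cp};")
    return "".join(out)

def denylist_html_encode(text):
    """Deny-list style: replaces only & < > and the two quote characters."""
    return html.escape(text, quote=True)

# Constructed sample input, as it might arrive in a form field that the page
# later writes into an unquoted attribute: <input value=...>
SAMPLE = "x onmouseover=alert(1)"

if __name__ == "__main__":
    # The deny-list encoder finds nothing to replace, so the space and '='
    # survive and the browser would see a second attribute.
    print("deny-list :", denylist_html_encode(SAMPLE))
    # The allow-list encoder neutralises the space, '=', '(' and ')'.
    print("allow-list:", allowlist_html_encode(SAMPLE))
    # Non-ASCII text is encoded by code point, including characters outside
    # the Basic Multilingual Plane.
    print("non-ASCII :", allowlist_html_encode("caf\u00e9 \U0001F600"))
```
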

Security Runtime Engine

The Security Runtime Engine (SRE) provides a wrapper around your existing web sites, ensuring that common attack vectors do not make it to your application. Protection is provided as standard for:

Cross Site Scripting

SQL Injection

As with all web security the WPL is part of a defense in depth strategy, adding an extra layer to any validation or secure coding practices you have already adopted.

A Solid Foundation for Developers

No matter your development experience level, the documentation, example code, unit tests, and calling schemes make it easy for you to know how to protect your applications from XSS attacks. Additionally, a performance data sheet helps you plan your secure deployment with full knowledge of how AntiXSS will likely perform in your environment.

Microsoft Web Application Configuration Analyzer v1.0

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=60585590-57df-4fc1-8f0c-05a286059406

Web Application Configuration Analyzer (WACA) analyzes server configuration for security best practices related to General Windows, IIS, ASP.NET and SQL Server settings.

Web Application Configuration Analyzer (WACA) is a tool that scans a server against a set of best practices recommended for pre-production servers. It can also be used by developers to ensure that their codebase works within a secure / hardened environment (although many of the checks are not as applicable for developers). The list of best practices is derived from the Microsoft Information Security & Risk Management Deployment Review Standards used internally at Microsoft to harden production and pre-production environments for line of business applications. The Deployment Review standards themselves were derived from content released by Microsoft Patterns & Practices, in particular: Improving Web Application Security: Threats and Countermeasures available at: http://msdn.microsoft.com/en-us/library/ms994921.aspx.

Here are some features of the tool:

Scan a server using more than 140 rules

Generate HTML based reports

Compare multiple scan results

Export results to Excel

Export results to Team Foundation Server

SDL Regex Fuzzer

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=8737519C-52D3-4291-9034-CAA71855451F

SDL Regex Fuzzer is a tool to help test regular expressions for potential denial of service vulnerabilities

Regular expression patterns containing certain clauses that execute in exponential time (for example, grouping clauses containing repetition that are themselves repeated) can be exploited by attackers to cause a denial-of-service (DoS) condition. SDL Regex Fuzzer is a tool to help test regular expressions for these potential vulnerabilities.
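A static check for the pattern shape named above (a repeated group that itself contains repetition), as an added example; it is not SDL Regex Fuzzer, which tests expressions rather than inspecting them, and it is not from the original post. It relies on CPython's internal regex parser and Python regex syntax, and the function names are assumptions.

```python
try:
    from re import _parser as sre_parse   # CPython 3.11+
except ImportError:
    import sre_parse                      # CPython 3.10 and earlier

UNBOUNDED = sre_parse.MAXREPEAT
REPEAT_OPS = (sre_parse.MAX_REPEAT, sre_parse.MIN_REPEAT)

def _subpatterns(av):
    """Yield every nested SubPattern found inside a parse-tree argument."""
    if isinstance(av, sre_parse.SubPattern):
        yield av
    elif isinstance(av, (tuple, list)):
        for item in av:
            yield from _subpatterns(item)

def _nested(sub, inside_unbounded):
    """Walk the parse tree, tracking whether we are under a *, + or {n,}."""
    for op, av in sub.data:
        # For repeat nodes av is (min, max, body); max == MAXREPEAT means
        # the quantifier has no upper bound.
        unbounded = op in REPEAT_OPS and av[1] == UNBOUNDED
        if unbounded and inside_unbounded:
            return True
        for child in _subpatterns(av):
            if _nested(child, inside_unbounded or unbounded):
                return True
    return False

def has_nested_unbounded_repeat(pattern):
    """True if an unbounded quantifier is applied to a group that itself
    contains an unbounded quantifier, e.g. (a+)+ or ([a-z]+)*."""
    return _nested(sre_parse.parse(pattern), False)

# Constructed sample patterns of the kind found in input validators.
SAMPLES = [
    r"^(a+)+$",                      # repeated group containing repetition
    r"^([a-zA-Z0-9]+)*$",            # same shape with a character class
    r"^[a-z]+@[a-z]+\.[a-z]+$",      # sequential repeats only
    r"^(\d{1,3}\.){3}\d{1,3}$",      # every quantifier is bounded
]

if __name__ == "__main__":
    for p in SAMPLES:
        verdict = "REVIEW" if has_nested_unbounded_repeat(p) else "ok"
        print(f"{verdict:6} {p}")
```

A flagged pattern is a candidate for review rather than a confirmed problem, since some nested repeats are unambiguous and run in linear time. Overlapping alternations such as `(a|aa)+` are not covered by this check.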

CAT .NET

http://www.microsoft.com/downloads/en/details.aspx?FamilyId=0178e2ef-9da8-445e-9348-c93f24cc9f9d&displaylang=en

http://blogs.msdn.com/b/securitytools/archive/2010/02/04/cat-net-2-0-beta.aspx

CAT.NET is a binary code analysis tool that helps identify common variants of certain prevailing vulnerabilities that can give rise to common attack vectors such as Cross-Site Scripting (XSS), SQL Injection and XPath Injection.

CAT.NET is a snap-in to the Visual Studio IDE that helps you identify security flaws within a managed code (C#, Visual Basic .NET, J#) application you are developing. It does so by scanning the binary and/or assembly of the application, and tracing the data flow among its statements, methods, and assemblies. This includes indirect data types such as property assignments and instance tainting operations. The engine works by reading the target assembly and all reference assemblies used in the application -- module-by-module -- and then analyzing all of the methods contained within each. It finally displays the issues it finds in a list that you can use to jump directly to the places in your application's source code where those issues were found.

The following rules are currently supported by this version of the tool:

- Cross Site Scripting
- SQL Injection
- Process Command Injection
- File Canonicalization
- Exception Information
- LDAP Injection
- XPATH Injection
- Redirection to User Controlled Site

SDL Threat Modeling Tool

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=A48CCCB1-814B-47B6-9D17-1E273F65AE19

http://www.microsoft.com/security/sdl/adopt/threatmodeling.aspx

The Microsoft SDL Threat Modeling Tool allows for early and structured analysis and proactive mitigation and tracking of potential security issues

The SDL Threat Modeling Tool helps engineers analyze the security of their systems to find and address design issues early in the software lifecycle.

The SDL Threat Modeling Tool version 3.1.6 Beta supports Visio 2010. Additional improvements in this version include UI improvements and bug fixes from the previous 3.1 release. Threat models created by version 3.1 are compatible with version 3.1.6, but backwards compatibility (version 3.1.6 to version 3.1) is not supported.

MiniFuzz File Fuzzer

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=B2307CA4-638F-4641-9946-DC0A5ABE8513

MiniFuzz is a very simple fuzzer designed to ease adoption of fuzz testing by non-security people who are unfamiliar with file fuzzing tools or have never used them in their current software development processes.

MiniFuzz is a basic testing tool designed to help detect code flaws that may expose security vulnerabilities in file-handling code. This tool creates multiple random variations of file content and feeds it to the application to exercise the code in an attempt to expose unexpected and potentially insecure application behaviors.
