.NET安全工具

AntiXSS 4.0

Microsoft Anti-Cross Site Scripting Library V4.0

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=f4cd231b-7e06-445b-bec7-343e5884e651

AntiXSS 4.0 helps you to protect your applications from cross-site scripting attacks

The Microsoft Anti-Cross Site Scripting Library V4.0 (AntiXSS V4.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique -- sometimes referred to as the principle of inclusions -- to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and encodes anything outside this set (invalid characters or potential attacks). The white-listing approach provides several advantages over other encoding schemes. New features in this version of the Microsoft Anti-Cross Site Scripting Library include:- A customizable safe list for HTML and XML encoding- Performance improvements- Support for Medium Trust ASP.NET applications- HTML Named Entity Support- Invalid Unicode detection- Improved Surrogate Character Support for HTML and XML encoding- LDAP Encoding Improvements- application/x-www-form-urlencoded encoding support

Microsoft Web Protection Library (WPL)

http://wpl.codeplex.com/

The Microsoft Web Protection Library (WPL) is a set of .NET assemblies which will help you protect your web sites, current, future and past. The WPL includes

AntiXSS

AntiXSS provides a myriad of encoding functions for user input, including HTML, HTML attributes, XML, CSS and JavaScript.

White Lists: AntiXSS differs from the standard .NET framework encoding by using a white list approach. All characters not on the white list will be encoded using the correct rules for the encoding type. Whilst this comes at a performance cost AntiXSS has been written with performance in mind.

Secure Globalization: The web is a global market place, and cross-site scripting is a global issue. An attack can be coded anywhere, and Anti-XSS now protects against XSS attacks coded in dozens of languages.

Security Runtime Engine

The Security Runtime Engine (SRE) provides a wrapper around your existing web sites, ensuring that common attack vectors to not make it to your application. Protection is provided as standard for

Cross Site Scripting

SQL Injection

As with all web security the WPL is part of a defense in depth strategy, adding an extra layer to any validation or secure coding practices you have already adopted.

A Solid Foundation for Developers

No matter your development experience level, the documentation, example code, unit tests, and calling schemes make it easy for you to know how to protect your applications from XSS attacks. Additionally, a performance data sheet helps you plan your secure deployment with full knowledge of how AntiXSS will likely perform in your environment.

Microsoft Web Application Configuration Analyzer v1.0

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=60585590-57df-4fc1-8f0c-05a286059406

Web Application Configuration Analyzer (WACA) analyzes server configuration for security best practices related to General Windows, IIS , ASP.NET and SQL Server settings.

Web Application Configuration Analyzer (WACA) is a tool that scans a server against a set of best practices recommended for pre-production servers. It can also be used by developers to ensure that their codebase works within a secure / hardened environment (although many of the checks are not as applicable for developers). The list of best practices is derived from the Microsoft Information Security & Risk Management Deployment Review Standards used internally at Microsoft to harden production and pre-production environments for line of business applications. The Deployment Review standards themselves were derived from content released by Microsoft Patterns & Practices, in particular: Improving Web Application Security: Threats and Countermeasures available at: http://msdn.microsoft.com/en-us/library/ms994921.aspx.

Here are some features of the tool:

Scan a server using more than 140 rules

Generate HTML based reports

Compare multiple scan results

Export results to Excel

Export results to Team Foundation Server

SDL Regex Fuzzer

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=8737519C-52D3-4291-9034-CAA71855451F

SDL Regex Fuzzer is a tool to help test regular expressions for potential denial of service vulnerabilities

Regular expression patterns containing certain clauses that execute in exponential time (for example, grouping clauses containing repetition that are themselves repeated) can be exploited by attackers to cause a denial-of-service (DoS) condition. SDL Regex Fuzzer is a tool to help test regular expressions for these potential vulnerabilities.

CAT .NET

http://www.microsoft.com/downloads/en/details.aspx?FamilyId=0178e2ef-9da8-445e-9348-c93f24cc9f9d&displaylang=en

http://blogs.msdn.com/b/securitytools/archive/2010/02/04/cat-net-2-0-beta.aspx

CAT.NET is a binary code analysis tool that helps identify common variants of certain prevailing vulnerabilities that can give rise to common attack vectors such as Cross-Site Scripting (XSS), SQL Injection and XPath Injection.

CAT.NET is a snap-in to the Visual Studio IDE that helps you identify security flaws within a managed code (C#, Visual Basic .NET, J#) application you are developing. It does so by scanning the binary and/or assembly of the application, and tracing the data flow among its statements, methods, and assemblies. This includes indirect data types such as property assignments and instance tainting operations. The engine works by reading the target assembly and all reference assemblies used in the application -- module-by-module -- and then analyzing all of the methods contained within each. It finally displays the issues its finds in a list that you can use to jump directly to the places in your application's source code where those issues were found. The following rules are currently support by this version of the tool.- Cross Site Scripting- SQL Injection- Process Command Injection- File Canonicalization- Exception Information- LDAP Injection- XPATH Injection- Redirection to User Controlled Site

SDL Threat Modeling Tool

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=A48CCCB1-814B-47B6-9D17-1E273F65AE19

http://www.microsoft.com/security/sdl/adopt/threatmodeling.aspx

The Microsoft SDL Threat Modeling Tool allows for early and structured analysis and proactive mitigation and tracking of potential security issues

The SDL Threat Modeling Tool helps engineers analyze the security of their systems to find and address design issues early in the software lifecycle.

The SDL Threat Modeling Tool version 3.1.6 Beta supports Visio 2010. Additional improvements in this version include UI improvements and bug fixes from the previous 3.1 release. Threat models creates by version 3.1. are compatible with version 3.1.6, but backwards compatibility (version 3.1.6 to version 3.1.) is not supported

MiniFuzz File Fuzzer

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=B2307CA4-638F-4641-9946-DC0A5ABE8513

MiniFuzz is a very simple fuzzer designed to ease adoption of fuzz testing by non-security people who are unfamiliar with file fuzzing tools or have never used them in their current software development processes.

MiniFuzz is a basic testing tool designed to help detect code flaws that may expose security vulnerabilities in file-handling code. This tool creates multiple random variations of file content and feeds it to the application to exercise the code in an attempt to expose unexpected and potentially insecure application behaviors.