Source Code Analyzer for SQL Injection - XSS Equivalent to combat Cross-Site Scripting?

  • General discussion

  • Hi
    I really appreciate the Source Code Analyzer for SQL Injection - great tool.
    I realise it's not related to SQL Server, but I wondered if the same team had considered coming up with an equivalent for Cross-Site Scripting (XSS)?

    The static code analysis that detects which user inputs appear in SQL string output
    would seem to be similar to analysis to detect which user input appears in Response.Write or <%=variableName%>.

    I am sure the same code library (ANTLR) could be used.

    Any thoughts?

    I note
    http://technet.microsoft.com/en-us/library/cc750326.aspx
    Due to the great variation in customization of web code, there are no automated tools currently available to assist in this process.

    and I'm sure it will never be 100% watertight,
    but it would help to prioritize obvious vulnerabilities!

    Thanks for your time and consideration!

    Eric
    • Changed type Alex Feng (SQL) Monday, February 1, 2010 8:27 AM Better to be a discussion topic
    Friday, January 29, 2010 11:09 AM
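A sketch of the analysis the post asks for, added here as an example and not part of the original thread or of Microsoft's analyzer: a small taint tracker for classic ASP that marks variables assigned from `Request.*` as tainted, propagates taint through assignments, and reports `Response.Write` and `<%= %>` sinks that emit tainted data outside a `Server.HTMLEncode`/`URLEncode` call. The sample ASP page, the regexes and the heuristics (line-based, no string-literal awareness) are all constructed for this illustration.

```python
import re

# Constructed patterns for classic ASP / VBScript (heuristic, line-oriented).
SOURCE_RE = re.compile(r"\bRequest(?:\.(?:QueryString|Form|Cookies|ServerVariables))?\s*\(", re.I)
ASSIGN_RE = re.compile(r"^\s*(?:Set\s+)?(\w+)\s*=\s*(.+?)\s*$", re.I)
WRITE_RE = re.compile(r"\bResponse\.Write\s*(.+?)\s*$", re.I)
INLINE_RE = re.compile(r"<%=\s*(.+?)\s*%>")
ENCODER_RE = re.compile(r"\bServer\.(?:HTMLEncode|URLEncode)\s*\(", re.I)

def strip_encoded(expr):
    """Drop every Server.HTMLEncode(...)/URLEncode(...) call (balancing parentheses)
    so that only the parts of the expression reaching the output unencoded remain."""
    out, i = [], 0
    while i < len(expr):
        m = ENCODER_RE.search(expr, i)
        if not m:
            out.append(expr[i:])
            break
        out.append(expr[i:m.start()])
        depth, j = 1, m.end()
        while j < len(expr) and depth:          # skip to the matching ')'
            depth += {"(": 1, ")": -1}.get(expr[j], 0)
            j += 1
        i = j
    return "".join(out)

def is_tainted(expr, tainted):
    """True if a request source or a tainted variable survives outside an encoder."""
    rest = strip_encoded(expr)
    if SOURCE_RE.search(rest):
        return True
    return any(re.search(r"\b%s\b" % re.escape(v), rest, re.I) for v in tainted)

def find_xss_sinks(source):
    """Return (line_no, sink_kind, expression) for each unencoded output of user input."""
    tainted, findings = set(), []
    for n, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("'"):       # VBScript comment line
            continue
        m = ASSIGN_RE.match(line)
        if m:                                   # propagate (or clear) taint on assignment
            var, rhs = m.group(1).lower(), m.group(2)
            tainted.add(var) if is_tainted(rhs, tainted) else tainted.discard(var)
        for m in INLINE_RE.finditer(line):
            if is_tainted(m.group(1), tainted):
                findings.append((n, "<%= %>", m.group(1)))
        m = WRITE_RE.search(line)
        if m and is_tainted(m.group(1), tainted):
            findings.append((n, "Response.Write", m.group(1)))
    return findings

# Constructed sample page: lines 7 and 10 should be reported, the encoded outputs should not.
SAMPLE_ASP = """<%
Dim name, greeting, safe
name = Request.QueryString("name")
greeting = "Hello " & name
safe = Server.HTMLEncode(name)
' Response.Write name   (comment, ignored)
Response.Write greeting
Response.Write Server.HTMLEncode(greeting)
%>
<p>Search: <%= Request.Form("q") %></p>
<p>Safe: <%= safe %></p>
"""
```

Running `find_xss_sinks(SAMPLE_ASP)` reports the `Response.Write greeting` on line 7 and the inline `Request.Form("q")` on line 10; a real tool would need a proper parser (the ANTLR grammar the post mentions) to handle string literals, multi-line statements and function boundaries.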
