Using CAT.NET Code Analysis Tool

by agrace 22. February 2009 09:52

The Code Analysis Tool (CAT.NET) v1 CTP came out last December and I have been meaning to try it out. There is a 32-bit Visual Studio plug-in version available, although there appears to be some issues with it at this point in time. If you are running a 64-bit machine then you can grab a 64-bit command line version - this version does not suffer from the same limitations as the 32-bit version.

CAT.NET is a static, as opposed to runtime tool. It looks at the assemblies in your project and traces the information flow from start to finish. You then get a report of what it finds in XML and HTML format. I ran it on an application I developed and located two potential XSS vulnerabilities in a library I obtained from another vendor.

CAT.NET Code Analysis Tool


This is an incredibly simple tool to use and I cannot think of any excuse not to take a few moments to run it on an application prior to going live. Think of it as one extra layer of safety.

CAT.NET Code Analysis Tool Result


Currently, it check for the following vulnerabilities:

* Cross Site Scripting
* SQL Injection
* Process Command Injection
* File Canonicalization
* Exception Information
* LDAP Injection
* XPATH Injection
* Redirection to User Controlled Site

This tool and others, such as the Anti-Cross Site Scripting Library, are developed by the Connected Information Security Group (CIGS) at Microsoft. It's definitely worth your while to check out the CIGS Team blog.

Helpful Resources:

* Cross-Site Request Forgeries and You
* How to Prevent Cross-Site Scripting in ASP.NET
* How to Protect from Injection Attacks in ASP.NET

SQL Injection I recently posted about 500,000 sites having been subjected to SQL injection attacks. For the most part, these were old ASP sites. Frankly, I didn't realize there were that many ASP sites still in existence, let alone badly coded! However, both PHP and ASP.NET sites were attacked also. Let's be clear about this: we are talking about bad coding practices here and not about any specific security flaw per-se.

Apparently the saga continues; although I don't have exact figures, there was another rise in attacks in May. Suffice to say that Microsoft saw fit to release a security advisory (954462) on Tuesday, 06-24-2008. Microsoft also enlisted the help of HP to develop a free scanner, called Scrawlr, which can identify whether sites are susceptible to SQL injection. Microsoft also announced the availability of a SQL Injection tool; a static code analysis tool to help find SQL injection vulnerabilities in older Active Server Pages (ASP) code.

 * Microsoft Source Code Analyzer for SQL Injection Tool
 * Microsoft Security Advisory (954462)

You can find plenty of informative links on good coding practices by visiting these two sites, so I'm not going to repeat them here. There is no need for somebody to have a site that is this vulnerable. It's not about spending more money upgrading your version of ASP.NET; it's about employing responsible programmers. The tools mentioned here are basically stopgap measures to buy some time before implementing a more robust solution. What price your data?