
Microsoft Code Analysis Tool .NET (CAT.NET) v1 CTP - Code Analysis Tool

2009/3/23 00:34 | Views: 5039 | 3 Comments | Categories: .Net Tools, VisualStudio, Software Tutorials

CAT.NET is a snap-in to the Visual Studio IDE that helps you identify security flaws within a managed code (C#, Visual Basic .NET, J#) application you are developing. It does so by scanning the binary and/or assembly of the application, and tracing the data flow among its statements, methods, and assemblies. This includes indirect data types such as property assignments and instance tainting operations. The engine works by reading the target assembly and all reference assemblies used in the application -- module-by-module -- and then analyzing all of the methods contained within each. It finally displays the issues it finds in a list that you can use to jump directly to the places in your application's source code where those issues were found.

 

The following rules are currently supported by this version of the tool.

- Cross Site Scripting (XSS)

- SQL Injection

- Process Command Injection

- File Canonicalization

- Exception Information

- LDAP Injection

- XPATH Injection

- Redirection to User Controlled Site

 

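Microsoft Code Analysis Tool .NET (CAT.NET) is a code analysis tool from Microsoft that is currently in its testing phase. After installation it integrates with Visual Studio 2008. CAT.NET can analyze a project for potentially dangerous code fragments and generate a report (HTML and Excel files).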
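An added illustration (not from the original post or from Microsoft) of the kind of indirect, cross-method data flow the description refers to: request data is assigned to a property, read back in another method, and concatenated into SQL, shown next to a parameterized version. The class names, the `Orders` table, the `Customer` column and the connection string placeholder are hypothetical.

```csharp
using System;
using System.Data.SqlClient;
using System.Web;

// Constructed sample; OrderQuery, OrderLookup and the Orders table are hypothetical.
public class OrderQuery
{
    // Request data stored here stays tainted when another method reads it back.
    public string CustomerName { get; set; }
}

public class OrderLookup : IHttpHandler
{
    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        var query = new OrderQuery();
        // Source: user-controlled request data enters through a property assignment.
        query.CustomerName = context.Request.QueryString["customer"];

        // Placeholder connection string; supply a real one before running.
        using (var conn = new SqlConnection("<connection string placeholder>"))
        {
            conn.Open();
            // Calling CountOrdersUnsafe here instead would complete the source-to-sink path.
            int count = CountOrdersSafe(conn, query);
            context.Response.Write(count.ToString());
        }
    }

    // Weak: the property value becomes part of the SQL text itself (sink).
    static int CountOrdersUnsafe(SqlConnection conn, OrderQuery q)
    {
        string sql = "SELECT COUNT(*) FROM Orders WHERE Customer = '" + q.CustomerName + "'";
        using (var cmd = new SqlCommand(sql, conn))
            return (int)cmd.ExecuteScalar();
    }

    // Corrected: the SQL text is constant and the value travels as a parameter.
    static int CountOrdersSafe(SqlConnection conn, OrderQuery q)
    {
        const string sql = "SELECT COUNT(*) FROM Orders WHERE Customer = @customer";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@customer", (object)q.CustomerName ?? DBNull.Value);
            return (int)cmd.ExecuteScalar();
        }
    }
}
```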

 

Tools –> CAT.NET Code Analysis

[screenshot]

 

Execution screen:

[screenshot]

 

Toolbar description:

[screenshot]


Comments

  • kennyshu 2009/3/24 01:33 AM

    # re: Microsoft Code Analysis Tool .NET (CAT.NET) v1 CTP - Code Analysis Tool

    Could this be the next generation of FxCop?
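  • chhuang 2009/3/24 07:16 AM

    # re: Microsoft Code Analysis Tool .NET (CAT.NET) v1 CTP - Code Analysis Tool

    FxCop can analyze a broader range of aspects; for now, CAT.NET appears to focus only on security analysis.

    As for replacing it, the Code Analysis feature in Visual Studio 2008 Team Edition is enough to replace FxCop. See FxCop Rules.

    FxCop supports custom rules, while CAT.NET currently does not.

    There is also a similar product, StyleCop, which focuses on code style and partially overlaps with FxCop.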

  • TestPassPort 2009/11/2 05:18 PM

    # re: Microsoft Code Analysis Tool .NET (CAT.NET) v1 CTP - Code Analysis Tool

    Great article, reposting it! http://www.itcert.org/viewthread.php?tid=235