Using CAT.NET Code Analysis Tool

by agrace 22. February 2009 09:52

The Code Analysis Tool (CAT.NET) v1 CTP came out last December and I have been meaning to try it out. There is a 32-bit Visual Studio plug-in version available, although there appear to be some issues with it at this point in time. If you are running a 64-bit machine then you can grab a 64-bit command line version - this version does not suffer from the same limitations as the 32-bit version.

CAT.NET is a static analysis tool, as opposed to a runtime one. It looks at the assemblies in your project and traces the information flow from where user input enters to where it is consumed. You then get a report of what it finds in XML and HTML format. I ran it on an application I developed and located two potential XSS vulnerabilities in a library I obtained from another vendor.

[Image: CAT.NET Code Analysis Tool]


This is an incredibly simple tool to use and I cannot think of any excuse not to take a few moments to run it on an application prior to going live. Think of it as one extra layer of safety.

[Image: CAT.NET Code Analysis Tool Result]


Currently, it checks for the following vulnerabilities:

* Cross Site Scripting
* SQL Injection
* Process Command Injection
* File Canonicalization
* Exception Information
* LDAP Injection
* XPATH Injection
* Redirection to User Controlled Site
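To make the categories above concrete, here is an added example (not code from the post or from CAT.NET) showing the kind of flow the tool traces: user input read from the query string reaching an output sink, a SQL command, and a redirect, with the vulnerable line shown commented out next to the fixed form. The page class, the ResultsGrid GridView, the "ProductsDb" connection string and the Products table are assumptions.

```csharp
// Added example: three of the taint flows CAT.NET reports, vulnerable form
// (commented out) beside the fix. Names below are assumed, not from the post.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Configuration;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class ProductSearch : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Source: user-controlled input. The trace starts here.
        string term = Request.QueryString["q"] ?? string.Empty;

        // --- Cross Site Scripting: sink is Response.Write ---
        // Vulnerable: tainted input reaches the response unencoded.
        // Response.Write("Results for " + term);
        // Fixed: encode at the output sink.
        Response.Write("Results for " + HttpUtility.HtmlEncode(term));

        // --- SQL Injection: sink is the SqlCommand text ---
        string cs = ConfigurationManager.ConnectionStrings["ProductsDb"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(cs))
        {
            // Vulnerable: query text built by concatenation.
            // string sql = "SELECT Name FROM Products WHERE Name LIKE '%" + term + "%'";
            // Fixed: the input is a parameter value, never part of the SQL text.
            SqlCommand cmd = new SqlCommand(
                "SELECT Name FROM Products WHERE Name LIKE @pattern", conn);
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value = "%" + term + "%";
            conn.Open();
            ResultsGrid.DataSource = cmd.ExecuteReader();
            ResultsGrid.DataBind();
        }

        // --- Redirection to User Controlled Site: sink is Response.Redirect ---
        string returnUrl = Request.QueryString["returnUrl"];
        // Vulnerable: Response.Redirect(returnUrl);
        // Fixed: only follow site-relative paths; "//host" and "/\host" are
        // protocol-relative forms and are rejected as well.
        if (!string.IsNullOrEmpty(returnUrl)
            && returnUrl.StartsWith("/")
            && !returnUrl.StartsWith("//")
            && !returnUrl.StartsWith("/\\"))
        {
            Response.Redirect(returnUrl);
        }
    }
}
```

The tool reports the commented-out lines because a value that originated in Request flows to a sink without passing through a sanitizer it recognizes; the fixed lines either encode at the sink, turn the input into a parameter, or constrain it before use.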

This tool and others, such as the Anti-Cross Site Scripting Library, are developed by the Connected Information Security Group (CIGS) at Microsoft. It's definitely worth your while to check out the CIGS Team blog.

Helpful Resources:

* Cross-Site Request Forgeries and You
* How to Prevent Cross-Site Scripting in ASP.NET
* How to Protect from Injection Attacks in ASP.NET

ASP.NET SEO and the Canonical Tag

by agrace 21. February 2009 08:03

[Image: Canonical Tag]

Recently, Google, Microsoft and Yahoo announced support for a new canonical tag in an effort to combat duplicate URLs (read duplicate content) on websites. Quite simply, you can add an HTML <link> tag to the <head> section of your page to indicate the preferred, or canonical, version of the page URL.

If you have something like this:




You can have the search spider interpret it as this:


It works like a 301 redirect and is just a hint to the search spider. In other words, the other search engines are free to recognize it or not. It's mind-boggling the amount of work developers have had to do to get around this problem up to now, and it was this simple to fix at the end of the day?

To implement this for your ASP.NET products page, with its GridView of pageable, sortable widgets, you could do the following:

using System;
using System.Web.UI;
using System.Web.UI.HtmlControls;

public partial class Products : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Build a <link rel="canonical"> element and add it to the <head runat="server"> section.
        HtmlLink canonicalTag = new HtmlLink();
        canonicalTag.Href = ""; // the preferred (canonical) URL of this page; the value is not given in the post
        canonicalTag.Attributes["rel"] = "canonical";
        Page.Header.Controls.Add(canonicalTag);
    }
}


ASP.NET renders the following: 

    <title>Products Page</title>
    <link href="" rel="canonical" />


There is only one problem with this if you are using an XHTML doctype declaration; per the W3C recommendation, a closing slash in the <link> tag is illegal. The correct format is:

    <link href="" rel="canonical">


So where does this leave us? For me, relaxing the doctype to anything less than XHTML transitional is not an option. Does this mean we have to use an HtmlTextWriter to customize the output for this particular tag or is there some easier way? Has anyone got a suggestion or will we have to wait for a fix?
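The code above leaves the href value out. For a products page whose GridView is pageable and sortable, the point of the tag is that every page/sort variant of the URL names the same preferred URL, so the href has to be computed. The following is an added example, not the post's code: it builds the canonical URL from a configured base URL and drops the presentation-only query parameters. The "CanonicalBaseUrl" appSetting and the "page", "sort" and "dir" parameter names are assumptions.

```csharp
// Added example (not from the post): compute the canonical href for the
// products page. Configuration key and parameter names are assumed.
using System;
using System.Collections.Specialized;
using System.Configuration;
using System.Text;
using System.Web;
using System.Web.UI;
using System.Web.UI.HtmlControls;

public partial class Products : Page
{
    // Query parameters that only change presentation (GridView paging/sorting);
    // they never appear in the canonical URL.
    private static readonly string[] PresentationParams = { "page", "sort", "dir" };

    protected void Page_Load(object sender, EventArgs e)
    {
        HtmlLink canonicalTag = new HtmlLink();
        canonicalTag.Href = BuildCanonicalUrl(Request);
        canonicalTag.Attributes["rel"] = "canonical";
        Page.Header.Controls.Add(canonicalTag);
    }

    // Scheme and host come from configuration rather than Request.Url: the Host
    // header is supplied by the client, so a canonical URL derived from it could
    // end up naming a host you do not control.
    internal static string BuildCanonicalUrl(HttpRequest request)
    {
        string baseUrl = ConfigurationManager.AppSettings["CanonicalBaseUrl"]; // e.g. https://www.example.com
        if (string.IsNullOrEmpty(baseUrl))
            throw new ConfigurationErrorsException("CanonicalBaseUrl is not configured.");

        // Keep only the parameters that identify distinct content.
        NameValueCollection keep = new NameValueCollection();
        foreach (string key in request.QueryString.AllKeys)
        {
            if (key == null || Array.IndexOf(PresentationParams, key.ToLowerInvariant()) >= 0)
                continue;
            keep[key] = request.QueryString[key];
        }

        StringBuilder query = new StringBuilder();
        foreach (string key in keep.AllKeys)
        {
            if (query.Length > 0) query.Append('&');
            query.Append(HttpUtility.UrlEncode(key))
                 .Append('=')
                 .Append(HttpUtility.UrlEncode(keep[key]));
        }

        UriBuilder ub = new UriBuilder(baseUrl);
        ub.Path = request.Path;      // e.g. /Products.aspx, including the application path
        ub.Query = query.ToString(); // UriBuilder adds the leading "?" when non-empty
        return ub.Uri.AbsoluteUri;
    }
}
```

With this, /Products.aspx?page=3&sort=Name and /Products.aspx both render href="https://www.example.com/Products.aspx", while a parameter such as category=guitars survives because it selects different content.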



Recently, I have been experiencing some difficulty applying CSS correctly to some of the OOTB (out-of-the-box) ASP.NET controls. Earlier today, I was trying to apply a CSS image border using the ASP.NET image control, but couldn't get it to render correctly. In the end, I had to use a regular HTML img tag.

CSS for Image Border

/* The selectors were lost from the post; .test and .imageStyle are the class names used in the markup below, the first two are assumed */
* {
   margin: 0;
   padding: 0;
}

body {
   color: #c6d3d5;
   font: 75%/1.5em Verdana, Helvetica, Geneva, "Helvetica Neue", sans-serif;
}

.test {
   margin-left: 300px;
   width: 156px;
}

.imageStyle {
   padding: 3px;
   background-color: #525252;
   border: 1px solid #c3cfd3;
}


ASP.NET Image Control

<div class="test">
  ASP.NET Image Control:
  <asp:Image ID="Image1" ImageUrl="~/Images/fender.jpg"
     CssClass="imageStyle" runat="server" />
  <div style="clear:both;">Incorrectly Rendered</div>
</div>


[Image: ASP.NET Image Control Anomaly]


HTML Image Tag

<div class="test">
  HTML img tag:
  <img src="~/Images/fender.jpg" id="Image2" alt="Correctly Rendered"
     class="imageStyle" runat="server" />
  <div style="clear:both;">Correctly Rendered</div>
</div>


Feedback from anyone experiencing similar issues would be welcome. One of the projects on my to-do list this year is to create a custom CSS framework for use with ASP.NET sites, and this is something I'd like to get a handle on in advance. If I come across any other issues like this one, I will post them here.
