1. I’ve used CAT.Net to analyse some projects in the past and its a great tool for spotting low hanging fruit. It should however be noted that the amount of false positives is quite high in large SAAS applications.

    Lucky for us, ASP.NET will stop most of these attacks for
    us, by filtering on HTML tags, and unicode attacks, but it is
    always a good practice to encode all output

    In the default setting ASP 2.0 and higher will filter this. However the filtering isn’t perfect (BID 20753) and there have been some patches to address this (always use a fully updated ASP.net instance). However, I still found people turning this security off (by using ValidateRequest=”false”) because they want another webpart (content editor) to work.

    Rolf Huisman

  2. i have been also used cat anlysis for some reasons and project it helps me a lot to lessen my load of works.

    cat sneezing

Comments are closed.