Download Watcher from CodePlex. A short list of new features and improvements includes:

• A separate, optional component to export results to Team Foundation Server.
• New check to identify insecure ASP.NET VIEWSTATE configurations subject to tampering and pervasive XSS attacks.
• New check to identify insecure JavaServer MyFaces ViewState subject to tampering and XSS attacks.
• New check for Silverlight EnableHtmlAccess.
• Export results to HTML report.
• Compliance mappings to Microsoft SDL.
• If no origin domain is specified, each response domain will be treated as the origin, enabling better cross-domain analysis.
• Assorted bug fixes and improvements.

Bryan Sullivan and Patrick Toomey’s ViewStateViewer plugin [2] provided inspiration for detecting ASP.NET VIEWSTATE MAC protection. When testing .NET 4.0 we discovered a change in the MAC implementation which has also been accounted for in this check. David Byrne from Trustwave [1] provided most of the methodology ideas for detecting insecure JavaServer MyFaces ViewState.

In addition to the main developers (Robert Mooney and Samuel Bucholtz), we wanted to thank everyone who helped or provided suggestions for this release:

Hidetake Jo
Bryan Sullivan
David Byrne
Jason D. Montgomery
Dave Wichers

[1] Trustwave advisory https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt
[2] ViewStateViewer plugin for Fiddler http://labs.neohapsis.com/2009/08/03/viewstateviewer-a-gui-tool-for-deserializingreserializing-viewstate/