Microsoft Knowledge Base Article

The contents of this article are Microsoft copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks




The Microsoft Source Code Analyzer for SQL Injection tool is available to find SQL injection vulnerabilities in ASP code

Article ID: 954476
Last Review: June 24, 2008
Revision: 1.0
INTRODUCTION

This article describes the Microsoft Source Code Analyzer for SQL Injection tool. You can use this static code analysis tool to find SQL injection vulnerabilities in ASP code.


MORE INFORMATION

The Microsoft Source Code Analyzer for SQL Injection tool is a static code analysis tool that helps you find SQL injection vulnerabilities in Active Server Pages (ASP) code. This article describes how to use the tool, the warnings that are generated by the tool, and the limitations of the tool. See the tool Readme document for more information.


Prerequisites

This command-line tool requires the following software:
• The .NET Framework 3.0


SQL injection issues in ASP code

If user-supplied data from the Request.Form or Request.Querystring collections in ASP code is used to construct dynamic SQL statements without any data validation, an attacker can inject SQL commands into an SQL statement and then misuse it. This is generally known as a First Order SQL injection vulnerability.

If user input is stored in a database by using one ASP page, and then the user input is retrieved from the database and is used to construct dynamic SQL statements in a different ASP page, an attacker can inject SQL commands into an SQL statement and then misuse it. This is generally known as a Second Order SQL injection vulnerability.

To reduce these vulnerabilities, it is best to use parameterized SQL queries. For more information about SQL injection vulnerabilities in ASP and about methods to reduce these vulnerabilities, visit the following Microsoft Web site:
http://msdn.microsoft.com/en-us/library/cc676512.aspx
The Microsoft Source Code Analyzer for SQL Injection tool helps you find some of these issues automatically.


Usage

This section describes how to use the tool.

Syntax

The tool uses the following syntax:
msscasi_asp.exe [/nologo] [/quiet] [/suppress=num;..;num] [/GlobalAsaPath=path] [/IncludePaths=path;..;path] /Input=file.asp

Description

The tool analyzes ASP code for SQL injection vulnerabilities.

Parameter list

Parameter        Option     Description
/GlobalAsaPath   path       Specifies the path of the Global.asa file.
/IncludePaths    paths      Specifies semicolon-separated paths for resolving files that are included by using virtual paths.
/input           asp file   Specifies the absolute path of the ASP file that must be analyzed.
/suppress        warnings   The listed warnings are not reported.
/nologo                     The tool logo is not displayed.
/quiet                      Parsing errors are not displayed. When you use the /nologo and /quiet switches, only the warning messages are displayed.

Examples

MSSCASI_ASP /input="c:\source\logon.asp"
MSSCASI_ASP /GlobalAsaPath="C:\source" /input="c:\source\webitems\display.asp"
MSSCASI_ASP /GlobalAsaPath="C:\source" /input="c:\source\webitems\display.asp" /IncludePaths="C:\virtualdirectory1;C:\virtualdirectory2"
MSSCASI_ASP /input="c:\source\webitems\display.asp" /suppress="80406;80407"

Reviewing the output

The tool generates the following warnings:
Warning   Description
80400     Possible SQL injection vulnerability through data that is read from the Request object without any input validation. These warnings are very likely bugs that must be fixed.
80406     Possible SQL injection vulnerability through data that is read from the Request object where the input is passed through some unknown function calls that might perform data validation. If there is no data validation performed inside the function call, these are very likely bugs. Otherwise, these are false positives.
80403     Possible SQL injection vulnerability through data that comes from a back-end server. If the data is controlled by an end-user through some other Web site, these are very likely bugs. However, if the data is well trusted, these may not be bugs. It is still a good practice to parameterize these queries as part of a defense-in-depth strategy.
80407     Possible SQL injection vulnerability through data that comes from a back-end server and that is passed through some unknown function calls. If the data is controlled by an end-user through some other Web sites, and if there is no data validation performed on this data, these are very likely bugs.
80420     Possible SQL injection vulnerability through function parameters. These warnings are generated at function scope. Therefore, if the function parameter values come from trusted sources, these are false positives. If the parameter values are controlled by end-users, these are very likely bugs. You can use the __sql_pre_validated annotation on the function parameters to detect whether end-users can reach this code.
80421     Possible SQL injection vulnerability through function parameters, and the function parameters are passed through some unknown function calls that might perform data validation. You can use the __sql_pre_validated annotation on the function parameters and __sql_validate on the validation function to detect whether end-users can reach this code.
Of all the warnings that the tool generates, the 80400 warning is the most likely to indicate actual bugs. ASP Web developers must fix these bugs by using parameterized queries. For more information about how to use parameterized SQL queries in ASP code, visit the following Microsoft Web site:
http://msdn.microsoft.com/en-us/library/cc676512.aspx
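To make the warning classes above and the First Order / Second Order distinction from the earlier section concrete, here is a small taint-tracking analyzer written for this page. It is an added illustration, not the Microsoft tool or any code from the KB article, and it only approximates the tool's rules: data assigned from the Request object is "request" taint (80400/80406), data read from a recordset is "backend" taint (80403/80407), function parameters are "param" taint (80420/80421), and a value that reaches a query only after passing through a function the analyzer does not know about is reported with the "unknown function call" code. The VBScript sample inside the block is constructed for the example; the Sanitize function in it is hypothetical, and the ADODB.Command query at the end is the parameterized form the article recommends, which correctly produces no warning.

```python
import re
from typing import Dict, List, Tuple

# Constructed classic-ASP sample (not from the KB article). Each query is a
# separate case so that every warning class in the article's table is hit;
# Sanitize() is a hypothetical, unmodelled validation routine.
SAMPLE_ASP = """<%
Function GetUser(name)
    clean = Sanitize(name)
    Set rs = conn.Execute("SELECT * FROM users WHERE name = '" & name & "'")
    Set rs = conn.Execute("SELECT * FROM users WHERE name = '" & clean & "'")
End Function

id = Request.QueryString("id")
safeId = Sanitize(id)
Set rs1 = conn.Execute("SELECT * FROM orders WHERE id = " & id)
Set rs2 = conn.Execute("SELECT * FROM orders WHERE id = " & safeId)

nick = rs1("nickname")
safeNick = Sanitize(nick)
Set rs3 = conn.Execute("SELECT * FROM profiles WHERE nick = '" & nick & "'")
Set rs3 = conn.Execute("SELECT * FROM profiles WHERE nick = '" & safeNick & "'")

Set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = conn
cmd.CommandText = "SELECT * FROM orders WHERE id = ?"
cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , id)
Set rs4 = cmd.Execute
%>"""

# Warning numbers from the article, keyed by (taint origin, reached the query
# directly or only through an unknown function call).
CODES = {
    ("request", True): 80400, ("request", False): 80406,
    ("backend", True): 80403, ("backend", False): 80407,
    ("param", True): 80420, ("param", False): 80421,
}

REQUEST_SRC = re.compile(r"\bRequest(?:\.(?:Form|QueryString|Cookies))?\s*\(", re.I)
RECORDSET_READ = re.compile(r'(\w+)\s*\(\s*"[^"]*"\s*\)')        # rs("column")
ASSIGN = re.compile(r"^\s*(?:Set\s+)?([\w.]+)\s*=\s*(.+?)\s*$", re.I)
FUNC_START = re.compile(r"^\s*(?:Function|Sub)\s+\w+\s*\(([^)]*)\)", re.I)
FUNC_END = re.compile(r"^\s*End\s+(?:Function|Sub)\b", re.I)
SINK = re.compile(r"\.Execute\s*\(|\.CommandText\s*=", re.I)      # SQL text is built here
STRING_LITERAL = re.compile(r'"[^"]*"')
CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(")


def tainted_refs(code: str, taint: Dict[str, Tuple[str, bool]]) -> List[str]:
    """Tainted variable names referenced in code, ignoring text inside string literals."""
    stripped = STRING_LITERAL.sub('""', code)
    return [v for v in taint if re.search(rf"\b{re.escape(v)}\b", stripped, re.I)]


def analyze(asp_source: str) -> List[Tuple[int, int, str]]:
    """Return (line, warning number, variable) for each tainted value reaching a query."""
    taint: Dict[str, Tuple[str, bool]] = {}   # var -> (origin, reached directly?)
    recordsets: set = set()                     # vars holding query results (back-end data)
    scope: List[str] = []                       # vars tainted inside the current function
    in_function = False
    findings: List[Tuple[int, int, str]] = []
    for lineno, line in enumerate(asp_source.splitlines(), 1):
        m = FUNC_START.match(line)
        if m:
            in_function = True
            for p in filter(None, (p.strip() for p in m.group(1).split(","))):
                taint[p] = ("param", True)      # callers may pass end-user data (80420/80421)
                scope.append(p)
            continue
        if FUNC_END.match(line):
            for v in scope:
                taint.pop(v, None)
            scope, in_function = [], False
            continue
        m = ASSIGN.match(line)
        if SINK.search(line):
            for v in tainted_refs(line, taint):
                origin, direct = taint[v]
                findings.append((lineno, CODES[(origin, direct)], v))
            if m and "execute" in m.group(2).lower():
                recordsets.add(m.group(1))      # rows read from it are second-order input
            continue
        if not m:
            continue
        lhs, rhs = m.group(1), m.group(2)
        rs_read = RECORDSET_READ.fullmatch(rhs)
        if REQUEST_SRC.search(rhs):
            taint[lhs] = ("request", True)
        elif rs_read and rs_read.group(1) in recordsets:
            taint[lhs] = ("backend", True)
        else:
            refs = tainted_refs(rhs, taint)
            if not refs:
                taint.pop(lhs, None)            # reassigned from a clean value
                continue
            origin, direct = taint[refs[0]]
            # Passing through a function we do not model is the "unknown function call" case.
            taint[lhs] = (origin, direct and not CALL.search(STRING_LITERAL.sub('""', rhs)))
        if in_function:
            scope.append(lhs)
    return findings


if __name__ == "__main__":
    for lineno, code, var in analyze(SAMPLE_ASP):
        print(f"line {lineno}: warning {code} via '{var}'")
```

Running the block reports 80420 and 80421 for the two queries inside GetUser, 80400 and 80406 for the Request-derived id, and 80403 and 80407 for the nickname read back from the database, while the ADODB.Command query with a ? placeholder is silent because the user value is bound as a parameter rather than concatenated into the SQL text. The analyzer is deliberately line-oriented and has no knowledge of the __sql_pre_validated and __sql_validate annotations, so it illustrates why the tool separates "direct" from "via unknown function" warnings rather than reproducing the tool's results.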

Limitations

The tool has the following known limitations:
• The tool understands only ASP code that is written in VBScript. It currently does not analyze server-side code that is written in any other language, such as JScript.
• A new ASP parser was developed as part of this tool development process. However, this parser may not cover all ASP constructs. Therefore, you may see some parsing errors.


REFERENCES

To download the Microsoft Source Code Analyzer for SQL Injection tool, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyId=58A7C46E-A599-4FCB-9AB4-A4334146B6BA
For more information about various best practices documentation, visit the following Microsoft Web site:
http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx
For more information about preventing SQL injections in ASP, visit the following Microsoft Web site:
http://msdn.microsoft.com/en-us/library/cc676512.aspx
For more information about SQL injection attacks, visit the following Microsoft Web site:
http://blogs.msdn.com/sdl/archive/2008/05/15/giving-sql-injection-the-respect-it-deserves.aspx
For more information about the tool, visit the following Microsoft Web site:
http://blogs.msdn.com/sqlsecurity
Visit the following Microsoft Web site to discuss the tool in the MSDN SQL Security forum:
http://forums.microsoft.com/msdn/ShowForum.aspx?ForumID=92&SiteID=1



APPLIES TO
• Microsoft ASP.NET 2.0


Keywords: atdownload kbexpertiseadvanced kbcode kbexpertiseinter kbinfo kbsecadvisory kbsecurity kbsecvulnerability KB954476
