The Microsoft Source Code Analyzer for SQL Injection tool is available to find SQL injection vulnerabilities in ASP code

Article ID: 954476 - View products that this article applies to.
Expand all | Collapse all

On This Page

INTRODUCTION

This article describes the Microsoft Source Code Analyzer for SQL Injection tool. You can use this static code analysis tool to find SQL injection vulnerabilities in ASP code.
Back to the top | Give Feedback

MORE INFORMATION

The Microsoft Source Code Analyzer for SQL Injection tool is a static code analysis tool that helps you find SQL injection vulnerabilities in Active Server Pages (ASP) code. This article describes how to use the tool, the warnings that are generated by the tool, and the limitations of the tool. See the tool Readme document for more information.

Prerequisites

This command-line tool requires the following software:
  • The .NET Framework 3.0

SQL injection issues in ASP code

If user-supplied data from the Request.Form or Request.Querystring collections in ASP code is used to construct dynamic SQL statements without any data validation, an attacker can inject SQL commands into an SQL statement and then misuse it. This is generally known as a First Order SQL injection vulnerability.

If user input is stored in a database by using one ASP page, and then the user input is retrieved from the database and is used to construct dynamic SQL statements in a different ASP page, an attacker can inject SQL commands into an SQL statement and then misuse it. This is generally known as a Second Order SQL injection vulnerability.

To reduce these vulnerabilities, it is best to use parameterized SQL queries. For more information about SQL injection vulnerabilities in ASP and about methods to reduce these vulnerabilities, visit the following Microsoft Web site:
http://msdn.microsoft.com/en-us/library/cc676512.aspx
(http://msdn.microsoft.com/en-us/library/cc676512.aspx)
The Microsoft Source Code Analyzer for SQL Injection tool helps you find some of these issues automatically.

Usage

This section describes how to use the tool.

Syntax

The tool uses the following syntax:
msscasi_asp.exe [/nologo] [/quiet] [/suppress=num;..;num] [/GlobalAsaPath=path] [/IncludePaths=path;..;path] /Input=file.asp

Description

The tool analyzes ASP code for SQL injection vulnerabilities.

Parameter list

Collapse this tableExpand this table
Parameter Option Description
/GlobalAsaPathpathDisplays the path of the Global.asa file.
/IncludePathspathsDisplays semicolon-separated paths for resolving files that are included by using virtual paths.
/inputasp fileDisplays the absolute path of the ASP file that must be analyzed.
/suppress warnings Warnings are not reported.
/nologo The tool logo is not displayed.
/quietParsing errors are not displayed. When you use the /nologo and /quiet switches, only the warning messages are displayed.

Examples

MSSCASI_ASP /input="c:\source\logon.asp"

MSSCASI_ASP /GlobalAsaPath="C:\source" /input="c:\source\webitems\display.asp"

MSSCASI_ASP /GlobalAsaPath="C:\source" /input="c:\source\webitems\display.asp" /IncludePaths="C:\virtualdirectory1;C:\virtualdirectory2"

MSSCASI_ASP /input="c:\source\webitems\display.asp" /suppress="80406;80407"

Reviewing the output

The tool generates the following warnings:
Collapse this tableExpand this table
WarningDescription
80400Possible SQL injection vulnerability through data that is read from the Request object without any input validation. These warnings are very likely bugs that must be fixed.
80406Possible SQL injection vulnerability through data that is read from the Request object where the input is passed through some unknown function calls that might perform data validation. If there is no data validation performed inside the function call, these are very likely bugs. Otherwise, these are false positives.
80403Possible SQL injection vulnerability through data that comes from a back-end server. If the data is controlled by an end-user through some other Web site, these are very likely bugs. However, if the data is well trusted, these may not be bugs. It is still a good practice to parameterize these queries as part of a defense-in-depth strategy.
80407Possible SQL injection vulnerability through data that comes from a back-end server and that is passed through some unknown function calls. If the data is controlled by an end-user through some other Web sites, and if there is no data validation performed on this data, these are very likely bugs.
80420Possible SQL injection vulnerability through function parameters. These warnings are generated at function scope. Therefore, if the function parameter values come from trusted sources, these are false positives. If the parameter values are controlled by end-users, these are very likely bugs. You can use the __sql_pre_validated annotation on the function parameters to detect whether end-users can reach this code.
80421Possible SQL injection vulnerability through function parameters, and the function parameters are passed through some unknown function calls that might perform data validation. You can use the __sql_pre_validated annotation on the function parameters and __sql_validate on the validation function to detect whether end-users can reach this code.
Of all the warnings that the tool generates, the 80400 warning is the most likely to indicate actual bugs. ASP Web developers must fix these bugs by using parameterized queries. For more information about how to use parameterized SQL queries in ASP code, visit the following Microsoft Web site:
http://msdn.microsoft.com/en-us/library/cc676512.aspx
(http://msdn.microsoft.com/en-us/library/cc676512.aspx)

Limitations

The tool has the following known limitations:
  • The tool understands only ASP code that is written in VBScript. It currently does not analyze server-side code that is written in any other languages, such as Jscript.
  • A new ASP parser was developed as part of this tool development process. However, this parser may not cover all ASP constructs. Therefore, you may see some parsing errors.
Back to the top | Give Feedback

REFERENCES

To download the Microsoft Source Code Analyzer for SQL Injection tool, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyId=58A7C46E-A599-4FCB-9AB4-A4334146B6BA
(http://www.microsoft.com/downloads/details.aspx?FamilyId=58A7C46E-A599-4FCB-9AB4-A4334146B6BA)
For more information about various best practices documentation, visit the following Microsoft Web site:
http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx
(http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx)
For more information about preventing SQL injections in ASP, visit the following Microsoft Web site:
http://msdn.microsoft.com/en-us/library/cc676512.aspx
(http://msdn.microsoft.com/en-us/library/cc676512.aspx)
For more information about SQL injection attacks, visit the following Microsoft Web site:
http://blogs.msdn.com/sdl/archive/2008/05/15/giving-sql-injection-the-respect-it-deserves.aspx
(http://blogs.msdn.com/sdl/archive/2008/05/15/giving-sql-injection-the-respect-it-deserves.aspx)
For more information about the tool, visit the following Microsoft Web site:
http://blogs.msdn.com/sqlsecurity
(http://blogs.msdn.com/sqlsecurity)
Visit the following Microsoft Web site to discuss the tool in the MSDN SQL Security forum:
http://forums.microsoft.com/msdn/ShowForum.aspx?ForumID=92&SiteID=1
(http://forums.microsoft.com/msdn/ShowForum.aspx?ForumID=92&SiteID=1)
Back to the top | Give Feedback

Properties

Article ID: 954476 - Last Review: June 24, 2008 - Revision: 1.0
APPLIES TO
  • Microsoft ASP.NET 2.0
Keywords: 
atdownload kbexpertiseadvanced kbcode kbexpertiseinter kbinfo kbsecadvisory kbsecurity kbsecvulnerability KB954476
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top