Identifying ASP pages vulnerable to SQL injection attacks using Microsoft’s Source Code Analyzer

Back in July 2008, Microsoft released the Source Code Analyzer for SQL Injection, a “static code analysis tool for finding SQL Injection vulnerabilities in ASP code.” With the large number of SQL injection attacks occurring recently, running this tool against your ASP-based web sites is important. (It’s not the only thing you should do, but it’s at least one thing you should do!)

The tool itself is composed of two command-line tools:

  • msscasi_asp.exe, which reviews an ASP file and outputs an XML file with vulnerability warnings.
  • msscasi_view.cmd, a script which opens the generated XML file for viewing in a web application window.

One limitation is that you can’t run these utilities on more than one file — but you can run each of the utilities on every ASP file on your computer by running a batch file.

@echo off
set startdir=d:\dev
for /r %startdir% %%i in (*.asp) do @(
	echo Researching %%i...
	msscasi_asp.exe /Input="%%i" /Output="%%i.xml" > NUL
	set filesize=""
	for /f "skip=4 tokens=4" %%a in ('dir %%i.xml') do if "%%a" NEQ "84" if "%%a" NEQ "bytes" @(
		call msscasi_view.cmd "%%i.xml" > NUL
		del %%i.xml /q

Here’s what the batch file does:

  1. Starting at the directory specified (see set startdir=d:\dev)…
  2. Find every *.asp file in all files and folders below that folder…
  3. For each file, run the SQL injection analyzer tool (msscasi_asp.exe)…
  4. If the file size of the output XML file is other than 84 bytes (the size of a file with no vulnerabilities), open the output file from the analyzer tool in the viewer (msscasi_view.cmd)…
  5. Delete the output XML.

You can use the batch file to parse an entire drive if you want. In the sample above, I’m checking every ASP file at or below the the d:\dev directory. The key step here is #4 — the vulnerability results file will only be opened if the output file is other than 84 bytes, which in my testing is the size of the XML file when there are no detected vulnerabilities.

Again, this utility is no replacement for a manual analysis of your code files. Of course, if you are worried, you can always hire my company to do a code review and to fix your vulnerabilities.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>