Back in July 2008, Microsoft released the Source Code Analyzer for SQL Injection, a “static code analysis tool for finding SQL Injection vulnerabilities in ASP code.” With the large number of SQL injection attacks occurring recently, running this tool against your ASP-based web sites is important. (It’s not the only thing you should do, but it’s at least one thing you should do!)
The tool itself is composed of two command-line tools:
msscasi_asp.exe, which reviews an ASP file and outputs an XML file with vulnerability warnings.
msscasi_view.cmd, a script which opens the generated XML file for viewing in a web application window.
One limitation is that you can’t run these utilities on more than one file at a time, but you can run each of the utilities on every ASP file on your computer by running a batch file.
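One way to write such a batch file, as an added example rather than code from the original post or from Microsoft. It assumes msscasi_asp.exe is on the PATH and accepts /input= and /output= switches (confirm against the tool's readme); the script name, report naming and index.txt are made up here.

```batch
@echo off
rem Added example: run the analyzer once per .asp file under a site root.
rem Usage: scan_all_asp.cmd <site-root> <report-dir>
rem ASSUMPTION: msscasi_asp.exe is on PATH and accepts /input= and /output=
rem switches; confirm against the readme shipped with your copy of the tool.
setlocal EnableExtensions DisableDelayedExpansion

if "%~2"=="" echo Usage: %~nx0 ^<site-root^> ^<report-dir^> & exit /b 2
set "ROOT=%~f1"
set "OUT=%~f2"
if not exist "%ROOT%\" echo Site root not found: "%ROOT%" & exit /b 2
if not exist "%OUT%\" mkdir "%OUT%"

set /a COUNT=0
set /a FAILED=0
rem *.asp can also match .aspx through 8.3 short names, so re-check the extension.
for /r "%ROOT%" %%F in (*.asp) do if /i "%%~xF"==".asp" call :scan "%%~fF"

echo Scanned %COUNT% file(s); %FAILED% run(s) exited non-zero.
echo Reports and index.txt are in "%OUT%"
if %FAILED% gtr 0 exit /b 1
exit /b 0

:scan
set /a COUNT+=1
rem Prefix a counter so same-named pages in different folders do not collide.
set "REPORT=%OUT%\%COUNT%_%~n1.xml"
rem Exit-code meaning is an assumption: non-zero runs are only flagged for review.
msscasi_asp.exe /input="%~1" /output="%REPORT%"
if errorlevel 1 echo Analyzer exited non-zero for "%~1" & set /a FAILED+=1
rem index.txt maps each numbered report back to the page it came from.
>>"%OUT%\index.txt" echo "%REPORT%" = "%~1"
exit /b 0
```

Point the report directory somewhere outside the web root, since the XML files list where each page is vulnerable and should not be servable by the site.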