Identifying ASP pages vulnerable to SQL injection attacks using Microsoft’s Source Code Analyzer

Back in July 2008, Microsoft released the Source Code Analyzer for SQL Injection, a “static code analysis tool for finding SQL Injection vulnerabilities in ASP code.” With the large number of SQL injection attacks occurring recently, running this tool against your ASP-based web sites is important. (It’s not the only thing you should do, but it’s at least one thing you should do!)

The tool itself is composed of two command-line tools:

  • msscasi_asp.exe, which reviews an ASP file and outputs an XML file with vulnerability warnings.
  • msscasi_view.cmd, a script which opens the generated XML file for viewing in a web application window.

One limitation is that you can’t run these utilities on more than one file — but you can run each of the utilities on every ASP file on your computer by running a batch file.
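A batch file along those lines, as an added example rather than code from the original post or from Microsoft: it walks a site root and calls msscasi_asp.exe once per ASP file, writing one XML report per page. The paths are placeholders, and the `/input=` and `/output=` switches are not shown on this page; they are assumed from the tool's usage text, so confirm them against the version you install.

```batch
@echo off
rem Added example: scan every .asp file under a site root, one file per call.
rem Assumptions: SCANNER, SITE_ROOT and OUT_DIR are placeholder paths, and the
rem /input= and /output= switches are assumed from the tool's usage text.
rem File paths containing "!" are not handled (delayed expansion is enabled).
setlocal EnableDelayedExpansion

set "SCANNER=C:\Tools\msscasi\msscasi_asp.exe"
set "SITE_ROOT=C:\inetpub\wwwroot"
set "OUT_DIR=C:\scan-results"

if not exist "%SCANNER%" (
    echo Scanner not found: %SCANNER%
    exit /b 2
)
if not exist "%OUT_DIR%" mkdir "%OUT_DIR%"

set /a TOTAL=0
set /a FLAGGED=0

for /r "%SITE_ROOT%" %%F in (*.asp) do (
    rem On volumes with 8.3 short names, *.asp can also match .aspx files,
    rem so compare the real extension before scanning.
    if /i "%%~xF"==".asp" (
        set /a TOTAL+=1

        rem Flatten the full path into a unique report name so that
        rem default.asp in two different folders does not collide.
        set "NAME=%%F"
        set "NAME=!NAME::=!"
        set "NAME=!NAME:\=_!"

        "%SCANNER%" /input="%%F" /output="%OUT_DIR%\!NAME!.xml"

        rem The meaning of the exit code is not documented on this page;
        rem a nonzero value is only recorded so the file gets a manual look.
        if errorlevel 1 (
            set /a FLAGGED+=1
            >>"%OUT_DIR%\nonzero-exit.txt" echo %%F
        )
    )
)

echo Scanned %TOTAL% file^(s^); %FLAGGED% returned a nonzero exit code.
endlocal
```

Each generated report can then be opened with msscasi_view.cmd as described above.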
