Snitz Forums 2000
Snitz Forums 2000
Home | Profile | Register | Active Topics | Members | Search | FAQ
 All Forums
 Announcements
 Announcements: Community
 Microsoft ASP Code Analyzer for SQL Injection

Note: You must be registered in order to post a reply.
To register, click here. Registration is FREE!
Before posting, make sure you have read this topic!

Screensize:
UserName:
Password:
Format Mode:
Format: BoldItalicizedUnderlineStrikethrough Align LeftCenteredAlign Right Horizontal Rule Insert HyperlinkInsert EmailInsert Image Insert CodeInsert QuoteInsert List
   
Message:

* HTML is OFF
* Forum Code is ON
Smilies
Smile [:)] Big Smile [:D] Cool [8D] Blush [:I]
Tongue [:P] Evil [):] Wink [;)] Clown [:o)]
Black Eye [B)] Eight Ball [8] Frown [:(] Shy [8)]
Shocked [:0] Angry [:(!] Dead [xx(] Sleepy [|)]
Kisses [:X] Approve [^] Disapprove [V] Question [?]

 
   

T O P I C    R E V I E W
ruirib Posted - 01 July 2008 : 02:44:41
Haven't really tested it, but it's interesting nonetheless:

http://support.microsoft.com/kb/954476<
15   L A T E S T    R E P L I E S    (Newest First)
ruirib Posted - 16 January 2009 : 19:08:17
Thanks for the info .<
Lon2 Posted - 16 January 2009 : 18:01:09
Thanks for the info, Rui! I'll shoot one back at ya. I've used Scrawlr to help find a few vulnerabilities in our applications. Appearantly Hewlett Packard was contracted by Microsoft to help come up with some SQL Injection Tools and they offer this one as a freebie now. For whatever it's worth.

Download: https://download.spidynamics.com/products/scrawlr/
Forum: http://www.communities.hp.com/securitysoftware/forums/198.aspx

<
Etymon Posted - 10 August 2008 : 04:29:45
Just an FYI ...

Microsoft upgraded the tool to version 1.3 in mid-July and downgraded the .NET requirement within this version from 3.0 to 2.0.<
ruirib Posted - 07 August 2008 : 18:17:03
You can trust the holes it finds, but if it fails to find any, you cannot conclude the code is bug free. Manual analysis is the only way to be sure the code is safe.<
Etymon Posted - 07 August 2008 : 17:40:44
Guys,

How accurate is this tool? I mean, if I run it against installed MODs and such and it says they are OK, can I leave it at that or is there something more I need to do?<
HuwR Posted - 02 July 2008 : 15:49:54
quote:
Originally posted by Astralis

This is good. I had a dream last night that I found that "script" injection all over my sites again. It requires NET 3.0, but does anyone know if you have NET 3.5, will it matter?

no it won't matter, I have all versions of .net installed<
AnonJr Posted - 02 July 2008 : 14:56:44
Last I checked, it shouldn't matter... but we all know how that goes. <
Astralis Posted - 02 July 2008 : 14:50:17
This is good. I had a dream last night that I found that "script" injection all over my sites again. It requires NET 3.0, but does anyone know if you have NET 3.5, will it matter?<
ruirib Posted - 01 July 2008 : 18:20:34
Please don't use this thread to ask for help using the tool. This is an Announcements thread. The tool has a readme file and is supported by Microsoft.

I would add that the app doesn't need to be in the same folder as the asp files, but the readme has all the relevant info.<
RArch Posted - 01 July 2008 : 17:37:13
Also tried the following but I get the same error!

MSSCASI_ASP.exe /input="c:\forum\post_info.asp"<
RArch Posted - 01 July 2008 : 17:35:27
Guys what am I doing wrong! ?

=== DOS box ===
C:\forum>MSSCASI_ASP.exe /input="post_info.asp"
Microsoft (R) Source Code Analyzer for SQL Injection Version 1.3.30601.30622
Copyright (C) Microsoft Corporation. All rights reserved.

** msscasi_asp failure: Count must be positive and count must refer to a location within the string/array/collection.
Parameter name: count
** msscasi_asp failure: cannot load file "post_info.asp".
=================

I've moved the forum folder under to the root of C since it was nested very deep with My Documents. I've tried adding the path to msscasi_asp to the environment variable path, also tried with the files within the forum folder and I still get the same error!

Any ideas?
<
HuwR Posted - 01 July 2008 : 14:10:53
yes, seems to work spot on too.<
ruirib Posted - 01 July 2008 : 13:46:23
This tool and Microsoft's support for it are looking pretty good. This can really make a difference in protecting ASP files against SQL Injection.<
HuwR Posted - 01 July 2008 : 11:22:03
cool, although it didn't take very long to run through the forum files by hand, without the inc_xxxxx files and the admin files there are only about 30 files that need testing<
AnonJr Posted - 01 July 2008 : 11:17:55
Looks like they posted some VBScript to run through a directory - from http://blogs.msdn.com/sqlsecurity/archive/2008/06/27/getting-started-with-microsoft-source-code-analyzer-for-sql-injection.aspx

ON ERROR RESUME NEXT

 

If WScript.Arguments.Count = 0 Then

   WScript.Echo "Usage: " + WScript.ScriptName + " sourcedirectory"

   WScript.Quit(0)

End If

 

ProcessFolder WScript.Arguments(0)

 

Sub ProcessFolder(ByVal folderspec)

   Dim fso, f, f1, fc, s, sf

   Dim strInputFile

   Set fso = CreateObject("Scripting.FileSystemObject")

   Set f = fso.GetFolder(folderspec)

   Set fc = f.Files

 

   For Each f1 in fc

        If StrComp(LCase(Mid (f1,Len(f1)-3,4)), ".asp") = 0 Then

 

            strInputFile = f1.Path 'f.Path + "\" + f1

            ASPScan (strInputFile)

        End If

   Next

   

   Set sf = f.SubFolders

   For Each f2 in sf

          ProcessFolder f2.Path

   Next

End Sub

 

Sub ASPScan (ByVal strInputFile)

    ON ERROR RESUME NEXT

    Err.Clear

    

      Dim WshShell, oExec

      Dim strCommand

      Dim sTime, strBinary

      

      GenerateSQLInjectionFile = true

      Set WshShell = CreateObject("WScript.Shell")

 

    strBinary = GetShortFolderName (GetScriptPath()) + "\" + GetShortFileName ("msscasi_asp.exe")

    strCommand = "cmd.exe /c " + strBinary + " /input=""" + strInputFile + """ /Nologo >>" + GetShortFolderName (GetScriptPath()) + "\output.txt"

 

      Set oExec = WshShell.Exec(strCommand)

 

    sTime = Now   

      Do While (oExec.Status = 0) 

             WScript.Sleep 1000

      Loop

 

      Set oExec = Nothing

      Set WshShell = Nothing

End Sub

 

Function GetScriptPath ()

    Dim strPath

    strPath = WScript.ScriptFullName

    strPath = Mid (strPath, 1, InstrRev(strPath,"\")-1)

    GetScriptPath = strPath

End Function

 

Function GetShortFolderName(ByVal filespec)

   Dim fso, f, s

   Set fso = CreateObject("Scripting.FileSystemObject")

   Set f = fso.GetFolder(filespec)

   GetShortFolderName = f.ShortPath

End Function

 

Function GetShortFileName(ByVal filespec)

   Dim fso, f, s

   Set fso = CreateObject("Scripting.FileSystemObject")

   Set f = fso.GetFile(filespec)

   GetShortFileName = f.ShortName 

End Function


quote:
Create a VBScript file (.vbs) with the above content, place it in the folder where the tool is located and execute the script providing absolute path of the folder containing ASP code. The script will generate the file output.txt with the concatenated tool output in the folder where the tool and script files are located. Please modify the script according to your needs, for example, if your ASP code uses virtual file includes or if you have a global.asa then you will need to pass /IncludePaths and /GlobalAsaPaths parameters to the tool in ASPScan function.
<

Snitz Forums 2000 © 2000-2021 Snitz™ Communications Go To Top Of Page
This page was generated in 0.05 seconds. Powered By: Snitz Forums 2000 Version 3.4.07