Snitz Forums 2000
Announcements: Community
Microsoft ASP Code Analyzer for SQL Injection
ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 01 July 2008 :  02:44:41
Haven't really tested it, but it's interesting nonetheless:

http://support.microsoft.com/kb/954476

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 01 July 2008 :  04:17:13
Looks pretty good, I tried it against a file I knew was vulnerable and it found the problem.

I then ran it against the base forum files which were ALL ok.

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 01 July 2008 :  04:26:23
Yeah, it may help with the recent batch of SQL Injection attacks.
The info about the forum files is reassuring, even more so because it confirms my own findings on the 2 or 3 times I ran a manual analysis.

AnonJr
Moderator

United States
5768 Posts

Posted - 01 July 2008 :  07:59:20
I haven't had a chance to read the directions in-depth, but it looks like it only checks one page at a time. Did you guys set up a batch file or some other automation script to run it through all the files?

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 01 July 2008 :  08:05:13
No, I did it by hand. You don't need to do the inc_xxxxx files as it does that for you.

Podge
Support Moderator

Ireland
3775 Posts

Posted - 01 July 2008 :  08:13:33
Bummer. I just have dotnet 1.1 at work. Have to wait until I get home to try it.

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 01 July 2008 :  08:15:04
It is definitely the best one I have tried so far, the last ones I tried were worse than useless.

AnonJr
Moderator

United States
5768 Posts

Posted - 01 July 2008 :  11:17:55
Looks like they posted some VBScript to run through a directory - from http://blogs.msdn.com/sqlsecurity/archive/2008/06/27/getting-started-with-microsoft-source-code-analyzer-for-sql-injection.aspx

' Recursively run msscasi_asp.exe over every .asp file under the given folder,
' appending the tool's output to output.txt next to this script.
ON ERROR RESUME NEXT

If WScript.Arguments.Count = 0 Then
   WScript.Echo "Usage: " + WScript.ScriptName + " sourcedirectory"
   WScript.Quit(0)
End If

ProcessFolder WScript.Arguments(0)

Sub ProcessFolder(ByVal folderspec)
   Dim fso, f, f1, f2, fc, sf
   Dim strInputFile
   Set fso = CreateObject("Scripting.FileSystemObject")
   Set f = fso.GetFolder(folderspec)
   Set fc = f.Files

   ' Scan every file in this folder whose name ends in .asp (case-insensitive)
   For Each f1 in fc
        If StrComp(LCase(Mid(f1, Len(f1)-3, 4)), ".asp") = 0 Then
            strInputFile = f1.Path
            ASPScan strInputFile
        End If
   Next

   ' Then descend into each subfolder
   Set sf = f.SubFolders
   For Each f2 in sf
          ProcessFolder f2.Path
   Next
End Sub

Sub ASPScan(ByVal strInputFile)
    ON ERROR RESUME NEXT
    Err.Clear
    Dim WshShell, oExec
    Dim strCommand, strBinary

    Set WshShell = CreateObject("WScript.Shell")

    ' Use 8.3 short names so paths containing spaces need no extra quoting;
    ' the tool is looked up in the script's own folder rather than the current directory
    strBinary = GetShortFolderName(GetScriptPath()) + "\" + GetShortFileName(GetScriptPath() + "\msscasi_asp.exe")
    strCommand = "cmd.exe /c " + strBinary + " /input=""" + strInputFile + """ /Nologo >>" + GetShortFolderName(GetScriptPath()) + "\output.txt"

    Set oExec = WshShell.Exec(strCommand)

    ' Wait for the analyzer to finish before moving on to the next file
    Do While (oExec.Status = 0)
           WScript.Sleep 1000
    Loop

    Set oExec = Nothing
    Set WshShell = Nothing
End Sub

' Folder containing this script (and, per the blog post, msscasi_asp.exe)
Function GetScriptPath()
    Dim strPath
    strPath = WScript.ScriptFullName
    strPath = Mid(strPath, 1, InstrRev(strPath, "\")-1)
    GetScriptPath = strPath
End Function

Function GetShortFolderName(ByVal filespec)
   Dim fso, f
   Set fso = CreateObject("Scripting.FileSystemObject")
   Set f = fso.GetFolder(filespec)
   GetShortFolderName = f.ShortPath
End Function

Function GetShortFileName(ByVal filespec)
   Dim fso, f
   Set fso = CreateObject("Scripting.FileSystemObject")
   Set f = fso.GetFile(filespec)
   GetShortFileName = f.ShortName
End Function

quote:
Create a VBScript file (.vbs) with the above content, place it in the folder where the tool is located and execute the script providing the absolute path of the folder containing ASP code. The script will generate the file output.txt with the concatenated tool output in the folder where the tool and script files are located. Please modify the script according to your needs, for example, if your ASP code uses virtual file includes or if you have a global.asa then you will need to pass /IncludePaths and /GlobalAsaPaths parameters to the tool in ASPScan function.

Edited by - AnonJr on 01 July 2008 11:18:51
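The thread describes two things without showing them: what the analyzer is looking for (HuwR's "file I knew was vulnerable") and how the VBScript above feeds it a whole folder tree. The following is an added example, not code from this thread, from the MSDN blog, or from Microsoft's tool: a small forward taint check in Python that walks a folder for .asp files the same way the VBScript does and flags lines where data read from Request reaches Execute or Open by string concatenation. Two constructed ASP snippets are embedded as sample input, one building the query by concatenation and one using a parameterized ADODB.Command, so you can see what gets flagged and what does not. Nothing here reflects msscasi_asp's actual rules; file names, variable names and the samples are assumptions made for the example.

```python
import os
import re
import tempfile
from typing import Dict, List, Set, Tuple

Finding = Tuple[int, str]  # (line number, offending source line)

# Attacker-controlled input: Request("x"), Request.Form("x"), Request.QueryString("x"), ...
TAINT_SOURCE = re.compile(
    r"\bRequest(?:\.(?:QueryString|Form|Cookies|ServerVariables))?\s*\(", re.I)
# VBScript assignment "name = expr"; dotted names are kept so cmd.CommandText = sql is tracked.
ASSIGN = re.compile(r"^\s*(?!Set\b)([A-Za-z_][\w.]*)\s*=\s*(.+?)\s*$", re.I)
# Where query text reaches the database: obj.Execute(arg), obj.Execute arg, rs.Open arg, conn
SINK = re.compile(r"(?P<obj>[A-Za-z_]\w*)\.(?:Execute|Open)\b\s*\(?\s*(?P<arg>[^)]*)", re.I)
STRING_LIT = re.compile(r'"(?:[^"]|"")*"')  # VBScript string literal ("" is an escaped quote)
IDENT = re.compile(r"[A-Za-z_][\w.]*")


def strip_comment(line: str) -> str:
    """Drop a trailing ' comment, ignoring apostrophes inside string literals."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line


def is_tainted(expr: str, tainted: Set[str]) -> bool:
    """True if expr reads Request directly or names a variable already marked tainted."""
    if TAINT_SOURCE.search(expr):
        return True
    code_only = STRING_LIT.sub('""', expr)  # words inside SQL text are not variables
    return any(tok.lower() in tainted for tok in IDENT.findall(code_only))


def scan_source(src: str) -> List[Finding]:
    """Flag lines where request-derived text is executed as SQL (forward taint tracking)."""
    findings: List[Finding] = []
    tainted: Set[str] = set()
    for lineno, raw in enumerate(src.splitlines(), 1):
        line = strip_comment(raw)
        m = ASSIGN.match(line)
        if m:
            name, rhs = m.group(1).lower(), m.group(2)
            if is_tainted(rhs, tainted):
                tainted.add(name)      # strSql = "..." & postId propagates the taint
            else:
                tainted.discard(name)  # a clean reassignment clears it
        s = SINK.search(line)
        if s and (is_tainted(s.group("arg"), tainted)
                  or f"{s.group('obj').lower()}.commandtext" in tainted):
            findings.append((lineno, raw.strip()))
    return findings


def scan_tree(root: str) -> Dict[str, List[Finding]]:
    """Walk a folder recursively, like the forum's VBScript, scanning every *.asp file."""
    results: Dict[str, List[Finding]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(".asp"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    results[os.path.relpath(path, root)] = scan_source(fh.read())
    return results


# Constructed sample: query text built by concatenating request data (lines 7 and 8 are flagged).
VULNERABLE_ASP = """\
<%
' Constructed sample: request data concatenated straight into SQL text.
Dim postId, userName, strSql, rs
postId = Request.QueryString("id")
userName = Request.Form("name")
strSql = "SELECT * FROM posts WHERE id = " & postId
Set rs = conn.Execute(strSql)
rs.Open "SELECT * FROM members WHERE name = '" & userName & "'", conn
%>
"""

# Constructed sample: the same lookup with a bound parameter (adInteger = 3, adParamInput = 1).
HARDENED_ASP = """\
<%
' Constructed sample: parameterized ADODB.Command; the SQL text never contains user data.
Dim postId, cmd, rs
postId = Request.QueryString("id")
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT * FROM posts WHERE id = ?"
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , CLng(postId))
Set rs = cmd.Execute
%>
"""


def demo() -> Dict[str, List[Finding]]:
    """Write both samples into a scratch folder tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        with open(os.path.join(root, "vuln_sample.asp"), "w", encoding="utf-8") as fh:
            fh.write(VULNERABLE_ASP)
        with open(os.path.join(root, "sub", "safe_sample.asp"), "w", encoding="utf-8") as fh:
            fh.write(HARDENED_ASP)
        return scan_tree(root)
```

Running `demo()` reports two findings in vuln_sample.asp (the Execute of the concatenated strSql and the inline rs.Open) and none in sub/safe_sample.asp, where the request value only ever reaches a bound parameter. The check is deliberately line-oriented: it does not follow include files (the real tool's /IncludePaths option exists for that), does not see data flowing through function calls, and treats any reassignment from a clean expression as clearing the taint, so it is a teaching aid for what "flagged" means, not a replacement for the analyzer.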

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 01 July 2008 :  11:22:03
Cool, although it didn't take very long to run through the forum files by hand; without the inc_xxxxx files and the admin files there are only about 30 files that need testing.

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 01 July 2008 :  13:46:23
This tool and Microsoft's support for it are looking pretty good. This can really make a difference in protecting ASP files against SQL Injection.

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 01 July 2008 :  14:10:53
Yes, seems to work spot on too.

RArch
Junior Member

United Kingdom
103 Posts

Posted - 01 July 2008 :  17:35:27
Guys, what am I doing wrong!?

=== DOS box ===
C:\forum>MSSCASI_ASP.exe /input="post_info.asp"
Microsoft (R) Source Code Analyzer for SQL Injection Version 1.3.30601.30622
Copyright (C) Microsoft Corporation. All rights reserved.

** msscasi_asp failure: Count must be positive and count must refer to a location within the string/array/collection.
Parameter name: count
** msscasi_asp failure: cannot load file "post_info.asp".
=================

I've moved the forum folder to the root of C: since it was nested very deep under My Documents. I've tried adding the path to msscasi_asp to the PATH environment variable, and also tried with the files within the forum folder, and I still get the same error!

Any ideas?

RArch
Junior Member

United Kingdom
103 Posts

Posted - 01 July 2008 :  17:37:13
Also tried the following but I get the same error!

MSSCASI_ASP.exe /input="c:\forum\post_info.asp"

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 01 July 2008 :  18:20:34
Please don't use this thread to ask for help using the tool. This is an Announcements thread. The tool has a readme file and is supported by Microsoft.

I would add that the app doesn't need to be in the same folder as the asp files, but the readme has all the relevant info.

Astralis
Senior Member

USA
1218 Posts

Posted - 02 July 2008 :  14:50:17
This is good. I had a dream last night that I found that "script" injection all over my sites again. It requires .NET 3.0, but does anyone know if you have .NET 3.5, will it matter?

AnonJr
Moderator

United States
5768 Posts

Posted - 02 July 2008 :  14:56:44
Last I checked, it shouldn't matter... but we all know how that goes.

Snitz Forums 2000 © 2000-2021 Snitz™ Communications
This page was generated in 0.11 seconds. Powered By: Snitz Forums 2000 Version 3.4.07