Microsoft ASP Code Analyzer for SQL Injection

Snitz™ Forums 2000
https://forum.snitz.com/forumTopic/Posts/67379?pagenum=1
05 November 2025, 05:15

Topic


ruirib
Microsoft ASP Code Analyzer for SQL Injection
01 July 2008, 02:44


Haven't really tested it, but it's interesting nonetheless:

http://support.microsoft.com/kb/954476

Replies ...


HuwR
01 July 2008, 04:17


Looks pretty good. I tried it against a file I knew was vulnerable and it found the problem.

I then ran it against the base forum files, which were ALL ok.
ruirib
01 July 2008, 04:26


Yeah, it may help with the recent batch of SQL Injection attacks. The info about the forum files is reassuring, even more so because it confirms my own findings on the 2 or 3 times I ran a manual analysis smile.
AnonJr
01 July 2008, 07:59


I haven't had a chance to read the directions in-depth, but it looks like it only checks one page at a time. Did you guys set up a batch file or some other automation script to run it through all the files?
HuwR
01 July 2008, 08:05


No, I did it by hand smile. You don't need to do the inc_xxxxx files as it does that for you.
Podge
01 July 2008, 08:13


Bummer. I just have dotnet 1.1 at work. Have to wait until I get home to try it.
HuwR
01 July 2008, 08:15


It is definitely the best one I have tried so far; the last ones I tried were worse than useless.
AnonJr
01 July 2008, 11:17


Looks like they posted some VBScript to run through a directory - from http://blogs.msdn.com/sqlsecurity/archive/2008/06/27/getting-started-with-microsoft-source-code-analyzer-for-sql-injection.aspx

Code:
ON ERROR RESUME NEXT

If WScript.Arguments.Count = 0 Then
    WScript.Echo "Usage: " + WScript.ScriptName + " sourcedirectory"
    WScript.Quit(0)
End If

ProcessFolder WScript.Arguments(0)

' Walk one folder: scan every *.asp file in it, then recurse into its subfolders.
Sub ProcessFolder(ByVal folderspec)
    Dim fso, f, f1, f2, fc, sf
    Dim strInputFile
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.GetFolder(folderspec)
    Set fc = f.Files

    For Each f1 in fc
        ' Compare the extension rather than the last four characters, so short file names cannot raise an error
        If LCase(fso.GetExtensionName(f1.Name)) = "asp" Then
            strInputFile = f1.Path
            ASPScan strInputFile
        End If
    Next

    Set sf = f.SubFolders
    For Each f2 in sf
        ProcessFolder f2.Path
    Next
End Sub

' Run msscasi_asp.exe on one file and append its output to output.txt next to the script.
Sub ASPScan(ByVal strInputFile)
    ON ERROR RESUME NEXT
    Err.Clear

    Dim WshShell, oExec
    Dim strCommand
    Dim strBinary

    Set WshShell = CreateObject("WScript.Shell")

    ' Resolve the tool relative to the script's own folder, so the script works from any current directory
    strBinary = GetShortFolderName(GetScriptPath()) + "\" + GetShortFileName(GetScriptPath() + "\msscasi_asp.exe")
    strCommand = "cmd.exe /c " + strBinary + " /input=""" + strInputFile + """ /Nologo >>" + GetShortFolderName(GetScriptPath()) + "\output.txt"

    Set oExec = WshShell.Exec(strCommand)

    ' Wait for the tool to finish before the next file starts, so output.txt is not interleaved
    Do While (oExec.Status = 0)
        WScript.Sleep 1000
    Loop

    Set oExec = Nothing
    Set WshShell = Nothing
End Sub

' Folder that contains this script
Function GetScriptPath()
    Dim strPath
    strPath = WScript.ScriptFullName
    strPath = Mid(strPath, 1, InstrRev(strPath, "\") - 1)
    GetScriptPath = strPath
End Function

' 8.3 short names avoid quoting problems with spaces when the command is passed to cmd.exe
Function GetShortFolderName(ByVal filespec)
    Dim fso, f
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.GetFolder(filespec)
    GetShortFolderName = f.ShortPath
End Function

Function GetShortFileName(ByVal filespec)
    Dim fso, f
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.GetFile(filespec)
    GetShortFileName = f.ShortName
End Function

Create a VBScript file (.vbs) with the above content, place it in the folder where the tool is located and execute the script, providing the absolute path of the folder containing ASP code. The script will generate the file output.txt with the concatenated tool output in the folder where the tool and script files are located. Please modify the script according to your needs; for example, if your ASP code uses virtual file includes or if you have a global.asa, then you will need to pass the /IncludePaths and /GlobalAsaPaths parameters to the tool in the ASPScan function.
HuwR
01 July 2008, 11:22


Cool, although it didn't take very long to run through the forum files by hand. Without the inc_xxxxx files and the admin files there are only about 30 files that need testing.
ruirib
01 July 2008, 13:46


This tool and Microsoft's support for it are looking pretty good. This can really make a difference in protecting ASP files against SQL Injection.
HuwR
01 July 2008, 14:10


Yes, seems to work spot on too.
RArch
01 July 2008, 17:35


Guys, what am I doing wrong!?
=== DOS box ===
C:\forum>MSSCASI_ASP.exe /input="post_info.asp"
Microsoft (R) Source Code Analyzer for SQL Injection Version 1.3.30601.30622
Copyright (C) Microsoft Corporation. All rights reserved.
** msscasi_asp failure: Count must be positive and count must refer to a location within the string/array/collection. Parameter name: count
** msscasi_asp failure: cannot load file "post_info.asp".
=================

I've moved the forum folder to the root of C: since it was nested very deep within My Documents. I've tried adding the path to msscasi_asp to the environment variable path, and also tried with the files within the forum folder, and I still get the same error!
Any ideas?
RArch
01 July 2008, 17:37


Also tried the following, but I get the same error!
MSSCASI_ASP.exe /input="c:\forum\post_info.asp"
ruirib
01 July 2008, 18:20


Please don't use this thread to ask for help using the tool. This is an Announcements thread. The tool has a readme file and is supported by Microsoft.
I would add that the app doesn't need to be in the same folder as the ASP files, but the readme has all the relevant info.
Astralis
02 July 2008, 14:50


This is good. I had a dream last night that I found that "script" injection all over my sites again. It requires .NET 3.0, but does anyone know if you have .NET 3.5, will it matter?
AnonJr
02 July 2008, 14:56


Last I checked, it shouldn't matter... but we all know how that goes. tongue
HuwR
02 July 2008, 15:49


Originally posted by Astralis:
    This is good. I had a dream last night that I found that "script" injection all over my sites again. It requires .NET 3.0, but does anyone know if you have .NET 3.5, will it matter?

No, it won't matter; I have all versions of .NET installed.
Etymon
07 August 2008, 17:40


Guys,

How accurate is this tool? I mean, if I run it against installed MODs and such and it says they are OK, can I leave it at that, or is there something more I need to do?
ruirib
07 August 2008, 18:17


You can trust the holes it finds, but if it fails to find any, you cannot conclude the code is bug free. Manual analysis is the only way to be sure the code is safe.
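To make the caveat above concrete, here is an added Python sketch (not Microsoft's tool and not Snitz code) of the kind of one-hop check a static SQL injection analyzer performs, run over a constructed classic-ASP fragment. It flags a Request value concatenated into a SQL string directly or via one intermediate variable, leaves a numeric cast and a parameterized ADODB.Command alone, and would miss anything routed through a second variable or a function, which is why a clean report is not proof of safety.

```python
import re

# Constructed classic-ASP fragment (not from the forum or the Snitz code base):
# direct concatenation, a CLng cast, a copy-then-concatenate, and a parameterized command.
SAMPLE_ASP = """\
<%
strSql = "SELECT * FROM FORUM_TOPICS WHERE TOPIC_ID = " & Request.QueryString("TOPIC_ID")
Set rs = my_Conn.Execute(strSql)
intId = CLng(Request.Form("id"))
strSql2 = "SELECT * FROM FORUM_MEMBERS WHERE MEMBER_ID = " & intId
strName = Request.Form("name")
strSql3 = "SELECT * FROM FORUM_MEMBERS WHERE M_NAME = '" & strName & "'"
Set cmd = Server.CreateObject("ADODB.Command")
cmd.CommandText = "SELECT * FROM FORUM_MEMBERS WHERE M_NAME = ?"
cmd.Parameters.Append cmd.CreateParameter("name", 200, 1, 50, Request.Form("name"))
%>
"""

SQL_STRING = re.compile(r'"\s*(SELECT|INSERT|UPDATE|DELETE)\b', re.IGNORECASE)
REQUEST_CALL = re.compile(r'\bRequest(?:\.\w+)?\s*\(', re.IGNORECASE)
# A variable assigned straight from Request, with no cast in between, is treated as tainted.
TAINT_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*Request(?:\.\w+)?\s*\(', re.IGNORECASE)


def scan_asp(source):
    """One-hop heuristic: return (line_no, reason) for lines that build a SQL
    string and concatenate a Request value or a variable copied directly from one."""
    tainted = set()
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        m = TAINT_ASSIGN.match(line)
        if m:
            tainted.add(m.group(1).lower())
        if SQL_STRING.search(line) and "&" in line:
            if REQUEST_CALL.search(line):
                findings.append((no, "Request value concatenated into SQL"))
                continue
            for var in tainted:
                if re.search(r"\b" + re.escape(var) + r"\b", line, re.IGNORECASE):
                    findings.append((no, f"variable '{var}' copied from Request concatenated into SQL"))
                    break
    return findings


if __name__ == "__main__":
    for no, msg in scan_asp(SAMPLE_ASP):
        print(f"line {no}: {msg}")
```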
Etymon
10 August 2008, 04:29


Just an FYI ...
Microsoft upgraded the tool to version 1.3 in mid-July and downgraded the .NET requirement within this version from 3.0 to 2.0.
Lon2
16 January 2009, 18:01


Thanks for the info, Rui! I'll shoot one back at ya. I've used Scrawlr to help find a few vulnerabilities in our applications. Apparently Hewlett Packard was contracted by Microsoft to help come up with some SQL Injection tools, and they offer this one as a freebie now. For whatever it's worth.
Download: https://download.spidynamics.com/products/scrawlr/
Forum: http://www.communities.hp.com/securitysoftware/forums/198.aspx
ruirib
16 January 2009, 19:08


Thanks for the info smile.
© 2000-2021 Snitz™ Communications