Microsoft Source Code Analyzer for SQL Injection Tool - Find SQL Injection Problems

SQL Injection is probably a huge problem today, especially given all the old classic ASP websites sitting around on the internet that were built when ASP Website Security was less discussed and the frameworks and tools themselves didn't offer much help with SQL Injection like you get with ASP.NET.

Over the past few months I have been involved in a pretty large conversion of a classic ASP and VBScript Website to ASP.NET Webforms and C#. The website had all kinds of problems wth respect to SQL Injection and Cross-Site Scripting that I am surprised it made it all these years with no incidences.

In this case the lack of parameterized queries, proper input validation, and HTML encoding was pretty obvious. There were hackish attempts to detect malicious input in form values and querystrings, but they were nothing compared to using Regular Expressions and various validation frameworks, like the Enterprise Library Validation Application Block.

To be fair this website had been running for years and I don't know anyone worth their salt that wouldn't look back at their own code after several years and think of a number of improvements. The volatile topics of ASP.NET Website Security is such a moving target that it is hard to stay up on the best practices.

Microsoft Source Code Analyzer for SQL Injection Tool

While I was surfing today I bumped into a tool by Microsoft that might be of value to those web developers dealing with maintaining, improving, or threat modeling classic ASP websites, called Microsoft Source Code Analyzer for SQL Injection Tool.

It only targets Classic ASP Websites that use VBScript. It will attempt to detect SQL Injection vulnerabilities in the code. Note I have not used it as I have no need for it at this moment, but I definitely would have given it a try if I had know about it a couple months ago when neck keep into ASP and VBScript Code.

The tool will apparently generate the following warnings if SQL Injection problems are detected with the page:

• 80400 - Possible SQL injection vulnerability through data that is read from the Request object without any input validation. These warnings are very likely bugs that must be fixed.
• 80406 - Possible SQL injection vulnerability through data that is read from the Request object where the input is passed through some unknown function calls that might perform data validation. If there is no data validation performed inside the function call, these are very likely bugs. Otherwise, these are false positives.
• 80403 - Possible SQL injection vulnerability through data that comes from a back-end server. If the data is controlled by an end-user through some other Web site, these are very likely bugs. However, if the data is well trusted, these may not be bugs. It is still a good practice to parameterize these queries as part of a defense-in-depth strategy.
• 80407 - Possible SQL injection vulnerability through data that comes from a back-end server and that is passed through some unknown function calls. If the data is controlled by an end-user through some other Web sites, and if there is no data validation performed on this data, these are very likely bugs.
• 80420 - Possible SQL injection vulnerability through function parameters. These warnings are generated at function scope. Therefore, if the function parameter values come from trusted sources, these are false positives. If the parameter values are controlled by end-users, these are very likely bugs. You can use the __sql_pre_validated annotation on the function parameters to detect whether end-users can reach this code.
• 80421 - Possible SQL injection vulnerability through function parameters, and the function parameters are passed through some unknown function calls that might perform data validation. You can use the __sql_pre_validated annotation on the function parameters and __sql_validate on the validation function to detect whether end-users can reach this code.

If you are in charge of any Classic ASP VbScript websites and want to double-check your SQL Injection vulnerabilities, it could never hurt to use the Microsoft Source Code Analyzer for SQL Injection Tool. Better safe than sorry :)

Download it here.

SQL Injection Tutorials

• SQL Injection Attacks Tool - Download UrlScan 3.0 - ASP.NET Security Best Practices
• SQL Injection Attacks - Parameterized Queries - Regular Expressions - ASP.NET Security Best Practices
• Website Security - ASP.NET Security - SQL Injection Attacks
• SQL Injection Attacks - Testing Vulnerabilities - Validating Input - Handling Exceptions - Hashing Passwords - Encrypting Connection Strings
• Microsoft Developer Security Resource Kit - Security Best Practices CheckLists and Developer Tools
• Encrypt Connection Strings AppSettings and Web.Config in ASP.NET 2.0 - Security Best Practices
• Cross-Site Scripting - ASP.NET Security - RegularExpressionValidator Control and Regex.IsMatch - HttpUtility.HtmlEncode
• .NET Security Risks and Vulnerabilities - Digital Blackbelt Series - Defend Your .NET Code

Topics

• Acceptance Test Engineering Guidance
• Application Architecture Guide
• ASP.NET MVC Framework
• Composite Application Guidance for WPF
• Enterprise Library
• Managed Extensibility Framework
• Prism
• Repository Factory
• Smart Client Software Factory
• Unity
• Web Client Software Factory
• Web Service Software Factory

Popular Tags

• AcceptanceTestGuidance
• ADODataServices
• ADONET
• ADONETEntityFramework
• Agile
• AJAX
• AltNetConf
• AOP
• ApplicationArchitectureGuide
• ApplicationBlockSoftwareFactory
• AppSettings
• ArchitectureJournal
• ArchitectureJournalReader
• ArgumentValidationException
• AuthorizationRulesService
• AuthorizationService
• AutocompleteGuidanceBundle
• Autofac
• BlackBerryStorm
• Caliburn
• CastleActiveRecord
• CastleWindsor
• CodeContracts
• CodeGeneration
• CompositeApplicationLibrary
• CompositeWebApplicationBlock
• CompositeWebClientAutomation
• ConfigurationSectionEncryption
• ContextAutoCompleteExtender
• CrossSiteScripting
• DataAccessApplicationBlock
• DataAccessBlockExtension
• DataAccessGuidancePackage
• DataAccessLayer
• DataContract
• DayOfPnP
• DependencyInjection
• DesignByContract
• DSL
• DynamicData
• DynamicProxy
• EnterpriseLibrary
• EnterpriseLibrary4
• EnterpriseLibrary5
• EnterpriseLibraryCoreExtension
• EntityFramework
• EntLibConfigurationEditor
• EnvironmentalOverrides
• F#
• Frameworks
• FSharp
• Gallio
• GAT
• GAX
• GuidanceBundles
• GuidanceExplorer
• IASA
• IControllerFactory
• IoC
• iPhone
• IronPython
• jQuery
• LightSpeed
• LinFu
• LINQ
• LinqToSql
• LoggingApplicationBlock
• LoggingBlockExtension
• ManagedExtensibilityFramework
• MassTransit
• MembershipProvider
• MessageTemplateTokens
• ModelViewPresenter
• ModularityBundle
• ModuleInitializer
• Moq
• MSMQ
• MVC
• MVPBundle
• NetFramework4
• NHibernate
• Ninject
• NServiceBus
• ObjectBuilder
• ObjectContainerDataSource
• OrlandoCodeCamp
• ORMapper
• PageFlowApplicationBlock
• PartialClasses
• PassiveView
• PerformanceTesting
• PolicyInjectionApplicationBlock
• PostSharp
• Prism
• PropertyProxyValidator
• Rails
• RealTimeSearchMonitor
• Reflector
• ReSharper
• RhinoMocks
• RhinoServiceBus
• RoleProvider
• Ruby
• SCSF
• SCSFContrib
• SearchBundle
• SecurityApplicationBlock
• ServerSideValidationExtender
• ServiceContract
• ServiceFactory
• Sharepoint
• Silverlight
• SimpleStateMachine
• SiteMapBuilderService
• SoftwareFactories
• Speaking
• SpecSharp
• SpringFramework
• SQLInjection
• SQLSaturday
• SQLServer
• SQLServer2008
• StateValue
• StaticFactoryExtension
• StructureMap
• StyleCop
• Subversion
• SupervisingController
• T4
• TD
• TDD
• TFSPowerTools
• Tools
• TreeSurgeon
• Typemock
• UnitTesing
• UnitTesting
• Unity
• Unity2
• ValidationApplicationBlock
• ValidationCallHandler
• ValidationGuidanceBundle
• Velocity
• VisualStudio
• VisualStudio2010
• Volta
• WCF
• WCFSecurity
• WCSF
• WCSFContrib
• WebClientAuthorizationModule
• WF
• Windows7
• WindowsAzure
• WPF
• WPFCompositeClient
• XNA
• xUnit
• Zune

Recent Links

• Windows Phone 7 Developer Tools and Training Kit
• Enterprise Library 5 and Unity 2 Beta 2 Downloads
• Installing Software on Web Servers and Desktop PC's using Web Platform Installer
• Spark View Engine Updated for ASP.NET MVC 2 RTM
• ASP.NET MVC 2 Source Code and Futures Downloads Available - Visual Studio 2008
• Download ASP.NET MVC 2 RTM for Visual Studio 2008
• Mac Web Design with RapidWeaver - Create a Blog
• Sharpy ASP.NET MVC View Engine like PHP View Engine Smarty
• PHP and Web Developer IDE - WebStorm and PhpStorm
• ASP.NET 4 Web Forms Routing
• What's New in ASP.NET 4 at Orlando Code Camp
• YouTube Software Development Kit for .NET Developers
• Leveraging ASP.NET MVC - Web Forms - DynamicData - Castle ActiveRecord
• Sarasota Web Development Group - First Meeting Recap
• Enterprise Library 5 ConfigurationSourceBuilder and Fluent Interfaces - DAAB Example
• ASP.NET 4 Search Engine Optimization ( SEO ) Features
• IIS Search Engine Optimization Toolkit and Violations
• ASP.NET 4 SqlServer SessionState Gets Compression and SessionState Proven Practices
• Sarasota Web Development Group - Teaching Web Development from Scratch
• Web Developer Tools in Apple Safari - Web Inspector