
June, 2008

  • SQL Server Security

    Getting started with Microsoft ® Source Code Analyzer for SQL Injection


    Two days ago, we released Microsoft ® Source Code Analyzer for SQL Injection, June 2008 CTP, which finds SQL injection vulnerabilities in Active Server Pages (ASP) code. This post describes a few simple steps to help you start using the tool quickly.

     

    1. Download the tool from http://www.microsoft.com/downloads/details.aspx?FamilyId=58A7C46E-A599-4FCB-9AB4-A4334146B6BA. Msscasi_asp_pkg.exe is a self-extracting binary that copies the tool binaries to a folder you specify.

     

    2. The tool requires Microsoft .NET Framework 3.0; install it before running the tool.

     

    3. This is a command-line utility, so open a command window and change to the directory that contains the tool. The tool has six switches (documented in the readme file); to analyze a single ASP page you only need /Input=[fullpathtoaspfile]. If your ASP pages include files from virtual directories, use the /IncludePaths switch to supply absolute paths to the include files. Similarly, if you have a global.asa file, pass its location with the /GlobalAsaPath switch.

     

    4. Reviewing the output messages

    • If the tool finds a potential problem in an ASP page, it reports one of six warnings: 80400, 80403, 80406, 80407, 80420 or 80421. An 80400 warning indicates a high-confidence first-order SQL injection vulnerability; these are almost certainly real bugs and should be fixed immediately. Read the documentation (readme.html) for guidance on triaging the other warnings.
    • If you see no output, the tool analyzed the file successfully and found nothing it recognizes as a potential issue. Like any static analyzer, it can only report the patterns it knows about; if you believe it missed a bug that it ought to find, please tell us in the SQL Security MSDN forum.
    • We developed a new ASP parser as part of the tool, so it is possible that some ASP constructs are not parsed properly. Again, please report any issues in the SQL Security MSDN forum and we will try to address them in the next release.
    • You might see errors of the form "cannot find the file [virtualdir]\include.inc". The tool cannot currently resolve virtual directories, so use the /IncludePaths switch to give it absolute paths for the include files; then the included code is analyzed along with the page.

     

    5. Scanning an entire directory

    The tool analyzes one ASP file at a time. The following VBScript runs it over every .asp file in a folder and its subfolders, appending all of the output to one file.

     

    ' Runs msscasi_asp.exe over every .asp file under the folder given on the command
    ' line (subfolders included) and appends the tool output to output.txt next to
    ' this script. The tool is expected to be in the same folder as the script.
    Option Explicit

    Dim g_fso, g_strScriptPath, g_strTool, g_strOutput, g_strExtraSwitches
    Set g_fso = CreateObject("Scripting.FileSystemObject")
    g_strScriptPath = g_fso.GetParentFolderName(WScript.ScriptFullName)

    ' Switches added to every run, e.g. when pages use virtual-directory includes or a
    ' global.asa (see step 3):
    ' g_strExtraSwitches = " /IncludePaths=""C:\inetpub\wwwroot\include"" /GlobalAsaPath=""C:\inetpub\wwwroot\global.asa"""
    g_strExtraSwitches = ""

    If WScript.Arguments.Count = 0 Then
       WScript.Echo "Usage: " & WScript.ScriptName & " sourcedirectory"
       WScript.Quit(0)
    End If
    If Not g_fso.FolderExists(WScript.Arguments(0)) Then
       WScript.Echo "Folder not found: " & WScript.Arguments(0)
       WScript.Quit(1)
    End If
    If Not g_fso.FileExists(g_strScriptPath & "\msscasi_asp.exe") Then
       WScript.Echo "msscasi_asp.exe not found in " & g_strScriptPath
       WScript.Quit(1)
    End If

    ' Short (8.3) paths keep the cmd.exe command line free of spaces, so only the input
    ' file needs quoting. If 8.3 names are disabled on the volume, ShortPath returns the
    ' long path; keep the tool in a folder without spaces in that case.
    g_strTool = g_fso.GetFile(g_strScriptPath & "\msscasi_asp.exe").ShortPath
    g_strOutput = g_fso.GetFolder(g_strScriptPath).ShortPath & "\output.txt"

    ProcessFolder WScript.Arguments(0)

    ' Scans the .asp files in one folder, then recurses into its subfolders
    Sub ProcessFolder(ByVal folderspec)
       Dim f, f1, f2
       Set f = g_fso.GetFolder(folderspec)

       For Each f1 In f.Files
          If LCase(g_fso.GetExtensionName(f1.Path)) = "asp" Then
             ASPScan f1.Path
          End If
       Next

       For Each f2 In f.SubFolders
          ProcessFolder f2.Path
       Next
    End Sub

    ' Runs the tool on a single file and appends its output to output.txt
    Sub ASPScan(ByVal strInputFile)
       Dim WshShell, oExec, strCommand
       Set WshShell = CreateObject("WScript.Shell")

       ' cmd.exe /c is needed for the >> redirection that appends to output.txt
       strCommand = "cmd.exe /c " & g_strTool & " /Input=""" & strInputFile & """" & _
                    g_strExtraSwitches & " /Nologo >>" & g_strOutput
       Set oExec = WshShell.Exec(strCommand)

       ' Wait for this file to finish so that the output of two runs does not interleave
       Do While oExec.Status = 0
          WScript.Sleep 1000
       Loop

       Set oExec = Nothing
       Set WshShell = Nothing
    End Sub

     

    Save the above as a .vbs file in the folder that contains the tool, and run it with cscript, passing the absolute path of the folder containing the ASP code as the argument. The script writes output.txt, the concatenated tool output, to the folder where the tool and the script are located; because the output is appended, delete or rename an old output.txt before a fresh scan. Adapt the script to your needs; for example, if your ASP code uses virtual-directory includes or has a global.asa, you need to pass the /IncludePaths and /GlobalAsaPath switches to the tool where the script builds the command line.
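    Once output.txt holds the concatenated results, the warnings have to be triaged in the order step 4 describes. The following script, an added example that is not part of the original post, buckets the lines of output.txt by warning number and prints the 80400 findings first. It assumes only that each warning appears on a line containing its number; the exact output format of the tool is not relied on, and the full code-path text for each warning remains in output.txt.

```vbscript
' Added example, not part of the original post. Groups the warnings in the
' output.txt produced by the folder script by warning number and prints the
' buckets in triage order, high-confidence 80400 first (see step 4).
' Assumption: each warning is reported on one line that contains its number;
' nothing else about the tool's output format is relied on.
Option Explicit

Const ForReading = 1
' Triage order: review 80400 first, then the rest in readme order
Const WARNING_ORDER = "80400,80403,80406,80407,80420,80421"

Sub TriageOutput(ByVal strOutputFile)
   Dim fso, ts, re, matches, lines, counts, codes, code, strLine, i
   Set fso = CreateObject("Scripting.FileSystemObject")
   Set re = New RegExp
   re.Pattern = "\b804(00|03|06|07|20|21)\b"

   codes = Split(WARNING_ORDER, ",")
   Set lines = CreateObject("Scripting.Dictionary")   ' code -> matching lines
   Set counts = CreateObject("Scripting.Dictionary")  ' code -> number of hits
   For i = 0 To UBound(codes)
      lines.Add codes(i), ""
      counts.Add codes(i), 0
   Next

   Set ts = fso.OpenTextFile(strOutputFile, ForReading)
   Do Until ts.AtEndOfStream
      strLine = ts.ReadLine
      Set matches = re.Execute(strLine)
      If matches.Count > 0 Then
         code = matches(0).Value
         lines(code) = lines(code) & strLine & vbCrLf
         counts(code) = counts(code) + 1
      End If
   Loop
   ts.Close

   For i = 0 To UBound(codes)
      code = codes(i)
      If counts(code) > 0 Then
         WScript.Echo "=== " & code & ": " & counts(code) & " warning(s) ==="
         WScript.Echo lines(code)
      End If
   Next
End Sub

' Take a path as argument, or default to the output.txt next to this script
If WScript.Arguments.Count > 0 Then
   TriageOutput WScript.Arguments(0)
Else
   TriageOutput CreateObject("Scripting.FileSystemObject").GetParentFolderName(WScript.ScriptFullName) & "\output.txt"
End If
```

    Run it with cscript after the folder scan completes. Because a warning's code path may span several lines that do not repeat the warning number, use the bucketed listing to decide what to look at first and then read the surrounding lines in output.txt for the path itself.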

     

    6. Annotating the code – Annotations are simple. If you have generic input-validation routines, put the comment ' @@embed __sql_validate(paramname) in the body of each such function, replacing paramname with the name of the parameter the function validates; this eliminates the false-positive 80406, 80407 and 80421 warnings for data that has passed through the routine. Annotate only routines that really do constrain the value, since the annotation silences the analyzer for everything that flows through them. Similarly, if you have functions that are called from many places and produce 80420 or 80421 warnings, annotating them with ' @@embed __sql_pre_validated(paramname) gives you more accurate information about the vulnerable code paths.

     

    7. Follow the code path – All vulnerable code paths share one characteristic: end-user-controlled data is used to construct a SQL statement. The information in the reported code path is verbose, but you can simply follow the line numbers to see whether user-controlled data ends up executed as part of a SQL statement.

     

    8. Fixing the issues – Using parameterized SQL is the best solution to mitigate SQL Injection issues. The Readme documentation contains sample code for parameterized queries. The above steps will help you use most of the capabilities of the tool, which are described further in the documentation.
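    The three things steps 6 to 8 talk about, side by side, as an added example that is not from the original post or the tool's readme: the concatenation pattern step 7 describes, a validation routine carrying the step 6 annotation, and the parameterized form step 8 recommends. The connection object conn, the Products table and its columns are assumed for illustration.

```vbscript
<%
Option Explicit
' Added example, not from the original post or the tool's readme. Puts the
' pattern step 7 describes next to the two mitigations from steps 6 and 8.
' The connection "conn", the Products table and its columns are assumed.

' ADO constants, spelled out because not every page includes adovbs.inc
Const adCmdText = 1
Const adInteger = 3
Const adParamInput = 1

' 1. Vulnerable. Request data becomes part of the SQL text, which is the
'    first-order injection the 80400 warning describes.
'    ?id=1 OR 1=1 returns every row; ?id=1;DROP TABLE Products-- runs a
'    second statement.
Function GetProductNameUnsafe(conn)
    Dim rs
    Set rs = conn.Execute("SELECT Name FROM Products WHERE ProductId = " & Request.QueryString("id"))
    If Not rs.EOF Then GetProductNameUnsafe = rs("Name")
    rs.Close
End Function

' 2. Validation routine with the step 6 annotation. The annotation marks the
'    parameter "value" as validated by this function, so the analyzer stops
'    reporting the lower-confidence warnings for data that has passed through
'    it. Only annotate a routine that really constrains the value: this one
'    accepts nothing but 1 to 9 decimal digits.
Function IsNumericId(ByVal value)
    ' @@embed __sql_validate(value)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    IsNumericId = re.Test(value)
End Function

' 3. Fixed with a parameterized query (step 8). The id travels as a typed
'    parameter and is never parsed as SQL, so injection is impossible even if
'    the validation is loosened later. The validation is kept to reject junk
'    early and so that CLng cannot fail on a non-numeric value.
Function GetProductNameSafe(conn)
    Dim id, cmd, rs
    id = Request.QueryString("id")
    If Not IsNumericId(id) Then
        Response.Status = "400 Bad Request"
        Response.End
    End If
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT Name FROM Products WHERE ProductId = ?"
    cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , CLng(id))
    Set rs = cmd.Execute
    If Not rs.EOF Then GetProductNameSafe = rs("Name")
    rs.Close
End Function
%>
```

    Only the third function should survive a review. Validation narrows what reaches the query, but only the parameter keeps the value out of the SQL text; the annotation is a statement to the analyzer rather than a defence, so it belongs only on routines that genuinely constrain their input.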

     

    We would like to know what has worked for you and what has not. Please give us feedback in the MSDN forum to help us improve the tool.

     

    Thank You

     

    This posting is provided "AS IS" with no warranties, and confers no rights.

  • SQL Server Security

    Microsoft ® Source Code Analyzer for SQL Injection – June 2008 CTP


    Today Microsoft has released a Community Technology Preview of a new source code analyzer that can help ASP developers find SQL Injection vulnerabilities in their code.

     

    Three weeks ago Microsoft released guidance (http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx) on protecting ASP and ASP.NET web sites against SQL injection attacks. At the same time, Microsoft took on an action item to develop new tools that could help web developers find such SQL injection vulnerabilities automatically. Microsoft Source Code Analyzer for SQL Injection is one of the tools developed as part of this effort. It is a static dataflow analysis tool that helps find SQL injection vulnerabilities in Active Server Pages (ASP) code. In particular, the tool attempts to find the vulnerabilities outlined in the guidance article “Preventing SQL Injections in ASP” (http://msdn.microsoft.com/en-us/library/cc676512.aspx), published at the same time.

     

    The tool can be downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyId=58A7C46E-A599-4FCB-9AB4-A4334146B6BA. Please read the Readme.html file for the complete list of warnings generated by the tool along with code samples that will generate the warnings. The documentation also discusses warning mitigation.

     

    Please provide feedback and discuss issues related to the tool in the SQL Server Security forum at http://forums.microsoft.com/msdn/ShowForum.aspx?ForumID=92&SiteID=1

     

    Thanks,

    The Microsoft Source Code Analyzer for SQL Injection Team

    (Bala Neerumalla, Henning Rohde and Avi Gavlovski)

     

    This posting is provided "AS IS" with no warranties, and confers no rights.
