Today Microsoft has released a Community Technology Preview of a new source code analyzer that can help ASP developers find SQL Injection vulnerabilities in their code.
Three weeks ago Microsoft released guidance (http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx) on protecting ASP and ASP.NET web sites against SQL injection attacks. At the same time, Microsoft committed to developing new tools that could help web developers find these SQL injection vulnerabilities automatically. Microsoft Source Code Analyzer for SQL Injection is one of the tools developed as part of this effort. It is a static dataflow analysis tool that helps find SQL injection vulnerabilities in classic Active Server Pages (ASP) code (the VBScript/JScript pages that predate ASP.NET): it tracks untrusted input from the Request object through the page and reports where that input reaches a SQL statement without being parameterized or validated. In particular, the tool attempts to find the vulnerabilities outlined in the guidance article "Preventing SQL Injections in ASP" (http://msdn.microsoft.com/en-us/library/cc676512.aspx) published three weeks ago.
The tool can be downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyId=58A7C46E-A599-4FCB-9AB4-A4334146B6BA. Please read the Readme.html file for the complete list of warnings generated by the tool along with code samples that will generate the warnings. The documentation also discusses warning mitigation.
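To make the class of defect concrete, here is an added example (it is not code from this post or from the tool's Readme) of the pattern the analyzer's dataflow analysis is built to detect: untrusted input from the Request collection flowing, through string concatenation, into a query executed by ADO. Beside it is the parameterized form the guidance recommends. The connection string, the Products table and its ProductID and Name columns are placeholders chosen for the example, and the ADO constants are defined inline because a real page would normally pull them from adovbs.inc.

```asp
<%
Option Explicit
' Added example: the classic ASP SQL injection pattern and its parameterized fix.
' Assumed placeholders (not from the post): connection string, table Products
' with integer column ProductID and text column Name.
Const adCmdText = 1      ' ADO constants normally supplied by adovbs.inc
Const adInteger = 3
Const adParamInput = 1

Dim strConn
strConn = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=Shop;Integrated Security=SSPI"

' --- VULNERABLE: the Request value is a taint source, Connection.Execute is a sink,
' and the string concatenation lets the attacker rewrite the query itself.
' A request such as ?id=1;DROP TABLE Products-- or ?id=1 OR 1=1 changes the SQL.
Sub ShowProductUnsafe()
    Dim conn, rs, sql
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open strConn
    sql = "SELECT Name FROM Products WHERE ProductID = " & Request.QueryString("id")
    Set rs = conn.Execute(sql)
    Do Until rs.EOF
        Response.Write Server.HTMLEncode(rs("Name")) & "<br>"
        rs.MoveNext
    Loop
    rs.Close
    conn.Close
End Sub

' --- FIXED: validate the shape of the input, then bind it as a typed parameter
' through ADODB.Command so it can never be interpreted as SQL syntax.
Sub ShowProductSafe()
    Dim conn, cmd, rs, id, re
    id = Request.QueryString("id")

    ' Allow-list check: only a short run of digits is an acceptable product id.
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    If Not re.Test(id) Then
        Response.Status = "400 Bad Request"
        Response.Write "Invalid product id."
        Response.End
    End If

    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open strConn

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT Name FROM Products WHERE ProductID = ?"
    ' The value travels to SQL Server as an integer parameter, not as query text.
    cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, 4, CLng(id))

    Set rs = cmd.Execute
    Do Until rs.EOF
        Response.Write Server.HTMLEncode(rs("Name")) & "<br>"
        rs.MoveNext
    Loop
    rs.Close
    conn.Close
End Sub

ShowProductSafe
%>
```

Two things in the safe version are worth noting. The regular-expression check is an allow-list on the input's shape, which is the validation the guidance asks for; it is in addition to, not a substitute for, the parameter binding. The parameter is what actually removes the vulnerability, because the database receives the query text and the value separately, so no content of `id` can alter the statement's structure. Output is also passed through Server.HTMLEncode so a value stored in the database cannot be reflected as script, which is a separate issue from SQL injection but shows up in the same page.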
Please provide feedback and discuss issues related to the tool in the SQL Server Security forum at http://forums.microsoft.com/msdn/ShowForum.aspx?ForumID=92&SiteID=1
The Microsoft Source Code Analyzer for SQL Injection Team
(Bala Neerumalla, Henning Rohde and Avi Gavlovski)
This posting is provided "AS IS" with no warranties, and confers no rights.