http://blogs.msdn.com/sqlsecurity/archive/tags/SQL+Injection+ASP/default.aspxTags: SQL Injection ASPen-USCommunityServer 2.1 SP1 (Build: 61025.2)http://blogs.msdn.com/sqlsecurity/archive/2008/07/12/microsoft-source-code-analyzer-for-sql-injection-july-2008-ctp.aspxSat, 12 Jul 2008 03:41:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:8722265balnee1http://blogs.msdn.com/sqlsecurity/comments/8722265.aspxhttp://blogs.msdn.com/sqlsecurity/commentrss.aspx?PostID=8722265<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>Today we have released an updated Community Technology Preview of Microsoft Source Code Analyzer for SQL Injection. <SPAN style="mso-spacerun: yes">&nbsp;</SPAN><?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /><o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p><FONT face=Calibri size=3></FONT></o:p>&nbsp;</P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>We made the following improvements based on community feedback:<o:p></o:p></FONT></FONT></P> <OL style="MARGIN-TOP: 0in" type=1> <LI class=MsoNormal style="MARGIN: 0in 0in 0pt; mso-list: l0 level1 lfo1"><FONT size=3><FONT face=Calibri>Included a GUI to view warnings generated by the tool.</FONT></FONT></LI> <LI class=MsoNormal style="MARGIN: 0in 0in 0pt; mso-list: l0 level1 lfo1"><FONT size=3><FONT face=Calibri>Downgraded the requirements to Microsoft .NET Framework 2.0 from 3.0.</FONT></FONT></LI> <LI class=MsoNormal style="MARGIN: 0in 0in 0pt; mso-list: l0 level1 lfo1"><FONT size=3><FONT face=Calibri>Improved the ASP parser and analysis engine in various ways.<o:p></o:p></FONT></FONT></LI></OL> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT face=Calibri size=3>The updated tool can be downloaded from </FONT><A href="http://www.microsoft.com/downloads/details.aspx?FamilyId=58A7C46E-A599-4FCB-9AB4-A4334146B6BA" mce_href="http://www.microsoft.com/downloads/details.aspx?FamilyId=58A7C46E-A599-4FCB-9AB4-A4334146B6BA"><FONT face=Calibri size=3>http://www.microsoft.com/downloads/details.aspx?FamilyId=58A7C46E-A599-4FCB-9AB4-A4334146B6BA</FONT></A><FONT size=3><FONT face=Calibri>. Please read the Readme.html file for the complete list of warnings generated by the tool along with code samples that will generate the warnings. <o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p><FONT face=Calibri size=3>&nbsp;</FONT></o:p></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT face=Calibri size=3>Please provide feedback and discuss issues related to the tool in the SQL Server Security forum at </FONT><A href="http://forums.microsoft.com/msdn/ShowForum.aspx?ForumID=92&amp;SiteID=1" mce_href="http://forums.microsoft.com/msdn/ShowForum.aspx?ForumID=92&amp;SiteID=1"><FONT face=Calibri size=3>http://forums.microsoft.com/msdn/ShowForum.aspx?ForumID=92&amp;SiteID=1</FONT></A><FONT size=3><FONT face=Calibri> <o:p></o:p></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p><FONT face=Calibri size=3>&nbsp;</FONT></o:p></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face=Calibri>Thanks,<o:p></o:p></FONT></FONT></P><SPAN style="FONT-SIZE: 11pt; LINE-HEIGHT: 115%; FONT-FAMILY: 'Calibri','sans-serif'; mso-bidi-font-family: 'Times New Roman'; mso-fareast-font-family: Calibri; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA">The Microsoft Source Code Analyzer for SQL Injection Team</SPAN><img src="http://blogs.msdn.com/aggbug.aspx?PostID=8722265" width="1" height="1">SQL Injection ASPhttp://blogs.msdn.com/sqlsecurity/archive/2008/06/24/microsoft-source-code-analyzer-for-sql-injection-june-2008-ctp.aspxTue, 24 Jun 2008 19:43:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:8647883balnee6http://blogs.msdn.com/sqlsecurity/comments/8647883.aspxhttp://blogs.msdn.com/sqlsecurity/commentrss.aspx?PostID=8647883<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT face=Calibri size=3>Today Microsoft has released a Community Technology Preview of a new source code analyzer that can help ASP developers find SQL Injection vulnerabilities in their code. </FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /><o:p><FONT face=Calibri size=3>&nbsp;</FONT></o:p></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT face=Calibri size=3>Three weeks ago Microsoft released guidance (<A href="http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx">http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx</A>)&nbsp;on protecting ASP and ASP.NET web sites against SQL injection attacks. At the same time, Microsoft took an action item to develop new tools that could help web developers find these SQL injection vulnerabilities automatically. Microsoft Source Code Analyzer for SQL Injection is one of the tools developed as part of this effort.<SPAN style="mso-spacerun: yes">&nbsp; </SPAN>It is a static dataflow analysis tool to help find SQL Injection vulnerabilities in Active Server Pages (ASP) code. In particular, the tool attempts to find the vulnerabilities outlined in the guidance article “Preventing SQL Injections in ASP” (</FONT><A href="http://msdn.microsoft.com/en-us/library/cc676512.aspx" mce_href="http://msdn.microsoft.com/en-us/library/cc676512.aspx"><FONT face=Calibri size=3>http://msdn.microsoft.com/en-us/library/cc676512.aspx</FONT></A><FONT face=Calibri size=3>) published three weeks ago. </FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p><FONT face=Calibri size=3>&nbsp;</FONT></o:p></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT face=Calibri size=3>The tool can be downloaded from </FONT><A href="http://www.microsoft.com/downloads/details.aspx?FamilyId=58A7C46E-A599-4FCB-9AB4-A4334146B6BA" mce_href="http://www.microsoft.com/downloads/details.aspx?FamilyId=58A7C46E-A599-4FCB-9AB4-A4334146B6BA"><FONT face=Calibri size=3>http://www.microsoft.com/downloads/details.aspx?FamilyId=58A7C46E-A599-4FCB-9AB4-A4334146B6BA</FONT></A><FONT face=Calibri size=3>. Please read the Readme.html file for the complete list of warnings generated by the tool along with code samples that will generate the warnings. The documentation also discusses warning mitigation.</FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p><FONT face=Calibri size=3>&nbsp;</FONT></o:p></P> <P><SPAN style="FONT-SIZE: 11pt; LINE-HEIGHT: 115%; FONT-FAMILY: 'Calibri','sans-serif'; mso-fareast-font-family: Calibri; mso-bidi-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA">Please provide feedback and discuss issues related to the tool in SQL Server Security forum at <A href="http://forums.microsoft.com/msdn/ShowForum.aspx?ForumID=92&amp;SiteID=1" mce_href="http://forums.microsoft.com/msdn/ShowForum.aspx?ForumID=92&amp;SiteID=1">http://forums.microsoft.com/msdn/ShowForum.aspx?ForumID=92&amp;SiteID=1</A> </SPAN></P> <P><SPAN style="FONT-SIZE: 11pt; LINE-HEIGHT: 115%; FONT-FAMILY: 'Calibri','sans-serif'; mso-fareast-font-family: Calibri; mso-bidi-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA">&nbsp;</P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt">Thanks,</P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt">The Microsoft Source Code Analyzer for SQL Injection Team</P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt">(Bala Neerumalla, Henning Rohde and Avi Gavlovski)</P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p>&nbsp;</o:p></P> <P><SPAN style="FONT-SIZE: 11pt; LINE-HEIGHT: 115%; FONT-FAMILY: 'Calibri','sans-serif'; mso-fareast-font-family: Calibri; mso-bidi-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA">This posting is provided "AS IS" with no warranties, and confers no rights.</SPAN></SPAN></P><img src="http://blogs.msdn.com/aggbug.aspx?PostID=8647883" width="1" height="1">SQL Injection ASP