Share via


Microsoft ® Source Code Analyzer for SQL Injection – June 2008 CTP

Today Microsoft has released a Community Technology Preview of a new source code analyzer that can help ASP developers find SQL Injection vulnerabilities in their code.

 

Three weeks ago Microsoft released guidance (https://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx) on protecting ASP and ASP.NET web sites against SQL injection attacks. At the same time, Microsoft took an action item to develop new tools that could help web developers find these SQL injection vulnerabilities automatically. Microsoft Source Code Analyzer for SQL Injection is one of the tools developed as part of this effort. It is a static dataflow analysis tool to help find SQL Injection vulnerabilities in Active Server Pages (ASP) code. In particular, the tool attempts to find the vulnerabilities outlined in the guidance article “Preventing SQL Injections in ASP” (https://msdn.microsoft.com/en-us/library/cc676512.aspx) published three weeks ago.

 

The tool can be downloaded from https://www.microsoft.com/downloads/details.aspx?FamilyId=58A7C46E-A599-4FCB-9AB4-A4334146B6BA. Please read the Readme.html file for the complete list of warnings generated by the tool along with code samples that will generate the warnings. The documentation also discusses warning mitigation.

 

Please provide feedback and discuss issues related to the tool in SQL Server Security forum at https://forums.microsoft.com/msdn/ShowForum.aspx?ForumID=92&SiteID=1

 

Thanks,

The Microsoft Source Code Analyzer for SQL Injection Team

(Bala Neerumalla, Henning Rohde and Avi Gavlovski)

 

This posting is provided "AS IS" with no warranties, and confers no rights.

Comments

  • Anonymous
    June 24, 2008
    Bryan here. A couple of weeks ago, I posted a blog entry with links to SQL injection defense guidelines.
  • Anonymous
    June 24, 2008
    <p>This year SQL injection attacks are being stepped up and even automated against SQL Server. While SQL injection attacks can occur against any DBMS, my blog will only address SQL Server.</p ...
  • Anonymous
    June 25, 2008
    I will be getting back to the "Day in the Life of the DBA" series of posts, but I got this from the security
  • Anonymous
    June 25, 2008
    Tools per combattere le SQL Injections
  • Anonymous
    June 26, 2008
    If you're doing ASP.NET development then you need to check these tools out. As per this security bulletin
  • Anonymous
    June 28, 2008
    A differenza di altre tipologie di attacchi alle applicazioni il SQL Injection purtroppo è in costante
  • Anonymous
    July 08, 2015
    This tool is no longer supported.