Getting started with Microsoft ® Source Code Analyzer for SQL Injection
Two days ago, we released Microsoft ® Source Code Analyzer for SQL Injection, June 2008 CTP, which analyzes Active Server Pages (ASP) code for SQL injection vulnerabilities. In this post, we describe simple steps to help you start using the tool quickly.
1. Download the tool from https://www.microsoft.com/downloads/details.aspx?FamilyId=58A7C46E-A599-4FCB-9AB4-A4334146B6BA. Msscasi_asp_pkg.exe is a self-extracting binary that copies the tool binaries into a folder you specify.
2. Please install Microsoft .NET Framework 3.0 before using the tool.
3. This is a command-line utility, so launch a command window and change to the directory that contains the tool. The tool has six switches (documented in the readme file); to analyze a single ASP page you only need the /Input=[fullpathtoaspfile] switch. If your ASP pages include files from virtual directories, use the /IncludePaths switch to provide absolute paths to the include files. Similarly, if you have a global.asa file, use the /GlobalAsaPath switch.
4. Reviewing the output messages
- If the tool finds any potential problems in an ASP page, it generates one of six warnings: 80400, 80403, 80406, 80407, 80420 or 80421. The 80400 warnings indicate high-confidence first-order SQL injection vulnerabilities and are most likely real bugs that should be addressed immediately. Please read the documentation (readme.html) for more information on how to triage the other warnings.
- If you see no output, the tool has successfully analyzed the file and did not find any potential issues. If you believe the tool missed a bug that it ought to find, please inform us in the SQL Security MSDN forum.
- We developed a new ASP parser as part of the tool development, so it is possible that we may not be able to parse all ASP constructs properly. Again, please report any issues in the SQL Security MSDN forum and we will try to address them in our next release.
- You might see errors such as “cannot find the file [virtualdir]\include.inc”. The tool cannot currently resolve virtual directories. Use the /IncludePaths switch to provide absolute paths for the include files so that the tool can successfully analyze the ASP pages.
5. Scanning an entire directory
The tool analyzes one ASP file at a time. You can use the following VBScript code to process an entire folder containing ASP web pages.
' Recursively scans a folder tree and runs msscasi_asp.exe on every .asp file it finds.
' Usage: cscript ScanFolder.vbs C:\inetpub\wwwroot
Option Explicit

If WScript.Arguments.Count = 0 Then
    WScript.Echo "Usage: " & WScript.ScriptName & " sourcedirectory"
    WScript.Quit(0)
End If

Dim fsoRoot
Set fsoRoot = CreateObject("Scripting.FileSystemObject")
If Not fsoRoot.FolderExists(WScript.Arguments(0)) Then
    WScript.Echo "Folder not found: " & WScript.Arguments(0)
    WScript.Quit(1)
End If

ProcessFolder WScript.Arguments(0)

' Scans the .asp files in folderspec, then recurses into its subfolders.
Sub ProcessFolder(ByVal folderspec)
    Dim fso, f, f1, fc, sf, f2
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.GetFolder(folderspec)
    Set fc = f.Files
    For Each f1 In fc
        ' Compare the extension case-insensitively so .ASP and .Asp files are scanned too
        If LCase(fso.GetExtensionName(f1.Name)) = "asp" Then
            ASPScan f1.Path
        End If
    Next
    Set sf = f.SubFolders
    For Each f2 In sf
        ProcessFolder f2.Path
    Next
End Sub

' Runs the analyzer on one file and appends its output to output.txt next to the script.
Sub ASPScan(ByVal strInputFile)
    On Error Resume Next   ' a failure on one file must not stop the whole scan
    Err.Clear
    Dim WshShell, oExec
    Dim strCommand, strBinary
    Set WshShell = CreateObject("WScript.Shell")
    ' Short (8.3) names avoid quoting problems when the tool folder contains spaces.
    ' The tool is looked up next to this script, not in the current directory.
    strBinary = GetShortFolderName(GetScriptPath()) & "\" & GetShortFileName(GetScriptPath() & "\msscasi_asp.exe")
    strCommand = "cmd.exe /c " & strBinary & " /input=""" & strInputFile & """ /Nologo >>" & GetShortFolderName(GetScriptPath()) & "\output.txt"
    Set oExec = WshShell.Exec(strCommand)
    If Err.Number <> 0 Then
        WScript.Echo "Could not start the analyzer for " & strInputFile & ": " & Err.Description
        Exit Sub
    End If
    ' Wait for the tool to finish before launching the next scan
    Do While oExec.Status = 0
        WScript.Sleep 1000
    Loop
    Set oExec = Nothing
    Set WshShell = Nothing
End Sub

' Folder that contains this script (and, per step 5, the tool binaries)
Function GetScriptPath()
    Dim strPath
    strPath = WScript.ScriptFullName
    GetScriptPath = Left(strPath, InStrRev(strPath, "\") - 1)
End Function

Function GetShortFolderName(ByVal folderspec)
    Dim fso
    Set fso = CreateObject("Scripting.FileSystemObject")
    GetShortFolderName = fso.GetFolder(folderspec).ShortPath
End Function

Function GetShortFileName(ByVal filespec)
    Dim fso
    Set fso = CreateObject("Scripting.FileSystemObject")
    GetShortFileName = fso.GetFile(filespec).ShortName
End Function
Create a VBScript file (.vbs) with the above content, place it in the folder where the tool is located, and execute the script, passing the absolute path of the folder containing the ASP code. The script generates the file output.txt with the concatenated tool output in the folder where the tool and script files are located. Modify the script to suit your needs; for example, if your ASP code uses virtual file includes or you have a global.asa, you will need to pass the /IncludePaths and /GlobalAsaPath parameters to the tool in the ASPScan function.
6. Annotating the code – Annotations are pretty simple. If you have any generic input validation routines, annotating those functions with ' @@embed __sql_validate(paramname) within the function body will eliminate false positives for 80406, 80407 and 80421; remember to replace paramname with the function parameter that is being validated. Similarly, if you have functions that are called from various places and produce 80420 or 80421 warnings, annotating those functions with ' @@embed __sql_pre_validated(paramname) can give you accurate information on the vulnerable code paths.
7. Follow the code path – All the vulnerable code paths have the same characteristic: end-user-controlled data is used to construct a SQL statement. The information provided in the code path is verbose, but you can simply look at the line numbers to see whether any user-controlled data is executed as part of a SQL statement.
8. Fixing the issues – Using parameterized SQL is the best way to mitigate SQL injection issues. The Readme documentation contains sample code for parameterized queries. The above steps will help you use most of the capabilities of the tool, which are described further in the documentation.
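The following classic ASP page is an added example, not code from the tool's readme or from this post: it shows the concatenation pattern that warning 80400 reports, a validation routine carrying the step 6 annotation, and the parameterized ADODB.Command version that step 8 recommends. The Products table, the ProductID column and the Application("ConnString") connection string are assumed names.

```vbscript
<%
' Added example (not from the tool's readme). Constructed sample request: /product.asp?id=42

' --- 1. The pattern the analyzer reports as warning 80400 ---
' Request.QueryString is end-user controlled and lands directly in the SQL text.
Sub ShowProductVulnerable(ByVal conn)
    Dim strSQL, rs
    strSQL = "SELECT Name, Price FROM Products WHERE ProductID = " & Request.QueryString("id")
    Set rs = conn.Execute(strSQL)
    Response.Write Server.HTMLEncode(rs("Name"))
End Sub

' --- 2. Input validation routine annotated for the analyzer (step 6) ---
' The @@embed comment tells the tool that "id" leaves this function validated,
' which removes the 80406/80407/80421 false positives on its callers.
Function ValidateProductId(ByVal id)
    ' @@embed __sql_validate(id)
    If IsNumeric(id) And InStr(id, ".") = 0 And Len(id) <= 9 Then
        ValidateProductId = CLng(id)
    Else
        ValidateProductId = 0      ' assumption: 0 is never a valid ProductID
    End If
End Function

' --- 3. The fix (step 8): parameterized SQL through ADODB.Command ---
' The user value travels as a typed parameter, never as part of the statement text,
' so there is no tainted flow into the SQL string for the analyzer to report.
Sub ShowProductParameterized(ByVal conn)
    Dim cmd, rs, productId
    productId = ValidateProductId(Request.QueryString("id"))

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = 1            ' adCmdText
    cmd.CommandText = "SELECT Name, Price FROM Products WHERE ProductID = ?"
    ' CreateParameter(Name, Type, Direction, Size, Value): 3 = adInteger, 1 = adParamInput
    cmd.Parameters.Append cmd.CreateParameter("@id", 3, 1, , productId)

    Set rs = cmd.Execute
    If Not rs.EOF Then Response.Write Server.HTMLEncode(rs("Name"))
    rs.Close
End Sub

Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")   ' connection string assumed to live in Application state
ShowProductParameterized conn
conn.Close
%>
```

Running the analyzer on this page with only ShowProductVulnerable present yields an 80400 warning pointing at the strSQL line; the parameterized version produces no warning because Request data never enters the statement text.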
We are interested to know what has worked for you and what has not. Please provide us feedback in the MSDN forum to help us improve the tool.
Thank You
This posting is provided "AS IS" with no warranties, and confers no rights.