Today Microsoft has released a Community Technology Preview of a new source code analyzer that can help ASP developers find SQL Injection vulnerabilities in their code.
Three weeks ago Microsoft released guidance (http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx) on protecting ASP and ASP.NET web sites against SQL injection attacks. At the same time, Microsoft took an action item to develop new tools that could help web developers find these SQL injection vulnerabilities automatically. Microsoft Source Code Analyzer for SQL Injection is one of the tools developed as part of this effort. It is a static dataflow analysis tool to help find SQL Injection vulnerabilities in Active Server Pages (ASP) code. In particular, the tool attempts to find the vulnerabilities outlined in the guidance article “Preventing SQL Injections in ASP” (http://msdn.microsoft.com/en-us/library/cc676512.aspx) published three weeks ago.
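To illustrate the kind of static dataflow (taint) analysis the post describes, here is an added example that is not the tool's code and not part of the original post: a deliberately small tracker in Python over a constructed classic-ASP fragment. It treats any Request.* read as the source, propagates taint through assignments and string concatenation, and reports when a tainted variable reaches an ADO Execute/Open sink; the parameterized ADODB.Command query is left unreported. The sample ASP, the sink list and the regexes are all assumptions for this illustration, and there is no control-flow or sanitizer modelling.

```python
import re

# Constructed classic-ASP (VBScript) fragment used as analyzer input; not from the original post.
ASP_SAMPLE = '''\
Dim name, sql, cmd
name = Request.QueryString("name")
sql = "SELECT * FROM Users WHERE Name = '" & name & "'"
Set rs = conn.Execute(sql)
safeSql = "SELECT * FROM Users WHERE Name = ?"
Set cmd = Server.CreateObject("ADODB.Command")
cmd.CommandText = safeSql
cmd.Parameters.Append cmd.CreateParameter("p", 200, 1, 50, name)
Set rs2 = cmd.Execute
'''

SOURCE_RE = re.compile(r"\bRequest\b", re.IGNORECASE)                      # user-controlled input
ASSIGN_RE = re.compile(r"^\s*(?:Set\s+)?(\w+(?:\.\w+)*)\s*=\s*(.+)$", re.IGNORECASE)
SINK_RE = re.compile(r"\.(?:Execute|Open)\s*\(?\s*(\w+)", re.IGNORECASE)  # assumed ADO sinks
STRING_RE = re.compile(r'"[^"]*"')
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")

def find_sqli(asp_source: str):
    """Return [(line_no, variable)] for each place a tainted variable reaches a SQL sink."""
    tainted = set()      # variable names (lower-cased) currently carrying user input
    findings = []
    for no, raw in enumerate(asp_source.splitlines(), start=1):
        line = STRING_RE.sub('""', raw)          # string literals carry no taint
        m = SINK_RE.search(line)
        if m and m.group(1).lower() in tainted:
            findings.append((no, m.group(1)))   # tainted data used to build/run the query
        a = ASSIGN_RE.match(line)
        if not a:
            continue                             # not an assignment: no taint change
        lhs, rhs = a.group(1).lower(), a.group(2)
        rhs_ids = {i.lower() for i in IDENT_RE.findall(rhs)}
        if SOURCE_RE.search(rhs) or rhs_ids & tainted:
            tainted.add(lhs)                     # taint flows through concatenation/assignment
        else:
            tainted.discard(lhs)                 # overwritten with clean data
    return findings
```

Running find_sqli(ASP_SAMPLE) reports only line 4, where the concatenated query reaches conn.Execute; the parameterized query on lines 5 to 9 uses the same user input without producing a warning.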
The tool can be downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyId=58A7C46E-A599-4FCB-9AB4-A4334146B6BA. Please read the Readme.html file for the complete list of warnings generated by the tool along with code samples that will generate the warnings. The documentation also discusses warning mitigation.
Please provide feedback and discuss issues related to the tool in the SQL Server Security forum at http://forums.microsoft.com/msdn/ShowForum.aspx?ForumID=92&SiteID=1
The Microsoft Source Code Analyzer for SQL Injection Team
(Bala Neerumalla, Henning Rohde and Avi Gavlovski)
This posting is provided “AS IS” with no warranties, and confers no rights.