Classic ASP SQL Injection vulnerability analyser

Fri, 24 Oct 2008 08:50:00 +0000

If, like me, you have a whole bunch of legacy sites written by someone else long before you joined the company all code bases of varying quality, then you may find this tool useful. I read an article on the register a while ago about a command line tool Microsoft have put together which analyses Classic ASP code, and looks for vulnerabilities that leave your pages open to SQL injection attack.

Incase you are unfamiliar, there is a good article up on securitydocs.com exaplaining what a sql injection attack is and giving some practical examples on how they work and how easily they can be executed.

It seems to do this by looking at how your code deals with input accepted from the Request.Form and Request.Querystring and making sure it goes through some kind of filtering. Anyway- have a butchers at the tool yourself. The article title is "The Microsoft Source Code Analyzer for SQL Injection tool is available to find SQL injection vulnerabilities in ASP code" and the applications name is "msscasi_asp.exe"- i only mention this as Microsoft seem to frequently reshuffle their pages breaking loads of links so you may some to this article and find just a 404 so this will allow you to do a site search!

The article also makes a mention of a similar tool created by HP called scrawlr which is available here

Shawson's Code Blog » Classic ASP

Classic ASP SQL Injection vulnerability analyser