tags:

views:

281

answers:

2
+1  Q: 

ASP.NET / C# Equivalent of Microsoft Source Code Analyzer for SQL Injection (MSSCASI_ASP)?

Microsoft Source Code Analyzer for SQL Injection (MSSCASI_ASP) is a static code analyzer for classic ASP VBScript code that can help identify pages that might have a sql injection vulnerability.

That tool seems to only support vbscript ("The tool understands only ASP code that is written in VBScript"), and I think it only supports Classic ASP even for VBscript. I'm wondering if there is a tool with a similar approach capable of working with ASP.NET code, especially C# ASP.NET code.

A: 

I don't think there's a .NET version of that tool. If you are using parameters (which you should do most of the time,) you are not vulnerable to most of the SQL injection attacks.

Mehrdad Afshari  2009-08-05 21:51:33
Using sql parameters is definitely one of our coding guidelines. I can't be sure that we've actually used them in all cases, though. I was hoping an automated sweep could increase my confidence that we have used them in all cases, and/or help find the (hopefully) few places where we don't. If I had all the time in the world, I might do a manual security audit of all the code that touches the database. In practice, though, it seems unlikely I'll find time for that.
Chris  2009-08-05 23:04:57
+2  A: 

You could take a look at the Microsoft Code Analysis Tool for .Net (CAT.NET) You can find a download here http://www.microsoft.com/downloads/details.aspx?FamilyId=0178e2ef-9da8-445e-9348-c93f24cc9f9d&displaylang=en

Also it's discussed on the Microsoft Security Tools Blog

Cheshire Cat  2009-08-05 22:00:40

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?