locked
Re: Microsoft ® Source Code Analyzer for SQL Injection – June 2008 CTP, Stack Overflow RRS feed

  • Question

  • When I try to run the source code analyzer for SQL injection on my website, I get the following error:


    Process is terminated due to StackOverflowException.



    I guess my site is just too big for this tool (oh, it takes several minutes before the error appears).


    I'm starting the tool with this command line:

    msscasi_asp.exe /input="H:\wwwroot\stage_2_11_2\index.asp"  /IncludePaths="h:\wwwroot\stage_virtual\edt_virtual\config;h:\wwwroot\stage_2_11_2"


    Help?

    --Owen

    Wednesday, June 25, 2008 6:43 PM

Answers

  • Our parser is different from web server's parser. We are trying to mimic the behavior of IIS and is still a work in progress.

     

    Thanks,

    Bala Neerumalla.

     

     

     

    Friday, June 27, 2008 8:47 PM
  • Hi Owen,

        It means that the tool hasn't found any vulnerabilities in that particular ASP page.

     

    Thanks,

    Bala Neerumalla.

     

    Tuesday, July 1, 2008 7:22 PM

All replies

  • This could be due to a bug in the ASP parser (We developed a new ASP parser as part of this effort, and it is not perfect).

     

    The only case where I have personally observed a stack overflow exception, is if the code contains a cyclic include path, e.g. A includes B includes C includes A.

     

    Thanks

    Avi

     

    This posting is provided "AS IS" with no warranties, and confers no rights.

     

    Wednesday, June 25, 2008 10:37 PM
  •  

    Hmmm. Could be, but wouldn't that make the webserver (IIS 6) crash as well?

     

    Our site is a one-page site and is quite large (lots of server-side includes).

    Friday, June 27, 2008 4:52 PM
  • Our parser is different from web server's parser. We are trying to mimic the behavior of IIS and is still a work in progress.

     

    Thanks,

    Bala Neerumalla.

     

     

     

    Friday, June 27, 2008 8:47 PM
  • Ahh. Ok. Right.

    Tuesday, July 1, 2008 7:19 PM
  • What does it mean if I run the Source Code Analyzer and there is no output (other than the header info)?

     

    Tuesday, July 1, 2008 7:21 PM
  • Hi Owen,

        It means that the tool hasn't found any vulnerabilities in that particular ASP page.

     

    Thanks,

    Bala Neerumalla.

     

    Tuesday, July 1, 2008 7:22 PM
  •  

    Hi Owen,

        We have released an updated version of the tool that has some ASP Parser fixes. Please look at http://blogs.msdn.com/sqlsecurity/archive/2008/07/12/microsoft-source-code-analyzer-for-sql-injection-july-2008-ctp.aspx for more details on this version and let us know if you encounter any problems.

     

    Thanks,

    Bala Neerumalla

    Saturday, July 12, 2008 12:57 AM