Tips To Prevent Improper Use Of Your ASP Scripts
By: Wes DeMoney
    2002-10-07

    Table of Contents:
  • Tips To Prevent Improper Use Of Your ASP Scripts
  • Request Method
  • Conclusion

    Tips To Prevent Improper Use Of Your ASP Scripts - Request Method


    (Page 2 of 3)

    I have seen many cases where programmers cut corners and use the generic Request() method to get their form data or query string data. This is a bad idea for two reasons. The first, unrelated to security, is processing speed: the Request object holds five collections (ServerVariables, QueryString, Form, Cookies and ClientCertificate), and if you do not name one, ASP searches ALL of them until it finds the variable you asked for.

    The security concern is that a user can supply "form" data through the plain old query string. You may have a hidden form field that carries secret, script-generated data, and the user can now pass whatever they want for that field via the query string. Your script probably won't even check that data to make sure it is legitimate, because you assume your own script supplied it.

    To prevent this, submit your forms with the POST method and read the values with Request.Form(). If a user calls your script without submitting the form, the values come back empty:

    Form Page

    <form method="POST" action="processform.asp">
    <input type="hidden" name="UID" value="<%=intUID%>">
    New Email: <input type="text" name="Email">
    <input type="submit">
    </form>


    Processform.asp

    <%
    ' Read only the POST body; values in the query string are ignored
    intUID = Request.Form("UID")
    strNewEmail = Request.Form("Email")
    %>


    Also, if a page is only meant to be accessed with form data posted to it, you can enforce that. To do this, check the REQUEST_METHOD server variable: for a form POST its value is "POST". Use Request.ServerVariables() to retrieve it:

    <%
    ' Refuse anything that is not a form POST before reading any fields
    If Request.ServerVariables("REQUEST_METHOD") <> "POST" Then
        Response.End
    End If
    %>


    The code above checks whether REQUEST_METHOD is anything other than "POST" and, if so, terminates the script with Response.End.
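    The difference between the unqualified lookup and Request.Form(), together with the REQUEST_METHOD gate, modelled in Python as an added example (this is not code from the article). The request dictionary and its field values are constructed, and the collection search order is assumed here to be QueryString before Form, which is why a query-string value wins in the unqualified lookup.

```python
from urllib.parse import parse_qs

# Constructed request: the hidden field UID carries the value the server wrote into
# the form (4711), but the caller has also appended ?UID=1 to the action URL.
REQUEST = {
    "method": "POST",
    "query_string": "UID=1",
    "body": "UID=4711&Email=new%40example.com",
}


def lookup_unqualified(request, name):
    """Model of the unqualified Request(name): the collections are searched in
    turn (assumed order: QueryString, then Form), so a query-string value
    shadows the posted one."""
    for collection in ("query_string", "body"):
        values = parse_qs(request.get(collection, ""))
        if name in values:
            return values[name][0]
    return ""


def lookup_form(request, name):
    """Model of Request.Form(name): only the POST body is consulted, so the
    query string cannot override a posted field."""
    values = parse_qs(request.get("body", ""))
    return values.get(name, [""])[0]


def is_post(request):
    """Model of the REQUEST_METHOD check from the article."""
    return request.get("method", "") == "POST"


def process_form(request):
    """processform.asp as the article hardens it: reject anything but POST,
    then read fields from the form collection only. Returns None on rejection."""
    if not is_post(request):
        return None
    return {
        "uid": lookup_form(request, "UID"),
        "email": lookup_form(request, "Email"),
    }


if __name__ == "__main__":
    print("unqualified lookup sees UID =", lookup_unqualified(REQUEST, "UID"))
    print("Request.Form sees UID       =", lookup_form(REQUEST, "UID"))
    print("GET attempt processed as    =", process_form(dict(REQUEST, method="GET")))
```

    Run as a script, the unqualified lookup reports the tampered value 1 while the form-only lookup reports 4711, and the same request resent as a GET is rejected before any field is read.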

    Check Referer
    Note that referer is spelt wrong in terms of the dictionary, but since it is misspelled in the HTTP protocol, which we are using, I will use the misspelled version. Checking the referer is useful for pages that accept query string data or form data. Your script can check the referer to make sure it matches the domain of your site. For query string data, this stops users from typing in the URL with different values, and other sites from linking to your script with different values. For form data, it checks that the form was submitted from your site rather than from a copy someone put on their own web site.

    HTTP_REFERER is another server variable (it carries the HTTP Referer header) and is read the same way as REQUEST_METHOD. The value is either a full URL, when the request came from a link or a form post, or empty, when the user typed the URL directly.

    I wrote the nifty function below that will check the referer and return True if the referer matches the domain the script is on, or False if it doesn't, or if there is no referer at all:

    Public Function CheckReferer()

        Dim strHost, strReferer, intPos
        strHost = Request.ServerVariables("HTTP_HOST")
        strReferer = Request.ServerVariables("HTTP_REFERER")

        ' No referer at all (typed URL, bookmark, or stripped by the client) fails the check
        If Len(strReferer) = 0 Then
            CheckReferer = False
            Exit Function
        End If

        ' Drop the scheme ("http://" or "https://")
        intPos = InStr(1, strReferer, "://")
        If intPos > 0 Then strReferer = Mid(strReferer, intPos + 3)

        ' Keep only the host, dropping any path or query string that follows it
        intPos = InStr(1, strReferer, "/")
        If intPos > 0 Then strReferer = Left(strReferer, intPos - 1)

        ' Host names are case-insensitive, so compare them that way
        CheckReferer = (StrComp(strReferer, strHost, vbTextCompare) = 0)

    End Function
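    The same host comparison modelled in Python as an added example (not the article's function), using urlsplit to pull the host out of the Referer. The referer values and the HTTP_HOST value in the demo are constructed.

```python
from urllib.parse import urlsplit


def referer_host(referer):
    """Return the lower-cased host name from a Referer value, or "" when the
    header is missing or carries no parseable host (for example a value with
    no scheme, which urlsplit treats as a bare path)."""
    if not referer:
        return ""
    return urlsplit(referer).hostname or ""


def check_referer(referer, http_host):
    """Python model of the article's CheckReferer(): True only when the host in
    the Referer is exactly the host serving the script. The port is dropped from
    HTTP_HOST and hosts are compared case-insensitively, since DNS names are."""
    expected = http_host.split(":", 1)[0].lower()
    actual = referer_host(referer)
    return bool(actual) and actual == expected


if __name__ == "__main__":
    # Constructed cases: same host, same host in upper case with a port on our
    # side, no referer, a look-alike host that merely starts with our name, and
    # a foreign host with our name in the path.
    for ref in ("http://www.example.com/form.asp",
                "HTTPS://WWW.EXAMPLE.COM/form.asp?x=1",
                "",
                "http://www.example.com.evil.test/form.asp",
                "http://evil.test/www.example.com/"):
        print(repr(ref), "->", check_referer(ref, "www.example.com:443"))
```

    The exact host comparison is the important part: a substring or "ends with" test would accept www.example.com.evil.test. Keep in mind that the Referer is supplied by the client. Browsers and proxies may strip it, and a hostile client can set it to anything, so this check raises the bar against casual URL tampering and cross-site form posts but is not a substitute for validating the data itself on the server.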


    Validate Data
    You need to validate all data supplied by a user to avoid SQL injection attacks. This sounds simple, but it is where most malicious attacks succeed. Make sure data that is supposed to be numeric really is numeric, and that strings don't contain unexpected (read: any non-alphanumeric) characters. To validate a numeric variable, make sure it contains a value, that the value is numeric, and, if the number is a database ID, that it isn't less than 0. If it fails any of these conditions, set it to 0 to prevent problems.

    ' VBScript does not short-circuit Or, so test in stages: IsNumeric("") is False,
    ' and only a value that passed IsNumeric is converted and compared against 0
    If Not IsNumeric(intID) Then intID = 0
    If CLng(intID) < 0 Then intID = 0
    intID = CLng(intID)


    To validate strings, make sure they don't contain specific program statements. If the string will be a filename, make sure the user doesn't pass path data, such as slashes and dots (ex: "../"), or extensions like "exe". If the string will be executed as part of a database query, check that it doesn't contain "--", ";", and possibly SQL commands like "SELECT", "INSERT", "UPDATE", "DELETE", or other keywords.

    Also, be sure to escape every single quote by doubling it (''). The database treats the doubled quote as one literal quote, so the value is stored and returned with a single quote.

    Finally, for any data that will be retrieved and displayed on a webpage, make sure you HTMLEncode it so that the user can't insert any HTML tags into your site.

    <%
    ' Strip path traversal, SQL comment markers and statement separators, double
    ' any single quotes, and finally HTML-encode before the value is displayed
    strData = Replace(strData, "../", "")
    strData = Replace(strData, "--", "")
    strData = Replace(strData, ";", "")
    strData = Replace(strData, "'", "''")
    strData = Server.HTMLEncode(strData)
    %>
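    The validation rules above, modelled in Python as an added example (not the article's code), with one addition the page does not show: an allowlist check for file names. All inputs are constructed. The example also shows why a single Replace of "../" is a weaker control than the allowlist: Replace removes each occurrence once, so an input built from nested fragments still contains "../" afterwards.

```python
import re


def clean_id(value):
    """Model of the article's numeric-ID rule: the value must be present,
    numeric and not negative, otherwise it becomes 0. Python's int() is
    stricter than VBScript's IsNumeric (it rejects "1e3" and "1.5"), which is
    the right direction for a database ID."""
    try:
        number = int(str(value).strip())
    except ValueError:
        return 0
    return number if number >= 0 else 0


# Allowlist for a user-supplied file name: letters, digits, "_" and "-", then
# one approved extension. Dots and slashes can therefore never form a path.
FILENAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.(txt|jpg|png)")


def clean_filename(name):
    """Return the name if it matches the allowlist, else "" (treat as invalid)."""
    return name if FILENAME_RE.fullmatch(name) else ""


def strip_traversal(value):
    """Model of Replace(strData, "../", ""): one pass, every occurrence removed."""
    return value.replace("../", "")


def escape_quotes(value):
    """Model of Replace(strData, "'", "''") for use inside an SQL string literal."""
    return value.replace("'", "''")


if __name__ == "__main__":
    # Constructed inputs
    print(clean_id("42"), clean_id(""), clean_id("-5"), clean_id("12abc"))
    # The stripped string still begins with "../"; the allowlist rejects it outright
    print(repr(strip_traversal("....//etc/passwd")))
    print(repr(clean_filename("....//etc/passwd")), repr(clean_filename("report-2002.txt")))
    print(escape_quotes("O'Brien"))
```

    For the database case the doubled quote is correct inside a string literal, but the cleanest defence in Classic ASP is to pass user values through ADO Command parameters instead of concatenating them into the query text, so the quoting never has to be done by hand.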

    © 2003-2009 by Developer Shed. All rights reserved.