Dedicated Servers
Moblin
JMSL Numerical Library

IBM® developerWorks
Sun Developer Network
Weekly Newsletter
Developer Updates
Free Website Content

Articles

Forums

All Feeds

Write For Us Get Paid

Request Media Kit

Site Map

Privacy Policy
Support

USERNAME

PASSWORD

>>> SIGN UP!

Lost Password?

ASP

RSS

Tips To Prevent Improper Use Of Your ASP Scripts

By: Wes DeMoney	Search For More Articles! Disclaimer Author Terms
Rating: / 3
2002-10-07

Table of Contents:

Tips To Prevent Improper Use Of Your ASP Scripts

Request Method

Conclusion

	ADD THIS ARTICLE TO:
	Del.ici.ous	Digg
	Blink	Simpy
	Google	Spurl
	Y! MyWeb	Furl

Email Me Similar Content When Posted

Add Developer Shed Article Feed To Your Site

Email Article To Friend

Print Version Of Article

PDF Version Of Article

Tips To Prevent Improper Use Of Your ASP Scripts - Request Method

(Page 2 of 3 )

I have seen many cases where programmers cut corners and use the generic Request() method to get their form data or query string data. This is not good for two reasons. One reason, not relating to security, is processing speed. The Request method contains ServerVariables, QueryString, Form, Cookies, and ClientCertificate. If you do not directly specify one, ASP will check ALL of them to see if the variable you are looking for exists.

The security concern here is that users will be able to use the plain old query string to pass form data. You may have a hidden form field that contains secret, script-generated data, and the user can now just pass whatever they want for that data through the query string. Your scripts probably won't even check this data to make sure it is legitimate because you think that your script passed it.

To prevent this problem, use the POST method to submit your forms and use Request.Form() to retrieve your data. If a user tries to access your script without submitting the form, the data returned will be empty:

Form Page

<form method="POST" action="processform.asp">
<input type="hidden" name="UID" value="<%=intUID%>">
New Email: <input type="text" name="Email">
<input type="submit">
</form>

Processform.asp

intUID = Request.Form("UID")
strNewEmail = Request.Form("Email")

Also, if a specific page is only meant to be access with form data posted to it, you can make sure that this is the case. To do this, check the HTTP header "REQUEST_METHOD". If it's a form POST, then the value should be "POST". Use Request.ServerVariables() to retrieve this header value:

If Request.ServerVariables("REQUEST_METHOD") <> "POST" Then
Response.End
End If

The code above checks to see if the "REQUEST_METHOD" isn't "POST" and if it isn't, then the script terminates with Response.End.

Check Referer
Note that referer is spelt wrong in terms of the dictionary, but seeing as how it is misspelled in the HTTP protocol, which we are using, I will use the misspelled version. Checking the referer is good for pages that accept query string data and form data. Your scripts can check the referer data to make sure that it matches the domain of your site. When taking query string data, you can prevent users from typing in the URL to pass different data, or other sites from making links to pass different data. When taking form data, you can make sure that the form was submitted from your site, not a form someone put on their own web site.

HTTP_REFERER is another HTTP header, just like REQUEST_METHOD, and it can be accessed in the same way. The value returned will either be a full URL, if coming from a link or form post, or nothing, if the user typed in the URL directly.

I wrote the nifty function below that will check the referer and return True if the referer matches the domain the script is on, or False if it doesn't, or if there is no referer at all:

Public Function CheckReferer()

On Error Resume Next
Dim strHost, strReferer, blnCheckReferer
strHost = Request.ServerVariables("HTTP_HOST")
strReferer = Request.ServerVariables("HTTP_REFERER")
strReferer = Right(strReferer, Len(strReferer) - (InStr(1, strReferer, "://") + 2))
strReferer = Left(strReferer, InStr(1, strReferer, "/") - 1)

If strReferer = strHost Then
blnCheckReferer = True
Else
blnCheckReferer = False
End If

CheckReferer = blnCheckReferer

End Function

Validate Data
You need to validate all of the data that has been input by a user, to avoid SQL injection attacks. This seems like a simple idea, but it is where most of your malicious attacks can occur. Make sure data that is supposed to be numeric truly is, and that strings don't contain weird (read: any non alphanumeric) characters. To validate number variables, make sure that they contain a value, that the value is numeric, and if the number is a database ID that it isn't less than 0. If it doesn't meet these conditions, set it as 0 to prevent any problems.

If intID = "" OR IsNumeric(intID) = False OR intID < 0 Then
intID = 0
End If

To validate strings, make sure they don't contain specific program statements. If your string will be a filename, make sure that the user doesn't pass path data, such as slashes and dots (ex: "../"), or extensions like "exe". If your string will be executed as a database query, then check that it doesn't contain "--", ";", and possibly the SQL commands like "SELECT", "INSERT"</CODE"UPDATE", "DELETE", or anything others.

Also, be sure to escape all single quotes by changing them to two single quotes (''). When retrieved, the two single quotes will be escaped and returned as one.

Finally, for any data that will be retrieved and displayed on a webpage, make sure you HTMLEncode it so that the user can't insert any HTML tags into your site.

strData = Replace(strData, "../", "")
strData = Replace(strData, "--", "")
strData = Replace(strData, ";", "")
strData = Replace(strData, "'", "''")
strData = Server.HTMLEncode(strData)

Next: Conclusion >>