Home arrow ASP arrow Page 2 - Tips To Prevent Improper Use Of Your ASP Scripts
ASP

Tips To Prevent Improper Use Of Your ASP Scripts


As developers, we should always take steps to prevent the misuse of our scripts. In this article Wes gives us some handy tips to secure our ASP scripts.

Author Info:
By: Wes DeMoney
Rating: 5 stars5 stars5 stars5 stars5 stars / 22
October 07, 2002
TABLE OF CONTENTS:
  1. · Tips To Prevent Improper Use Of Your ASP Scripts
  2. · Request Method
  3. · Conclusion

print this article
SEARCH DEVARTICLES

Tips To Prevent Improper Use Of Your ASP Scripts - Request Method
(Page 2 of 3 )

I have seen many cases where programmers cut corners and use the generic Request() method to get their form data or query string data. This is not good for two reasons. One reason, not relating to security, is processing speed. The Request method contains ServerVariables, QueryString, Form, Cookies, and ClientCertificate. If you do not directly specify one, ASP will check ALL of them to see if the variable you are looking for exists.

The security concern here is that users will be able to use the plain old query string to pass form data. You may have a hidden form field that contains secret, script-generated data, and the user can now just pass whatever they want for that data through the query string. Your scripts probably won't even check this data to make sure it is legitimate because you think that your script passed it.

To prevent this problem, use the POST method to submit your forms and use Request.Form() to retrieve your data. If a user tries to access your script without submitting the form, the data returned will be empty:

Form Page

<form method="POST" action="processform.asp">
<input type="hidden" name="UID" value="<%=intUID%>">
New Email: <input type="text" name="Email">
<input type="submit">
</form>


Processform.asp

intUID = Request.Form("UID")
strNewEmail = Request.Form("Email")


Also, if a specific page is only meant to be access with form data posted to it, you can make sure that this is the case. To do this, check the HTTP header "REQUEST_METHOD". If it's a form POST, then the value should be "POST". Use Request.ServerVariables() to retrieve this header value:

If Request.ServerVariables("REQUEST_METHOD") <> "POST" Then
Response.End
End If


The code above checks to see if the "REQUEST_METHOD" isn't "POST" and if it isn't, then the script terminates with Response.End.

Check Referer
Note that referer is spelt wrong in terms of the dictionary, but seeing as how it is misspelled in the HTTP protocol, which we are using, I will use the misspelled version. Checking the referer is good for pages that accept query string data and form data. Your scripts can check the referer data to make sure that it matches the domain of your site. When taking query string data, you can prevent users from typing in the URL to pass different data, or other sites from making links to pass different data. When taking form data, you can make sure that the form was submitted from your site, not a form someone put on their own web site.

HTTP_REFERER is another HTTP header, just like REQUEST_METHOD, and it can be accessed in the same way. The value returned will either be a full URL, if coming from a link or form post, or nothing, if the user typed in the URL directly.

I wrote the nifty function below that will check the referer and return True if the referer matches the domain the script is on, or False if it doesn't, or if there is no referer at all:

Public Function CheckReferer()

On Error Resume Next
Dim strHost, strReferer, blnCheckReferer
strHost = Request.ServerVariables("HTTP_HOST")
strReferer = Request.ServerVariables("HTTP_REFERER")
strReferer = Right(strReferer, Len(strReferer) - (InStr(1, strReferer, "://") + 2))
strReferer = Left(strReferer, InStr(1, strReferer, "/") - 1)

If strReferer = strHost Then
blnCheckReferer = True
Else
blnCheckReferer = False
End If

CheckReferer = blnCheckReferer

End Function


Validate Data
You need to validate all of the data that has been input by a user, to avoid SQL injection attacks. This seems like a simple idea, but it is where most of your malicious attacks can occur. Make sure data that is supposed to be numeric truly is, and that strings don't contain weird (read: any non alphanumeric) characters. To validate number variables, make sure that they contain a value, that the value is numeric, and if the number is a database ID that it isn't less than 0. If it doesn't meet these conditions, set it as 0 to prevent any problems.

If intID = "" OR IsNumeric(intID) = False OR intID < 0 Then
intID = 0
End If


To validate strings, make sure they don't contain specific program statements. If your string will be a filename, make sure that the user doesn't pass path data, such as slashes and dots (ex: "../"), or extensions like "exe". If your string will be executed as a database query, then check that it doesn't contain "--", ";", and possibly the SQL commands like "SELECT", "INSERT"</CODE"UPDATE", "DELETE", or anything others.

Also, be sure to escape all single quotes by changing them to two single quotes (''). When retrieved, the two single quotes will be escaped and returned as one.

Finally, for any data that will be retrieved and displayed on a webpage, make sure you HTMLEncode it so that the user can't insert any HTML tags into your site.

strData = Replace(strData, "../", "")
strData = Replace(strData, "--", "")
strData = Replace(strData, ";", "")
strData = Replace(strData, "'", "''")
strData = Server.HTMLEncode(strData)

blog comments powered by Disqus
ASP ARTICLES

- Central Scoreboard with Flash and ASP
- Calorie Counter Using WAP and ASP
- Creating PGP-Encrypted E-Mails Using ASP
- Be My Guest in ASP
- Session Replacement in ASP
- Securing ASP Data Access Credentials Using t...
- The Not So Ordinary Address Book
- Adding and Displaying Data Easily via ASP an...
- Sending Email From a Form in ASP
- Adding Member Services in ASP
- Removing Unconfirmed Members
- Trapping HTTP 500.100 - Internal Server Error
- So Many Rows, So Little Time! - Case Study
- XDO: An XML Engine Class for Classic ASP
- Credit Card Fraud Prevention Using ASP and C...

Watch our Tech Videos 
Dev Articles Forums 
 RSS  Articles
 RSS  Forums
 RSS  All Feeds
Write For Us 
Weekly Newsletter
 
Developer Updates  
Free Website Content 
Contact Us 
Site Map 
Privacy Policy 
Support 

Developer Shed Affiliates

 




© 2003-2017 by Developer Shed. All rights reserved. DS Cluster - Follow our Sitemap
Popular Web Development Topics
All Web Development Tutorials