Tips To Prevent Improper Use Of Your ASP Scripts - Request Method (Page 2 of 3 )
I have seen many cases where programmers cut corners and use the generic Request() method to get their form data or query string data. This is not good for two reasons. One reason, not relating to security, is processing speed. The Request method contains ServerVariables, QueryString, Form, Cookies, and ClientCertificate. If you do not directly specify one, ASP will check ALL of them to see if the variable you are looking for exists.
The security concern here is that users will be able to use the plain old query string to pass form data. You may have a hidden form field that contains secret, script-generated data, and the user can now just pass whatever they want for that data through the query string. Your scripts probably won't even check this data to make sure it is legitimate because you think that your script passed it.
To prevent this problem, use the POST method to submit your forms and use Request.Form() to retrieve your data. If a user tries to access your script without submitting the form, the data returned will be empty:
Also, if a specific page is only meant to be access with form data posted to it, you can make sure that this is the case. To do this, check the HTTP header "REQUEST_METHOD". If it's a form POST, then the value should be "POST". Use Request.ServerVariables() to retrieve this header value:
If Request.ServerVariables("REQUEST_METHOD") <> "POST" Then Response.End End If
The code above checks to see if the "REQUEST_METHOD" isn't "POST" and if it isn't, then the script terminates with Response.End.
Check Referer Note that referer is spelt wrong in terms of the dictionary, but seeing as how it is misspelled in the HTTP protocol, which we are using, I will use the misspelled version. Checking the referer is good for pages that accept query string data and form data. Your scripts can check the referer data to make sure that it matches the domain of your site. When taking query string data, you can prevent users from typing in the URL to pass different data, or other sites from making links to pass different data. When taking form data, you can make sure that the form was submitted from your site, not a form someone put on their own web site.
HTTP_REFERER is another HTTP header, just like REQUEST_METHOD, and it can be accessed in the same way. The value returned will either be a full URL, if coming from a link or form post, or nothing, if the user typed in the URL directly.
I wrote the nifty function below that will check the referer and return True if the referer matches the domain the script is on, or False if it doesn't, or if there is no referer at all:
If strReferer = strHost Then blnCheckReferer = True Else blnCheckReferer = False End If
CheckReferer = blnCheckReferer
Validate Data You need to validate all of the data that has been input by a user, to avoid SQL injection attacks. This seems like a simple idea, but it is where most of your malicious attacks can occur. Make sure data that is supposed to be numeric truly is, and that strings don't contain weird (read: any non alphanumeric) characters. To validate number variables, make sure that they contain a value, that the value is numeric, and if the number is a database ID that it isn't less than 0. If it doesn't meet these conditions, set it as 0 to prevent any problems.
If intID = "" OR IsNumeric(intID) = False OR intID < 0 Then intID = 0 End If
To validate strings, make sure they don't contain specific program statements. If your string will be a filename, make sure that the user doesn't pass path data, such as slashes and dots (ex: "../"), or extensions like "exe". If your string will be executed as a database query, then check that it doesn't contain "--", ";", and possibly the SQL commands like "SELECT", "INSERT"</CODE"UPDATE", "DELETE", or anything others.
Also, be sure to escape all single quotes by changing them to two single quotes (''). When retrieved, the two single quotes will be escaped and returned as one.
Finally, for any data that will be retrieved and displayed on a webpage, make sure you HTMLEncode it so that the user can't insert any HTML tags into your site.