Question

ASP Request got encrypted by itself? Server Side, End User or what is the exact cause?

Asked by: ryancys

Hi,

Recently my client claims that the customer feedback they received is displaying unreadable text (see below).

My question is: What are the possibilities that caused this?

* This only happens randomly maybe once or twice daily
* The "encrypted" text is all from text fields (named like a series of f_val_1, f_val_2, ... )
* I did the test from my end, even with some foreign characters, but no problem at all

Scripts are like this:

<%
    Server.ScriptTimeout = 600

    ' Disable caching of the response
    response.expires = 0
    response.expiresabsolute = Now() - 1
    response.addHeader "pragma","no-cache"
    response.addHeader "cache-control","private"
    Response.CacheControl = "no-cache"

    ' Send and read everything as UTF-8
    Response.AddHeader "Content-Type","text/html;charset=UTF-8"
    Response.CodePage = 65001
    Session.CodePage = 65001
    Response.CharSet = "utf-8"

....

    ' Append each submitted label/value pair (f_fld_N / f_val_N) to the e-mail body.
    ' Note: the values go into the HTML body exactly as submitted (no Server.HTMLEncode).
    if Request.form <> "" then
        cnt = 1
        for i = 1 to 100
            f = "f_fld_" & cnt
            if request.form(f) <> "" then
                EmailBody = EmailBody & "<strong>" & request.form(f) & "</strong>: " & request.form("f_val_" & cnt) & "<br><br>"
                cnt = cnt + 1
            end if
        next
    end if

...
%>

Any ideas? Thanks!

Name : glazqeKkZh
 
Contact Number : dzNbtPVcuARtumocAb
 
Country : Singapore
 
Email Address : gzcnZBsHtyLHAWNVkJt
 
What do you think about our website : Excellent
 
Comments and / or Suggestions : JDZIKE   lcyntnwjyfui , [url=http://jbdhsedepmoz.com/]jbdhsedepmoz[/url], [link=http://irvoeaggrago.com/]irvoeaggrago[/link], http://drngvelvudlx.com/

                                  

This Question has been solved and asker verified.

Asked On: 2009-03-25 at 20:11:36 (ID 24266007)
Tags: ASP Request Unreadable Encrypted
Topics: Active Server Pages (ASP), Anti-Virus, Web Browsers
Participating Experts: 2
Points: 500
Comments: 14


Answers

 

by: sybe | Posted on 2009-03-25 at 23:35:06 | ID: 23987776

Are you sure that this is not what the user entered? Maybe a bot is entering random strings in the form field. Especially because it seems that the dropdown-values are not messy: "Country : Singapore" and "What do you think about our website : Excellent" seems to go without any trouble. (At least I think that these values come from dropdowns).

It does not look like any encryption I know.  It is more like a randomly generated string with only alphabetical characters.

 

by: warturtle | Posted on 2009-03-26 at 02:47:56 | ID: 23988516

Yes, I would agree with sybe as well. It seems someone has figured out what your script is called and has programmed to submit random characters to your script. Try putting one of those randomly-generated pictures for the user to enter which is like a picture but has text within. I cannot think of the specific name right now, but every time a user tries to submit something they see a random image with text written in it and they have to copy that into the textbox below. If they don't do it properly, their request would not be submitted. This way, you would be safe from the experimenters.

 

by: warturtle | Posted on 2009-03-26 at 02:48:57 | ID: 23988522

Got it... anti-spam image... like this: http://www.theblog.ca/random-anti-spam

 

by: ryancys | Posted on 2009-03-26 at 02:56:52 | ID: 23988566

>>Try putting one of those randomly-generated pictures for the user to enter which is like a picture but has text within

Yes, we actually have that, but the images are not randomly generated on the spot due to some server limitation.

Anything I can do to enhance the security? Do I have to check the Page Referrer to prevent users from posting from other places?

 

by: sybe | Posted on 2009-03-26 at 03:20:54 | ID: 23988712

An interesting method is the reverse captcha, http://www.ccs.uottawa.ca/webmaster/reverse-captcha.html

The basic idea is to add a form field which is invisible to users, so they will always leave it blank. Bots don't know that, and will enter something in it. That makes filtering easy.

 

by: warturtle | Posted on 2009-03-26 at 03:25:35 | ID: 23988744

Yes, I would suggest putting a small javascript code for capturing IP address of the end-user. And make sure to advertise it on your website as well, just say 'IP Logged'. That might deter the random users of this script. Referer Check might also be a good idea.

For finding IP, just capture the HTTP variable REMOTE_ADDR and show it on the webpage. That might scare them. And over time, make sure to have a quick look at the logs and summarize the number of random access attempts, you might also be able to block IP if it continues.

 

by: ryancys | Posted on 2009-03-26 at 08:00:44 | ID: 23991158

Hi sybe,

Interesting post for the Reverse Captcha!

Hi warturtle,

Yes, I guess I will suggest my client to allow to add the IP Address into the EmailBody, but think will not show the IP on the thank you page.


Let me sort it out (maybe combine suggestions above) and get back to you guys soon, thanks a lot guys ;^)

 

by: ryancys | Posted on 2009-03-29 at 19:29:19 | ID: 24015675

Hi guys,

Btw, just thinking: are there any scripts available that are "smart" enough to detect the "way" the data was entered, to diagnose whether the data entered is possibly from a bot/spam or not?

 

by: warturtle | Posted on 2009-03-30 at 01:54:13 | ID: 24017006

I think it would be hard to find out unless you have some verifiable information that is entered such as a postcode or something which can be verified against a public database or something like that. Not sure what other experts think.

 

by: sybe | Posted on 2009-03-30 at 02:07:15 | ID: 24017063

You could have a javascript function that measures the time between object.focus() and object.blur() - that would give you the length of time a user has spent typing. The problem is that you need to include the results of these measurements in a (hidden) form field. A bot could give that form field any value.
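A server-side filter for the form handler, as an added example that is not part of any poster's reply: it combines the reverse captcha with a fill-time check whose timestamp is kept in the ASP Session rather than in a hidden field (so the client cannot set it), and rejects link markup like that in the sample submission. The honeypot field name "website", the Session key "form_shown_at" and the 5-second threshold are assumptions.

```vbscript
<%
' Added example. Assumed names: honeypot field "website", Session key
' "form_shown_at", MIN_FILL_SECONDS. The page that renders the form is
' assumed to run   Session("form_shown_at") = Now()
' and to contain a text input named "website" hidden from people with CSS.
Const MIN_FILL_SECONDS = 5

' True when text carries BBCode or HTML link markup, as in the sample submission.
Function HasLinkMarkup(ByVal text)
    Dim re
    Set re = New RegExp
    re.IgnoreCase = True
    re.Pattern = "\[(url|link)=|<a\s+href"
    HasLinkMarkup = re.Test(text)
End Function

' Returns "" for an acceptable post, otherwise the reason for rejecting it.
Function RejectReason(ByVal honeypot, ByVal shownAt)
    Dim i
    RejectReason = ""
    If Len(Trim(honeypot)) > 0 Then
        RejectReason = "honeypot field filled"
    ElseIf Not IsDate(shownAt) Then
        RejectReason = "form not rendered in this session"
    ElseIf DateDiff("s", CDate(shownAt), Now()) < MIN_FILL_SECONDS Then
        RejectReason = "submitted too quickly"
    Else
        ' Same f_val_N naming as the original script
        For i = 1 To 100
            If HasLinkMarkup(Request.Form("f_val_" & i) & "") Then
                RejectReason = "link markup in f_val_" & i
                Exit For
            End If
        Next
    End If
End Function

Dim reason
reason = RejectReason(Request.Form("website") & "", Session("form_shown_at"))
Session.Contents.Remove "form_shown_at"   ' each rendered form accepts one post
If reason <> "" Then
    ' Do not echo the reason: it would tell the bot which check to work around.
    Response.Status = "400 Bad Request"
    Response.Write "Your message could not be accepted."
    Response.End
End If
' Otherwise continue to build EmailBody as in the original script.
%>
```

Visitors whose browsers refuse the session cookie will fail the second check, so log the value of `reason` together with REMOTE_ADDR for a while before relying on it.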

 

by: ryancys | Posted on 2009-03-30 at 02:18:22 | ID: 24017117

I'm adding the "HTTP_REFERER" comparison in my scripts, is this enough to prevent bot attacks?

 

by: warturtle | Posted on 2009-03-30 at 03:04:18 | ID: 24017329

It is possible to spoof the HTTP_REFERER (http://www.datatrendsoftware.com/spoof.html); the checks on it might not be accurate. Plus, the internet is full of anonymous proxies that anyone can use to hide their actual location. But it might be worth trying to do that and see if it works that way.

I saw this other article, which mentions quite a unique way of doing things: what it does is put a wrong form action URL and then change it with a javascript onsubmit function. Since a bot is automated and doesn't understand javascript, it can be handled that way. Or alternatively, you could specify the form action within javascript code and skip the form action in HTML altogether; that will not give anything away to automated bots and might help keep them at bay. Need to make sure that javascript is allowed on the client-side.

http://www.webdeveloper.com/forum/showthread.php?t=103677

 

by: ryancys | Posted on 2009-04-03 at 06:57:13 | ID: 31562830

Thanks guys for the comments, some of the info here is very useful. Will ask again if I get a similar problem in the future. Cheers

 

by: warturtle | Posted on 2009-04-03 at 07:00:54 | ID: 24060025

Thanks for the feedback and happy to be of help :)
