?
Solved

XSS in Classic ASP

Posted on 2012-03-24
4
Medium Priority
?
747 Views
Last Modified: 2012-05-02
I have a giant sprawling site written in classic asp with many, many pages and forms. We are looking for a solution that can help protect against cross site scripting attacks. The ideal solution would be able to implement a custom regular expression (we would write that) globally or at the page level. We are aware of the standard solutions of validating input and encoding output using htmlEncode.

I need an out of the box solution here guys.

Possibility: Is there any way to override the Response Object or Response.Write in particular to have it validate before it writes...and similarly for the Request object?

Other info: We do have a file that is included into every page. This could be used to implement a page level solution quickly.

Thanks in advance for your brain power!
0
Comment
Question by:OEGrasshopper
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 29

Assisted Solution

by:sammySeltzer
sammySeltzer earned 100 total points
ID: 37764094
Possibility: Is there any way to override the Response Object or Response.Write in particular to have it validate before it writes...and similarly for the Request object?

Can you show just a snippet of how you are currently writing the response object or response.write or request?

It would seem to be that some sort of verification process should already be in place.

It is  a bit harder to visualize your current situation without some sample code.
0
 
LVL 51

Assisted Solution

by:ahoffmann
ahoffmann earned 200 total points
ID: 37765051
> .. with many, many pages and forms.
if you have many pages to protect, did you think about using a WAF?
I'm not suggesting a WAF *as* solution but excatly for what your asked for "for a solution that can help protect"
Do you have a web server (probably as transparent proxy) before your .asp applications (which is IIS, i guess)
0
 

Accepted Solution

by:
OEGrasshopper earned 0 total points
ID: 37902122
Hi everyone, thanks for your help. In the end we used a "page wrapper" solution. We put an include into each page that allows each page to serve as its own proxy. So every request to every page on the server re-requests itself with a server-side ajax call. Within the process of re-requesting we sanitize the querystring and form bodies.
0
 

Author Closing Comment

by:OEGrasshopper
ID: 37918417
It was a complicated question. By the time any answers came in we had come up with a basic approach.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was asked about the differences between classic ASP and ASP.NET, so let me put them down here, for reference: Let's make the introductions... Classic ASP was launched by Microsoft in 1998 and dynamically generate web pages upon user interact…
The Windows functions GetTickCount and timeGetTime retrieve the number of milliseconds since the system was started. However, the value is stored in a DWORD, which means that it wraps around to zero every 49.7 days. This article shows how to solve t…
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question