Solved

XSS in Classic ASP

Posted on 2012-03-24
4
736 Views
Last Modified: 2012-05-02
I have a giant sprawling site written in classic asp with many, many pages and forms. We are looking for a solution that can help protect against cross site scripting attacks. The ideal solution would be able to implement a custom regular expression (we would write that) globally or at the page level. We are aware of the standard solutions of validating input and encoding output using htmlEncode.

I need an out of the box solution here guys.

Possibility: Is there any way to override the Response Object or Response.Write in particular to have it validate before it writes...and similarly for the Request object?

Other info: We do have a file that is included into every page. This could be used to implement a page level solution quickly.

Thanks in advance for your brain power!
0
Comment
Question by:OEGrasshopper
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 28

Assisted Solution

by:sammySeltzer
sammySeltzer earned 50 total points
ID: 37764094
Possibility: Is there any way to override the Response Object or Response.Write in particular to have it validate before it writes...and similarly for the Request object?

Can you show just a snippet of how you are currently writing the response object or response.write or request?

It would seem to be that some sort of verification process should already be in place.

It is  a bit harder to visualize your current situation without some sample code.
0
 
LVL 51

Assisted Solution

by:ahoffmann
ahoffmann earned 100 total points
ID: 37765051
> .. with many, many pages and forms.
if you have many pages to protect, did you think about using a WAF?
I'm not suggesting a WAF *as* solution but excatly for what your asked for "for a solution that can help protect"
Do you have a web server (probably as transparent proxy) before your .asp applications (which is IIS, i guess)
0
 

Accepted Solution

by:
OEGrasshopper earned 0 total points
ID: 37902122
Hi everyone, thanks for your help. In the end we used a "page wrapper" solution. We put an include into each page that allows each page to serve as its own proxy. So every request to every page on the server re-requests itself with a server-side ajax call. Within the process of re-requesting we sanitize the querystring and form bodies.
0
 

Author Closing Comment

by:OEGrasshopper
ID: 37918417
It was a complicated question. By the time any answers came in we had come up with a basic approach.
0

Featured Post

Space-Age Communications Transitions to DevOps

ViaSat, a global provider of satellite and wireless communications, securely connects businesses, governments, and organizations to the Internet. Learn how ViaSat’s Network Solutions Engineer, drove the transition from a traditional network support to a DevOps-centric model.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

It is becoming increasingly popular to have a front-page slider on a web site. Nearly every TV website,  magazine or online news has one on their site, and even some e-commerce sites have one. Today you can use sliders with Joomla, WordPress or …
Recently I have been answering a lot of questions like this in IT forums that I frequent. The question posed is usually something along the lines of "We have software X installed and need to uninstall it for reason Y" or some other variant of the sa…
Learn the basics of strings in Python: declaration, operations, indices, and slicing. Strings are declared with quotations; for example: s = "string": Strings are immutable.: Strings may be concatenated or multiplied using the addition and multiplic…
The viewer will learn how to dynamically set the form action using jQuery.

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question