XSS in Classic ASP

I have a giant sprawling site written in classic asp with many, many pages and forms. We are looking for a solution that can help protect against cross site scripting attacks. The ideal solution would be able to implement a custom regular expression (we would write that) globally or at the page level. We are aware of the standard solutions of validating input and encoding output using htmlEncode.

I need an out of the box solution here guys.

Possibility: Is there any way to override the Response Object or Response.Write in particular to have it validate before it writes...and similarly for the Request object?

Other info: We do have a file that is included into every page. This could be used to implement a page level solution quickly.

Thanks in advance for your brain power!
OEGrasshopperAsked:
Who is Participating?
 
OEGrasshopperConnect With a Mentor Author Commented:
Hi everyone, thanks for your help. In the end we used a "page wrapper" solution. We put an include into each page that allows each page to serve as its own proxy. So every request to every page on the server re-requests itself with a server-side ajax call. Within the process of re-requesting we sanitize the querystring and form bodies.
0
 
sammySeltzerConnect With a Mentor Commented:
Possibility: Is there any way to override the Response Object or Response.Write in particular to have it validate before it writes...and similarly for the Request object?

Can you show just a snippet of how you are currently writing the response object or response.write or request?

It would seem to be that some sort of verification process should already be in place.

It is  a bit harder to visualize your current situation without some sample code.
0
 
ahoffmannConnect With a Mentor Commented:
> .. with many, many pages and forms.
if you have many pages to protect, did you think about using a WAF?
I'm not suggesting a WAF *as* solution but excatly for what your asked for "for a solution that can help protect"
Do you have a web server (probably as transparent proxy) before your .asp applications (which is IIS, i guess)
0
 
OEGrasshopperAuthor Commented:
It was a complicated question. By the time any answers came in we had come up with a basic approach.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.