XSS in Classic ASP

Posted on 2012-03-24
Last Modified: 2012-05-02
I have a giant sprawling site written in classic ASP with many, many pages and forms. We are looking for a solution that can help protect against cross-site scripting attacks. The ideal solution would be able to implement a custom regular expression (we would write that) globally or at the page level. We are aware of the standard solutions of validating input and encoding output using HTMLEncode.

I need an out-of-the-box solution here guys.

Possibility: Is there any way to override the Response Object or Response.Write in particular to have it validate before it writes...and similarly for the Request object?

Other info: We do have a file that is included into every page. This could be used to implement a page level solution quickly.

Thanks in advance for your brain power!
Question by:OEGrasshopper
4 Comments
 
LVL 29

Assisted Solution

by:sammySeltzer
sammySeltzer earned 100 total points
ID: 37764094
> Possibility: Is there any way to override the Response Object or Response.Write in particular to have it validate before it writes...and similarly for the Request object?

Can you show just a snippet of how you are currently writing the Response object or Response.Write, or reading Request?

It would seem to me that some sort of verification process should already be in place.

It is a bit harder to visualize your current situation without some sample code.
LVL 51

Assisted Solution

by:ahoffmann
ahoffmann earned 200 total points
ID: 37765051
> .. with many, many pages and forms.
If you have many pages to protect, did you think about using a WAF?
I'm not suggesting a WAF *as* the solution, but exactly for what you asked for: "a solution that can help protect".
Do you have a web server (probably as a transparent proxy) in front of your .asp applications (which is IIS, I guess)?

Accepted Solution

by:OEGrasshopper
OEGrasshopper earned 0 total points
ID: 37902122
Hi everyone, thanks for your help. In the end we used a "page wrapper" solution. We put an include into each page that allows each page to serve as its own proxy. So every request to every page on the server re-requests itself with a server-side ajax call. Within the process of re-requesting we sanitize the querystring and form bodies.
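The include-file approach the question asks about, as an added example that is not code from this thread and not OEGrasshopper's re-requesting page wrapper: a classic ASP (VBScript) include that gives every page a whitelist-validated reader for querystring and form fields driven by a custom regular expression, a whole-request sweep for pages you cannot edit field by field, and encoding helpers to call in place of bare Response.Write (classic ASP does not let you override the intrinsic Response or Request objects, so the page calls a helper instead). The file name, the function names, the default pattern and the 400 response are assumptions for illustration.

```vbscript
<%
' xss_guard.asp : page-level XSS guard for a classic ASP site.
' Added example for this thread; not the poster's page-wrapper code.
' Names, the default whitelist and the 400 response are illustrative assumptions.

' Site-wide whitelist (assumption): letters, digits, space and a little
' punctuation, up to 200 characters. Pages that take richer input pass their own.
Dim gDefaultPattern
gDefaultPattern = "^[A-Za-z0-9 _.,@\-]{0,200}$"

' True when the whole value matches the anchored pattern.
Function MatchesPattern(value, pattern)
    Dim re
    Set re = New RegExp
    re.Pattern = pattern
    re.IgnoreCase = False
    re.Global = False
    MatchesPattern = re.Test(value)
    Set re = Nothing
End Function

' Reject the whole request rather than trying to "clean" the value:
' a stripped value can still be dangerous, and stripping hides the attack.
Sub RejectRequest(key)
    Response.Clear
    Response.Status = "400 Bad Request"
    Response.Write "Invalid value for parameter " & Server.HTMLEncode(key)
    Response.End
End Sub

' Read one field (querystring first, then form body) and validate it against
' the given pattern. Page code calls this instead of Request("key").
Function SafeInputWith(key, pattern)
    Dim v
    v = Request.QueryString(key) & ""
    If v = "" Then v = Request.Form(key) & ""
    If Not MatchesPattern(v, pattern) Then Call RejectRequest(key)
    SafeInputWith = v
End Function

Function SafeInput(key)
    SafeInput = SafeInputWith(key, gDefaultPattern)
End Function

' Sweep every querystring and form field against one pattern. Call this right
' after the include on pages whose code you cannot edit field by field.
Sub GuardAllInputsWith(pattern)
    Dim k
    For Each k In Request.QueryString
        Call SafeInputWith(k, pattern)
    Next
    For Each k In Request.Form
        Call SafeInputWith(k, pattern)
    Next
End Sub

Sub GuardAllInputs()
    Call GuardAllInputsWith(gDefaultPattern)
End Sub

' Output helpers. Each one encodes for exactly one HTML context; pages call
' these wherever request-derived data is written instead of Response.Write.
Sub W(value)        ' text between HTML tags
    Response.Write Server.HTMLEncode(CStr(value))
End Sub

Sub WAttr(value)    ' inside a DOUBLE-quoted attribute only: Server.HTMLEncode
                    ' does not escape the apostrophe on every IIS version
    Response.Write Server.HTMLEncode(CStr(value))
End Sub

Sub WUrl(value)     ' one querystring component inside an href
    Response.Write Server.URLEncode(CStr(value))
End Sub
%>
```

Usage: pull the file in through the include that already sits in every page, call GuardAllInputs (or GuardAllInputsWith with a page-specific pattern) immediately after it, and replace every Response.Write of request-derived data with W, WAttr or WUrl. Two caveats a practitioner would want. First, the sweep is a coarse control: any page that legitimately accepts free text (comments, addresses, search boxes) will return 400 until it is given its own pattern, so expect to tune it page by page. Second, the input regex is not a substitute for output encoding, and the three helpers only cover the contexts named in their comments; untrusted data written into a script block, an event-handler attribute or a style rule needs different encoding and should not be emitted with these helpers.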

Author Closing Comment

by:OEGrasshopper
ID: 37918417
It was a complicated question. By the time any answers came in we had come up with a basic approach.