Solved

XSS in Classic ASP

Posted on 2012-03-24
4
726 Views
Last Modified: 2012-05-02
I have a giant sprawling site written in classic asp with many, many pages and forms. We are looking for a solution that can help protect against cross site scripting attacks. The ideal solution would be able to implement a custom regular expression (we would write that) globally or at the page level. We are aware of the standard solutions of validating input and encoding output using htmlEncode.

I need an out of the box solution here guys.

Possibility: Is there any way to override the Response Object or Response.Write in particular to have it validate before it writes...and similarly for the Request object?

Other info: We do have a file that is included into every page. This could be used to implement a page level solution quickly.

Thanks in advance for your brain power!
0
Comment
Question by:OEGrasshopper
  • 2
4 Comments
 
LVL 28

Assisted Solution

by:sammySeltzer
sammySeltzer earned 50 total points
Comment Utility
Possibility: Is there any way to override the Response Object or Response.Write in particular to have it validate before it writes...and similarly for the Request object?

Can you show just a snippet of how you are currently writing the response object or response.write or request?

It would seem to be that some sort of verification process should already be in place.

It is  a bit harder to visualize your current situation without some sample code.
0
 
LVL 51

Assisted Solution

by:ahoffmann
ahoffmann earned 100 total points
Comment Utility
> .. with many, many pages and forms.
if you have many pages to protect, did you think about using a WAF?
I'm not suggesting a WAF *as* solution but excatly for what your asked for "for a solution that can help protect"
Do you have a web server (probably as transparent proxy) before your .asp applications (which is IIS, i guess)
0
 

Accepted Solution

by:
OEGrasshopper earned 0 total points
Comment Utility
Hi everyone, thanks for your help. In the end we used a "page wrapper" solution. We put an include into each page that allows each page to serve as its own proxy. So every request to every page on the server re-requests itself with a server-side ajax call. Within the process of re-requesting we sanitize the querystring and form bodies.
0
 

Author Closing Comment

by:OEGrasshopper
Comment Utility
It was a complicated question. By the time any answers came in we had come up with a basic approach.
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

I have helped a lot of people on EE with their coding sources and have enjoyed near about every minute of it. Sometimes it can get a little tedious but it is always a challenge and the one thing that I always say is:  The Exchange of information …
This article will show, step by step, how to integrate R code into a R Sweave document
Learn the basics of modules and packages in Python. Every Python file is a module, ending in the suffix: .py: Modules are a collection of functions and variables.: Packages are a collection of modules.: Module functions and variables are accessed us…
In this fourth video of the Xpdf series, we discuss and demonstrate the PDFinfo utility, which retrieves the contents of a PDF's Info Dictionary, as well as some other information, including the page count. We show how to isolate the page count in a…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now