[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

Problems with page

Posted on 2014-02-19
1
Medium Priority
?
430 Views
Last Modified: 2014-02-19
I have a page that filters a recordset, creates a session variable then redirects.

I ran a scan and found the following vulnerabilities:

---

Server responded 200 to unnecessarily large random request body(over 64 KB) for URL https://www.domain... etc ... , significantly increasing attacker's chances to prolong slow HTTP POST attack.

It has been detected by exploiting the parameter ASPSESSIONIDSUTBABRD
The payloads section will display a list of tests that show how the param could have been exploited to collect the information
Authentication:
In order to detect this content, no authentication has been required.
Access Path:
Here is the path followed by the scanner to reach the exploitable URL:

How can I secure this page to prevent this errors from happening ?
code.txt
0
Comment
Question by:amucinobluedot
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 54

Accepted Solution

by:
Scott Fell,  EE MVE earned 2000 total points
ID: 39870962
For sure you need to turn off parent paths.  It was common prior to iis7 to have them on. Then iis7 turned this off by default and many asp dev's turned it on so their scripts would not break.   The parent path thing can allow people to get outside of your web root.

http://www.iis.net/learn/application-frameworks/running-classic-asp-applications-on-iis-7-and-iis-8/classic-asp-parent-paths-are-disabled-by-default

The only thing you will need to change in your scripts for the most part are your include files.

This
<!--#include file="Connections.asp" -->
Would convert to
<!--#include virtual="/Connections.asp" -->
Or if it is in your connections folder
<!--#include virtual="/connections/Connections.asp" -->

Basically, links starting with ../ will need to be converted.


Why are you using client side to go to the next page?
<script language="javascript">
window.location.href="forgotpasswordsent.asp";
</script>

Open in new window

response.redirect will do it on the server before the page renders.
<%
response.redirect("forgotpasswordsent.asp")
%>

Open in new window

0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Today, the web development industry is booming, and many people consider it to be their vocation. The question you may be asking yourself is – how do I become a web developer?
The recent Petya-like ransomware attack served a big blow to hundreds of banks, corporations and government offices The Acronis blog takes a closer look at this damaging worm to see what’s behind it – and offers up tips on how you can safeguard your…
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question