March 2, 2016

Classic ASP - Intro to User Input [x01]

This is the beginning of a promised multi-part set of posts on Classic ASP. Why might I even write a post about such a dated language? Well, I personally maintain a very large chunk of Classic ASP for my job, but it also still has quite a foothold on the internet (and ASP.NET gets lumped in with it, thanks to the .ASPX extension and other random decisions by Microsoft). Lo and behold, the internet is still stuck on a lot of old, dated technology. These factors need to be kept in mind when evaluating the security of a site, web app, or any other web service.
Source: http://trends.builtwith.com/framework 

The Research Phase...

I made the terrible mistake of googling around for Classic ASP security best practices, which led to some rather hilarious examples of horrible things to do. Granted, most articles were written five to ten years ago, soo... I guess they are excused. Either way, I found some good, some terrible, and some mildly in-between. I'll be sharing my opinions and the opinions of others for the rest of these blog posts. Expect about one (maybe two) OWASP Top 10 items to appear in a post.

Let's Talk About User Input

Web programming, like all other types of programming, has areas where the user can input information. These are the areas which matter the most for almost ALL attacks. Before securing Classic ASP, you need to know how input from the user is gathered. Listed below are most (I'm not perfect) of the methods for obtaining information from the user.
  • Request.Form() -- Data in the POST body of a web request
  • Request.QueryString() -- Data in the request's URL query string (ex. foo.com?item=1)
  • Request.ServerVariables() -- Other data in the request (ex. User Agent, Referrer, etc)
    • ex. Request.ServerVariables("HTTP_USER_AGENT")
  • Request.Cookies() -- Cookies attached to the request
Refer to the MSDN Article on Request for more information.

These calls will be very important for almost every other post. As with most security practices, the user is to NEVER be trusted. It's always best to assume all users are malicious.
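As an added example (not code from the original post), here is a small Classic ASP page that reads from each of the Request collections listed above, validates each value against what the page actually expects, and encodes anything it reflects back to the browser. The field names "item", "comment" and "session" are assumptions made up for the example.

```asp
<%@ Language="VBScript" %>
<% Option Explicit

' Constructed example: read values from each Request collection named in
' the post, validate them against what the page expects, and encode
' anything reflected back to the browser. Field names are made up.

' Pull "item" from the query string only and accept it only if it looks
' like a small positive integer. Classic ASP joins repeated parameters
' (?item=1&item=2) into "1, 2", so the strict pattern also rejects that
' parameter-pollution case; absent or bad input yields 0.
Function GetItemId()
    Dim raw, re
    raw = Trim(CStr(Request.QueryString("item")))
    Set re = New RegExp
    re.Pattern = "^[1-9][0-9]{0,8}$"
    If re.Test(raw) Then
        GetItemId = CLng(raw)
    Else
        GetItemId = 0
    End If
End Function

' POST body field: cap its length and HTML-encode it before echoing, since
' Response.Write of raw form data is the classic XSS sink.
Function SafeComment()
    Dim raw
    raw = CStr(Request.Form("comment"))
    If Len(raw) > 500 Then raw = Left(raw, 500)
    SafeComment = Server.HTMLEncode(raw)
End Function

' Header and cookie values are attacker-controlled too; treat them exactly
' like form fields and never echo them raw.
Function SafeUserAgent()
    SafeUserAgent = Server.HTMLEncode(CStr(Request.ServerVariables("HTTP_USER_AGENT")))
End Function
Function HasSessionCookie()
    HasSessionCookie = (Len(CStr(Request.Cookies("session"))) > 0)
End Function

' Deliberately NOT using the bare Request("item") shortcut: it searches
' QueryString, Form, Cookies, ClientCertificate and ServerVariables in that
' order, so a cookie or form field could silently supply the value.
%>
<p>Item: <%= GetItemId() %></p>
<p>Comment: <%= SafeComment() %></p>
<p>Your browser: <%= SafeUserAgent() %></p>
<p>Session cookie present: <%= HasSessionCookie() %></p>
```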

XKCD 327 - Bobby Tables (aka Why Not to Trust User Input)

That ends this part of my Classic ASP series. Up next is Cross-Site Scripting (XSS)... Stay tuned!
