Tips To Prevent Improper Use Of Your ASP Scripts
By Wes DeMoney
Introduction
To protect your scripts, files, and databases, you need to ensure
that user entered data that your scripts process is legitimate.
Users can pass strange data to try and crash your scripts, learn
your database username and password, or vandalize your site.
This article outlines simple techniques that you can use to
prevent malicious users from messing with your ASP scripts.
Request Method
I have seen many cases where programmers cut corners and use
the generic Request() method to get their form data or query
string data. This is not good for two reasons. One reason, not
relating to security, is processing speed. The Request method
contains ServerVariables, QueryString, Form, Cookies, and ClientCertificate.
If you do not directly specify one, ASP will check ALL of them
to see if the variable you are looking for exists.
The security concern here is that users will be able to use
the plain old query string to pass form data. You may have a
hidden form field that contains secret, script-generated data,
and the user can now just pass whatever they want for that data
through the query string. Your scripts probably won't even check
this data to make sure it is legitimate, because you assume that
your own script supplied it.
To prevent this problem, use the POST method to submit your
forms and use Request.Form() to retrieve your data. If a user
tries to access your script without submitting the form, the
data returned will be empty:
Form Page
Processform.asp
intUID = Request.Form("UID")
strNewEmail = Request.Form("Email")
Also, if a specific page is only meant to be accessed with form
data posted to it, you can make sure that this is the case.
To do this, check the HTTP header "REQUEST_METHOD". If it's
a form POST, then the value should be "POST". Use Request.ServerVariables()
to retrieve this header value:
If Request.ServerVariables("REQUEST_METHOD") <> "POST" Then
    Response.End
End If
The code above checks to see if the "REQUEST_METHOD" isn't "POST"
and if it isn't, then the script terminates with Response.End.
Check Referer
Note that "referer" is spelt wrong in terms of the dictionary, but
seeing as how it is misspelled in the HTTP protocol, which we are
using, I will use the misspelled version. Checking the referer is
good for pages that accept query string data and form data. Your
scripts can check the referer data to make sure that it matches
the domain of your site. When taking query string data, you can
prevent users from typing in the URL to pass different data, or
other sites from making links to pass different data. When taking
form data, you can make sure that the form was submitted from your
site, not a form someone put on their own web site.
HTTP_REFERER is another HTTP header, just like REQUEST_METHOD,
and it can be accessed in the same way. The value returned will
either be a full URL, if coming from a link or form post, or
nothing, if the user typed in the URL directly.
I wrote the nifty function below that will check the referer
and return True if the referer matches the domain the script
is on, or False if it doesn't, or if there is no referer at
all:
Public Function CheckReferer()
    On Error Resume Next
    Dim strHost, strReferer, intPos, blnCheckReferer
    strHost = Request.ServerVariables("HTTP_HOST")
    strReferer = Request.ServerVariables("HTTP_REFERER")
    ' Strip the scheme ("http://" or "https://") from the referer
    intPos = InStr(1, strReferer, "://")
    If intPos > 0 Then strReferer = Right(strReferer, Len(strReferer) - (intPos + 2))
    ' Keep only the host part, up to the first "/" (if there is one)
    intPos = InStr(1, strReferer, "/")
    If intPos > 0 Then strReferer = Left(strReferer, intPos - 1)
    ' Host names are case-insensitive, so compare them as text
    If strReferer <> "" And StrComp(strReferer, strHost, vbTextCompare) = 0 Then
        blnCheckReferer = True
    Else
        blnCheckReferer = False
    End If
    CheckReferer = blnCheckReferer
End Function
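The two gates described above (REQUEST_METHOD must be POST, and the referer host must equal the script's own host) as an added example, written in Python rather than ASP so that it can be run stand-alone; it is not code from the article. A plain dict of header values stands in for Request.ServerVariables(), and the function names and sample requests are this example's own. It parses the referer with urlsplit so that a URL with no path, upper-case letters, userinfo, or an explicit default port compares correctly, and it reports why a request was rejected.

```python
"""Gate a form handler on request method and Referer host.

Added example, not code from the original article: the article's
VBScript checks on REQUEST_METHOD and HTTP_REFERER re-expressed in
Python. The `headers` dict stands in for Request.ServerVariables();
the function names and sample header values are this example's own.
"""
from urllib.parse import urlsplit

# Ports browsers omit from the Host header; dropped so that
# "http://www.example.com:80/" and Host "www.example.com" compare equal.
_DEFAULT_PORTS = (80, 443)


def normalise_host(host_header):
    """Lower-case a Host header value and drop an explicit default port."""
    host = host_header.strip().lower()
    if ":" in host and not host.endswith("]"):   # "]" means a bare IPv6 literal
        name, _, port = host.rpartition(":")
        if port.isdigit() and int(port) in _DEFAULT_PORTS:
            return name
    return host


def referer_host(referer):
    """Return the normalised host[:port] of a Referer URL, or "" if the
    header is absent or is not a parseable absolute URL.

    urlsplit() copes with cases that slicing on "://" and "/" gets wrong:
    a URL with no path, userinfo before the host, mixed-case letters.
    """
    if not referer:
        return ""
    try:
        parts = urlsplit(referer.strip())
        hostname = parts.hostname   # lower-cased, userinfo removed
        port = parts.port           # None if absent; ValueError if junk
    except ValueError:
        return ""
    if not hostname:
        return ""
    if ":" in hostname:             # IPv6 literal: restore the brackets
        hostname = f"[{hostname}]"
    if port is None or port in _DEFAULT_PORTS:
        return hostname
    return f"{hostname}:{port}"


def require_post_from_same_host(headers):
    """Apply the article's two gates and return (allowed, reason).

    The Referer is supplied by the client and may be missing (privacy
    settings, some proxies), so this is a cheap sanity check that
    complements, rather than replaces, validation of the posted fields.
    """
    if headers.get("REQUEST_METHOD", "").upper() != "POST":
        return False, "request method is not POST"
    referer = referer_host(headers.get("HTTP_REFERER", ""))
    if not referer:
        return False, "no usable Referer header"
    if referer != normalise_host(headers.get("HTTP_HOST", "")):
        return False, "Referer host does not match Host header"
    return True, "ok"


# Constructed sample requests, as a classic ASP script would see them.
SAMPLE_REQUESTS = {
    "form post": {
        "REQUEST_METHOD": "POST",
        "HTTP_HOST": "www.example.com",
        "HTTP_REFERER": "http://www.example.com/form.asp",
    },
    "typed URL": {
        "REQUEST_METHOD": "GET",
        "HTTP_HOST": "www.example.com",
        "HTTP_REFERER": "",
    },
    "foreign form": {
        "REQUEST_METHOD": "POST",
        "HTTP_HOST": "www.example.com",
        "HTTP_REFERER": "http://www.example.com.elsewhere.test/copy.html",
    },
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_REQUESTS.items():
        print(f"{label:13s}: {require_post_from_same_host(hdrs)}")
```

The comparison is exact, so a referer host that merely contains your domain name does not match. Because the referer is sent by the client and is sometimes blank, a failed check is a reason to refuse the request; a passed check is not proof that the posted data itself is safe, so the validation described in the next section still applies.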
Validate Data
You need to validate all of the data that has been input by a user,
to avoid SQL injection attacks. This seems like a simple idea, but
it is where most of your malicious attacks can occur. Make sure data
that is supposed to be numeric truly is, and that strings don't
contain weird (read: any non-alphanumeric) characters. To validate
number variables, make sure that they contain a value, that the value
is numeric, and, if the number is a database ID, that it isn't less
than 0. If it doesn't meet these conditions, set it to 0 to prevent
any problems.
If intID = "" Or IsNumeric(intID) = False Or intID < 0 Then
    intID = 0
End If
To validate strings, make sure they don't contain specific program
statements. If your string will be a filename, make sure that
the user doesn't pass path data, such as slashes and dots (ex:
"../"), or extensions like "exe". If your string will be executed
as a database query, then check that it doesn't contain "--",
";", and possibly the SQL commands like "SELECT", "INSERT"
Also, be sure to escape all single quotes by changing them to
two single quotes (''). When retrieved, the two single quotes
will be escaped and returned as one.
Finally, for any data that will be retrieved and displayed on
a webpage, make sure you HTMLEncode it so that the user can't
insert any HTML tags into your site.
' Remove path traversal sequences from filenames
strData = Replace(strData, "../", "")
' Remove SQL comment and statement separators
strData = Replace(strData, "--", "")
strData = Replace(strData, ";", "")
' Escape single quotes for use inside a SQL string literal
strData = Replace(strData, "'", "''")
' Encode HTML so tags are displayed rather than interpreted
strData = Server.HTMLEncode(strData)
Conclusion
In this article we've looked at some basic ways in which you
can reduce the likelihood of users interacting with your scripts
in unforeseen ways. Of course, you can only prevent a limited
amount of misuse by "patching" your scripts: IIS itself has been
the main culprit behind many a worm, virus, or attack, so make sure
you use the Windows Update feature to keep IIS patched up and
secure. It could end up saving your web site!
Do you have any more tips on how to prevent your scripts from
being misused? Visit the forum
thread for this article to tell us about them!
About the Author
Wes is one of the minds behind infinetSoftware. InfinetSoftware
are the developers of Real Assistant, which is a real-time ASP
based live support application.
Many more Java, ASP, PHP, .NET and C++ articles like this one
are available at http://www.devarticles.com.
If you're in search of free scripts to help make your life as
a developer easier, why not check out http://www.devscripts.com