Anti XSS and Classic ASP

I'm currently trying to secure my classic ASP application from XSS. I came across the AntiXSS library from Microsoft on the net and I was wondering if this would work with a classic application?

If not, do you have any ideas how I could go about sanitizing the strings?

Steoates asked Apr 07 '09 13:04


3 Answers

To sanitize strings I would HTML encode all output; that way you don't have to dink around with special characters or huge regex expressions:

Server.HTMLEncode(string) 

The two most important countermeasures to prevent cross-site scripting attacks are to:

  • Constrain input.
  • Encode output.

via How To: Prevent Cross-Site Scripting in ASP.NET (I know it's not classic ASP but there are similar principles)

missaghi answered Nov 09 '22 14:11
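The "encode output" advice above depends on the context the value lands in: the built-in Server.HTMLEncode covers element text and double-quoted attributes but leaves the single quote alone, and it is the wrong encoder for a value placed inside a JavaScript string. The classic ASP page below is an added example, not code from the question or from this answer; the helper names EncodeHtml and EncodeJsString and the "name" query-string parameter are my own assumptions.

```vbscript
<%
' Added example: context-specific output encoding in classic ASP.
' Server.HTMLEncode is the built-in IIS method; the helper names are assumed.

' HTML text and double-quoted attribute context. Server.HTMLEncode handles
' & < > and the double quote but not the single quote, so add that here.
Function EncodeHtml(value)
    EncodeHtml = Replace(Server.HTMLEncode(value & ""), "'", "&#39;")
End Function

' Inline JavaScript string context (inside a quoted literal in <script>).
' Escape everything that could end the literal, end the script block, or
' break the line. Backslash is handled first so later escapes are not doubled.
Function EncodeJsString(value)
    Dim s
    s = value & ""
    s = Replace(s, "\", "\\")
    s = Replace(s, "'", "\'")
    s = Replace(s, """", "\""")
    s = Replace(s, "<", "\x3C")
    s = Replace(s, ">", "\x3E")
    s = Replace(s, "&", "\x26")
    s = Replace(s, vbCr, "\r")
    s = Replace(s, vbLf, "\n")
    EncodeJsString = s
End Function

' Untrusted input: a query-string parameter the visitor controls (assumed name).
Dim userName
userName = Request.QueryString("name")
%>
<!-- HTML text context -->
<p>Hello, <%= EncodeHtml(userName) %></p>

<!-- HTML attribute context: always quote the attribute and HTML-encode the value -->
<input type="text" name="name" value="<%= EncodeHtml(userName) %>">

<!-- JavaScript string context: JS-encode, and keep the quotes around the literal -->
<script type="text/javascript">
    var userName = '<%= EncodeJsString(userName) %>';
</script>
```

The `value & ""` coercion keeps the helpers from raising an error on Empty or Null values, which Request.QueryString returns when the parameter is absent. A value that ends up in a URL (a query-string parameter you build yourself) needs Server.URLEncode instead; none of the three encoders above is interchangeable with another.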


When functions don't exist in classic ASP, write them.

Add and strip slashes

<%
    ' Copyright (c) 2009, reusablecode.blogspot.com; some rights reserved.
    '
    ' This work is licensed under the Creative Commons Attribution License. To view
    ' a copy of this license, visit http://creativecommons.org/licenses/by/3.0/ or
    ' send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California
    ' 94305, USA.
 
    ' Despite the identical naming, these functions are more comprehensive than their PHP equivalents. 
    ' They go above and beyond even mysql_real_escape_string(), by including support for backspace and horizontal tab.
 
    ' List of characters handled:
    ' \000 null
    ' \010 backspace
    ' \011 horizontal tab
    ' \012 new line
    ' \015 carriage return
    ' \032 substitute
    ' \042 double quote
    ' \047 single quote
    ' \134 backslash
    ' \140 grave accent
 
    ' Returns a string with backslashes before characters that need to be quoted in database queries
    function addslashes(unsafeString)
        dim regEx
 
        set regEx = new RegExp
 
        with regEx
            .Global = true
            .IgnoreCase = true
            .Pattern = "([\000\010\011\012\015\032\042\047\134\140])"
        end with
 
        addslashes = regEx.replace(unsafeString, "\$1")
 
        set regEx = nothing
    end function
 
    ' Un-quote string quoted with addslashes()
    function stripslashes(safeString)
        dim regEx
 
        set regEx = new RegExp
 
        with regEx
            .Global = true
            .IgnoreCase = true
            .Pattern = "\\([\000\010\011\012\015\032\042\047\134\140])"
        end with
 
        stripslashes = regEx.replace(safeString, "$1")
 
        set regEx = nothing
    end function
%>

htmlspecialchars()

<%
    ' Copyright (c) 2009, reusablecode.blogspot.com; some rights reserved.
    '
    ' This work is licensed under the Creative Commons Attribution License. To view
    ' a copy of this license, visit http://creativecommons.org/licenses/by/3.0/ or
    ' send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California
    ' 94305, USA.
 
    ' Convert special characters to HTML entities.
    ' Only & < > and the double quote are converted; the single quote is left as-is,
    ' so the result is safe in element text and double-quoted attributes, but not
    ' inside a single-quoted attribute.
    function htmlspecialchars(someString)
        ' Critical that ampersand is converted first, since all entities contain them.
        htmlspecialchars = replace(replace(replace(replace(someString, "&", "&amp;"), ">", "&gt;"), "<", "&lt;"), """", "&quot;")
    end function
 
    ' Convert HTML entities to special characters.
    function htmlspecialchars_decode(someString)
        htmlspecialchars_decode = replace(replace(replace(replace(someString, "&amp;", "&"), "&gt;", ">"), "&lt;", "<"), "&quot;", """")
    end function
%>

strip_tags()

<%
    ' Copyright (c) 2008, reusablecode.blogspot.com; some rights reserved.
    '
    ' This work is licensed under the Creative Commons Attribution License. To view
    ' a copy of this license, visit http://creativecommons.org/licenses/by/3.0/ or
    ' send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California
    ' 94305, USA.
 
    ' Strip HTML/ASP/PHP tags from a string.
    function strip_tags(unsafeString)
        dim regEx
 
        set regEx = new RegExp
 
        with regEx
            .Global = true
            .IgnoreCase = true
            .Pattern = "(\<(/?[^\>]+)\>)"
        end with
 
        strip_tags = regEx.Replace(unsafeString, "")
 
        set regEx = nothing
    end function
%>
Scott answered Nov 09 '22 13:11


If you do have to allow certain HTML tags (as I do in my current project), you can use a regex to allow only those tags and no others, like so:

set objRegExp = new RegExp
with objRegExp
    ' Match any tag that is NOT one of the bare allowed tags <b>, </b>, <i>, <em>,
    ' <strong>, <br> or <br/>; those pass through untouched. The negative lookahead
    ' expresses "not one of these" (a ^ inside the pattern would be a start-of-string
    ' anchor, not a negation). A tag that carries attributes does not satisfy the
    ' lookahead, so it is removed along with every unknown tag.
    .Pattern = "<(?!/?(b|i|em|strong|br)\s*/?>)[^>]*>"
    .IgnoreCase = True
    .Global = True
end with
cleanString = objRegExp.replace(originalString, "")
Dave DuPlantis answered Nov 09 '22 13:11
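Both the strip_tags() function two answers up and the allow-list regex here work by removing markup and then trusting whatever is left to be printed raw. An approach that fails safe is the reverse: HTML-encode the whole string first, then turn back only the exact, attribute-free tags you want to allow. Anything that is not one of those literal strings stays encoded and is displayed as text. This is an added example, not code from either answer; AllowBasicTags and EncodeHtml are names I chose, and the "comment" form field is assumed.

```vbscript
<%
' Added example: allow a fixed set of formatting tags by encoding everything
' first and restoring only exact, attribute-free tags. Names are assumed.

Function EncodeHtml(value)
    ' Server.HTMLEncode is the built-in IIS method; it leaves the single quote alone.
    EncodeHtml = Replace(Server.HTMLEncode(value & ""), "'", "&#39;")
End Function

Function AllowBasicTags(value)
    Dim allowed, tag, s
    allowed = Array("b", "i", "em", "strong")

    ' Step 1: nothing is markup any more.
    s = EncodeHtml(value)

    ' Step 2: restore the opening and closing form of each allowed tag.
    ' The encoded form is matched as a complete literal (e.g. &lt;b&gt;), so a tag
    ' written with any attribute never matches and stays encoded. vbTextCompare
    ' makes the match case-insensitive, so <B> is restored as <b>.
    For Each tag In allowed
        s = Replace(s, "&lt;" & tag & "&gt;", "<" & tag & ">", 1, -1, vbTextCompare)
        s = Replace(s, "&lt;/" & tag & "&gt;", "</" & tag & ">", 1, -1, vbTextCompare)
    Next

    ' <br> has no closing tag; accept the plain and self-closing spellings.
    s = Replace(s, "&lt;br&gt;", "<br>", 1, -1, vbTextCompare)
    s = Replace(s, "&lt;br/&gt;", "<br>", 1, -1, vbTextCompare)
    s = Replace(s, "&lt;br /&gt;", "<br>", 1, -1, vbTextCompare)

    AllowBasicTags = s
End Function
%>
<div class="comment"><%= AllowBasicTags(Request.Form("comment")) %></div>
```

Unbalanced or nested allowed tags can still produce odd formatting, but they cannot introduce a new element, an attribute, or a script block, because every `<` that did not come from one of the literal replacements above is still `&lt;` when it reaches the browser. If the allowed set ever grows to tags that take attributes (links, images), a text-replacement allow-list is no longer enough and a real HTML parser is needed.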