The Nessus Vulnerability Scanner was run against a legacy code website. There's a lot of advice about how to prevent null byte injection attacks with PHP but I cannot find anything about fixing this in classic ASP with VBScript.
Here's the scanner's attack on our public site:
http://www.mortgagedataweb.com/mds/marketshare/ParmsV2.asp?Menu=%00<"kzwezl%20>
I've tried to add validity checking to the QueryString input but my efforts have not worked. Something about the %00 results in masking my attempts to check for proper values. Here are some relevant code snippets:
Function getUserInput(input)
    Dim newString
    If Len(input) = 0 Then
        getUserInput = ""
        Exit Function
    End If
    newString = input 'this was omitted in original post but was in fact in the code
    newString = Replace(newString, Chr(0), "") 'I thought this would fix it !
    newString = Replace(newString, "--", "")
    newString = Replace(newString, ";", "")
    newString = Replace(newString, Chr(34), "'") 'double quote becomes single quote
    newString = Replace(newString, "'", "")       'then all single quotes are removed
    newString = Replace(newString, "=", "=")      'as posted, replaces "=" with itself (no-op)
    newString = Replace(newString, "(", "[")
    newString = Replace(newString, ")", "]")
    newString = Replace(newString, "'", "''")     'no-op here: single quotes were already removed above
    newString = Replace(newString, "<", "[")
    newString = Replace(newString, ">", "]")
    newString = Replace(newString, "/*", "/")
    newString = Replace(newString, "*/", "/")
    getUserInput = newString
End Function

implied_Menu = UCase(getUserInput(Request.QueryString("Menu"))) 'store Menu value for Fast-Path link
Select Case implied_Menu
    Case "FHA_ZP", "C_ZP", "J_ZP", "F_ZP"
        implied_SQLName = MARKETSHAREZip
    Case "P_ALL", "P_MA", "P_ST", "P_ZP", "P_CT", "P_NATION"
        implied_SQLName = PMIMARKETSHARE
    Case "FHA_ALL_D", "FHA_MA_D", "FHA_ST_D", "FHA_CT_D", "FHA_ZP_D", "FHA_NATION_D"
        implied_SQLName = FHAMARKETSHAREDETAILS
    Case ""
        implied_SQLName = MARKETSHARE
    Case Else
        Response.Write("<h2>Invalid Menu parameter</h2>")
        Response.End
End Select
The Menu values that are proper are either empty (Menu= is not in the QueryString) or one of the values in the Select Case logic above.
On my development machine, I can change %00 to %0 and have the error flagged with the Response.Write message then Response.End, but something about the %00 gets past my attempts to check it.
I would suggest handling this with a regular expression:
Function getUserInput(sInput)
    Dim obj_regex
    Set obj_regex = New RegExp
    obj_regex.IgnoreCase = True
    obj_regex.Global = True          'replace every match, not just the first
    obj_regex.Pattern = "\W"         'any character that is not a letter, digit or underscore
    getUserInput = obj_regex.Replace(sInput, "")
    Set obj_regex = Nothing
End Function
Since all your menu entries are only alphanumeric characters and underscore, you can replace every other character.
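A stricter variant, added here as an example and not part of the question or the answer above: instead of stripping unwanted characters and passing what is left on to the Select Case, reject the value unless it matches an anchored allow-list pattern and is one of the known menu keys. The function name IsValidMenu and the 20-character limit are assumptions; the menu keys are the ones from the question's Select Case.

```vbscript
' Added example (not the original poster's code): validate the Menu
' parameter against an allow-list instead of sanitizing it.
Function IsValidMenu(rawInput)
    Dim allowed, i, value, re
    IsValidMenu = False
    value = UCase(Trim("" & rawInput))   ' "" & x guards against Null/Empty

    ' Empty value is the page's documented default (Menu= absent from the QueryString)
    If Len(value) = 0 Then
        IsValidMenu = True
        Exit Function
    End If

    ' Reject anything other than A-Z, 0-9 and underscore before comparing.
    ' Test() on an anchored pattern fails for Chr(0), quotes, angle brackets etc.,
    ' so nothing is "cleaned" and silently accepted.
    Set re = New RegExp
    re.Pattern = "^[A-Z0-9_]{1,20}$"     ' length limit of 20 is an assumption
    If Not re.Test(value) Then Exit Function

    ' Belt and braces: the value must also be one of the known menu keys.
    allowed = Array("FHA_ZP", "C_ZP", "J_ZP", "F_ZP", _
                    "P_ALL", "P_MA", "P_ST", "P_ZP", "P_CT", "P_NATION", _
                    "FHA_ALL_D", "FHA_MA_D", "FHA_ST_D", "FHA_CT_D", "FHA_ZP_D", "FHA_NATION_D")
    For i = 0 To UBound(allowed)
        If value = allowed(i) Then
            IsValidMenu = True
            Exit Function
        End If
    Next
End Function

' Usage at the top of the page: check the raw QueryString value and stop early.
implied_Menu = UCase(Request.QueryString("Menu"))
If Not IsValidMenu(implied_Menu) Then
    Response.Status = "400 Bad Request"
    Response.Write("<h2>Invalid Menu parameter</h2>")
    Response.End
End If
```

Because the check returns False for anything it does not recognise, a probe such as the scanner's %00<"kzwezl > is refused outright rather than being reduced to a string that then has to be matched in the Select Case.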