IIS Vulnerabilities

Nanda

Hi,
Can someone please provide me with tips on securing the ASP application from the
following vulnerabilities?
· Cross Site Scripting (XSS) Findings
· Cross Site Tracing - Trace Method Enabled
· HTTP Header CRLF Injection (HTTP Response Splitting)

I know that these can be handled at the code level, but since the
application I am working on is a huge and old one, it would be difficult to
start fixing these vulnerabilities at the code level. Can anyone suggest
something like "ValidateRequest", or handling the user Request object in
Global.asax, just like in the DotNet world?

Thanks in advance
 
Bob Barrows [MVP]

Nanda said:
Hi,
Can someone please provide me with tips on securing the ASP application from
the following vulnerabilities?
· Cross Site Scripting (XSS) Findings
· Cross Site Tracing - Trace Method Enabled
· HTTP Header CRLF Injection (HTTP Response Splitting)

I know that these can be handled on the code level, but since the
application I am working on is a huge and old one, it would be
difficult to start fixing these vulnerabilities at code level. Can
anyone suggest me something like the "ValidateRequest" or handling
user Request object at Global.asax just like in the DotNet world?

There is nothing like that in classic ASP. You will need to attack these
things at the code level. Do a Google search on these terms and start
reading.
 
Nanda

Hi Bob,

Thanks a lot for the reply. However, as I said, the application is huge and
there are many applications that have been running for years. If I
start modifying the code at this point in time it will surely make things
worse. Does installing the IIS Lockdown Tool and URLScan help me in
doing this job?

Thanks,
Nanda
 
Bob Barrows [MVP]

Sorry, no, AFAIK, those tools fix other things*. There is no magic bullet.

I'm not so sure things will be made "worse". Many of the coding practices
that make sites vulnerable to these exploits are programming shortcuts that,
while they do help get sites up and running quicker, actually lead to less
efficient, less robust applications.

I believe you're just going to have to bite the bullet on this one.

*I may be wrong about this, so you should get the opinions of the experts
over at .inetserver.iis. If I am wrong, don't be shy about letting me know.
I don't want to be giving bad advice.

Bob Barrows
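One way to start the code-level fix Bob describes, as an added example that is not code from the thread: a classic ASP page in VBScript that HTML-encodes untrusted output (the XSS findings) and strips CR/LF from anything written into a response header (the CRLF injection / response splitting finding). The helper names, the `name` and `returnUrl` query parameters and the `/default.asp` fallback are assumptions made for the example.

```vbscript
<%@ Language=VBScript %>
<%
Option Explicit
' Added example, not code from the thread. In a real application the three
' helpers below would live in one file pulled into every page with
' <!-- #include file="safe.inc" -->. That is the closest classic ASP gets to
' the single-place fix asked about above: the logic is written once, but each
' page still has to call the helper at every output point.

' XSS: HTML-encode untrusted text before writing it into the page.
' Server.HTMLEncode turns < > & and " into entities, so a submitted value such
' as <script>alert(1)</script> is displayed as text instead of being executed.
' It does not encode the single quote, so put encoded values only in
' double-quoted attributes or in element content.
Function SafeHTML(value)
    SafeHTML = Server.HTMLEncode(value & "")
End Function

' Response splitting: strip CR and LF from anything that goes into a response
' header (Response.Redirect, Response.AddHeader, Response.Cookies). A CR/LF
' pair inside a header value is what lets an attacker end the header and
' append headers, or a second response body, of their own.
Function SafeHeader(value)
    Dim s
    s = Replace(value & "", vbCr, "")
    s = Replace(s, vbLf, "")
    SafeHeader = s
End Function

' Redirect targets get one more rule: they must be a relative path on this
' site. That closes the open-redirect case as well as header injection.
' (VBScript "Or" does not short-circuit; every test here is safe on "".)
Function SafeRedirectTarget(value, defaultPath)
    Dim s
    s = SafeHeader(value)
    If Len(s) = 0 Or Left(s, 1) <> "/" Or Left(s, 2) = "//" Then
        SafeRedirectTarget = defaultPath
    Else
        SafeRedirectTarget = s
    End If
End Function

' Before (vulnerable): both lines pass request data straight through.
'   Response.Redirect Request.QueryString("returnUrl")
'   Response.Write "Hello " & Request.QueryString("name")
' After:
If Request.QueryString("returnUrl") <> "" Then
    Response.Redirect SafeRedirectTarget(Request.QueryString("returnUrl"), "/default.asp")
End If
%>
<html><body>
<p>Hello <%= SafeHTML(Request.QueryString("name")) %></p>
</body></html>
```

The practical way to apply this to a large old code base is to search the source for `Response.Write`, `<%=`, `Response.Redirect`, `Response.AddHeader` and `Response.Cookies` and wrap each one whose value can come from `Request`; the search is mechanical, the decision of which values are untrusted is the part that needs a reader. The third finding in the list, TRACE being enabled, is a different kind of problem: it is the web server answering the TRACE verb, not anything the ASP code does. On IIS 5 and 6 that is handled in URLScan.ini by setting `UseAllowVerbs=1` under `[Options]` and listing only the verbs the site needs (for most ASP sites `GET`, `HEAD` and `POST`) under `[AllowVerbs]`, so TRACE is rejected before it reaches the application.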
 