IIS Vulnerabilities

Discussion in 'ASP General' started by Nanda, Dec 1, 2005.

  1. Nanda

    Nanda Guest

    Hi,
    Can someone please provide me tips on securing the ASP application from the
    below vulnerabilities?
    · Cross Site Scripting (XSS) Findings
    · Cross Site Tracing - Trace Method Enabled
    · HTTP Header CRLF Injection (HTTP Response Splitting)

    I know that these can be handled on the code level, but since the
    application I am working on is a huge and old one, it would be difficult to
    start fixing these vulnerabilities at code level. Can anyone suggest me
    something like the "ValidateRequest" or handling user Request object at
    Global.asax just like in the DotNet world?

    Thanks in advance
     
    Nanda, Dec 1, 2005
    #1

  2. Nanda wrote:
    > Hi,
    > Can someone please provide me tips on securing the ASP application from
    > the below vulnerabilities?
    > · Cross Site Scripting (XSS) Findings
    > · Cross Site Tracing - Trace Method Enabled
    > · HTTP Header CRLF Injection (HTTP Response Splitting)
    >
    > I know that these can be handled on the code level, but since the
    > application I am working on is a huge and old one, it would be
    > difficult to start fixing these vulnerabilities at code level. Can
    > anyone suggest me something like the "ValidateRequest" or handling
    > user Request object at Global.asax just like in the DotNet world?
    >

    There is nothing like that in classic ASP. You will need to attack these
    things at the code level. Do a Google search on these terms and start
    reading.

    --
    Microsoft MVP - ASP/ASP.NET
    Please reply to the newsgroup. This email account is my spam trap so I
    don't check it very often. If you must reply off-line, then remove the
    "NO SPAM"
     
    Bob Barrows [MVP], Dec 1, 2005
    #2

  3. Nanda

    Nanda Guest

    Hi Bob,

    Thanks a lot for the reply. However, as I said the application is huge and
    there are many applications that have been running for years together. If I
    start modifying the code at this point of time it will surely make things
    worse. Does the installation of IIS Lockdown Tool and URL Scan help me in
    doing this job?

    Thanks,
    Nanda

    "Bob Barrows [MVP]" wrote:

    > Nanda wrote:
    > > Hi,
    > > Can someone please provide me tips on securing the ASP application from
    > > the below vulnerabilities?
    > > · Cross Site Scripting (XSS) Findings
    > > · Cross Site Tracing - Trace Method Enabled
    > > · HTTP Header CRLF Injection (HTTP Response Splitting)
    > >
    > > I know that these can be handled on the code level, but since the
    > > application I am working on is a huge and old one, it would be
    > > difficult to start fixing these vulnerabilities at code level. Can
    > > anyone suggest me something like the "ValidateRequest" or handling
    > > user Request object at Global.asax just like in the DotNet world?
    > >

    > There is nothing like that in classic ASP. You will need to attack these
    > things at the code level. Do a Google search on these terms and start
    > reading.
    >
    > --
    > Microsoft MVP - ASP/ASP.NET
    > Please reply to the newsgroup. This email account is my spam trap so I
    > don't check it very often. If you must reply off-line, then remove the
    > "NO SPAM"
    >
    >
    >
     
    Nanda, Dec 2, 2005
    #3
  4. Sorry, no, AFAIK, those tools fix other things*. There is no magic bullet.

    I'm not so sure things will be made "worse". Many of the coding practices
    that make sites vulnerable to these exploits are programming shortcuts that,
    while they do help get sites up and running quicker, actually lead to less
    efficient, less robust applications.

    I believe you're just going to have to bite the bullet on this one.

    *I may be wrong about this, so you should get the opinions of the experts
    over at .inetserver.iis. If I am wrong, don't be shy about letting me know.
    I don't want to be giving bad advice.

    Bob Barrows

    Nanda wrote:
    > Hi Bob,
    >
    > Thanks a lot for the reply. However, as I said the application is
    > huge and there are many applications that have been running for
    > years together. If I start modifying the code at this point of time
    > it will surely make things worse. Does the installation of IIS
    > Lockdown Tool and URL Scan help me in doing this job?
    >
    > Thanks,
    > Nanda
    >
    > "Bob Barrows [MVP]" wrote:
    >
    >> Nanda wrote:
    >>> Hi,
    >>> Can someone please provide me tips on securing the ASP application from
    >>> the below vulnerabilities?
    >>> · Cross Site Scripting (XSS) Findings
    >>> · Cross Site Tracing - Trace Method Enabled
    >>> · HTTP Header CRLF Injection (HTTP Response Splitting)
    >>>
    >>> I know that these can be handled on the code level, but since the
    >>> application I am working on is a huge and old one, it would be
    >>> difficult to start fixing these vulnerabilities at code level. Can
    >>> anyone suggest me something like the "ValidateRequest" or handling
    >>> user Request object at Global.asax just like in the DotNet world?
    >>>

    >> There is nothing like that in classic ASP. You will need to attack
    >> these things at the code level. Do a Google search on these terms
    >> and start reading.
    >>
    >> --
    >> Microsoft MVP - ASP/ASP.NET
    >> Please reply to the newsgroup. This email account is my spam trap so
    >> I don't check it very often. If you must reply off-line, then remove
    >> the "NO SPAM"


    --
    Microsoft MVP -- ASP/ASP.NET
    Please reply to the newsgroup. The email account listed in my From
    header is my spam trap, so I don't check it very often. You will get a
    quicker response by posting to the newsgroup.
     
    Bob Barrows [MVP], Dec 2, 2005
    #4
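
Added example, not part of the thread or any poster's code: a classic ASP (VBScript) page showing what handling two of the findings at the code level can look like, with output encoding for the XSS finding and CR/LF removal for the header-injection finding. The helper names `SafeHtml` and `SafeHeaderValue`, the query parameters and the `X-Preferred-Lang` header are assumptions for illustration; the TRACE finding concerns which HTTP verbs the server accepts, not script code, so it is not shown.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit

' Hypothetical helper (name is an assumption): HTML-encode untrusted text
' before it is written into element content or a double-quoted attribute.
' Server.HTMLEncode does not encode single quotes, so attributes that
' carry this value must use double quotes.
Function SafeHtml(ByVal value)
    ' value & "" turns Null or Empty into an empty string
    SafeHtml = Server.HTMLEncode(CStr(value & ""))
End Function

' Hypothetical helper (name is an assumption): strip CR and LF so the value
' cannot end the current header line and begin a new header or response.
Function SafeHeaderValue(ByVal value)
    Dim cleaned
    cleaned = CStr(value & "")
    cleaned = Replace(cleaned, vbCr, "")
    cleaned = Replace(cleaned, vbLf, "")
    SafeHeaderValue = cleaned
End Function

Dim userName, lang
userName = Request.QueryString("name")   ' constructed sample parameter
lang = Request.QueryString("lang")       ' constructed sample parameter

' Headers are written before any body output.
Response.AddHeader "X-Preferred-Lang", SafeHeaderValue(lang)
%>
<html>
<body>
<p>Hello, <%= SafeHtml(userName) %></p>
<input type="text" name="name" value="<%= SafeHtml(userName) %>">
</body>
</html>
```

Placing the two functions in a shared include file lets existing pages adopt them one output statement at a time.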
