IIS Vulnerabilities
Hi,
Can someone please provide me tips on securing the ASP application from the below vulnerabilities?

· Cross Site Scripting (XSS) Findings
· Cross Site Tracing - Trace Method Enabled
· HTTP Header CRLF Injection (HTTP Response Splitting)

I know that these can be handled on the code level, but since the application I am working on is a huge and old one, it would be difficult to start fixing these vulnerabilities at code level. Can anyone suggest me something like the "ValidateRequest" or handling user Request object at Global.asax just like in the DotNet world?

Thanks in advance
Re: IIS Vulnerabilities
Nanda wrote:
> Hi,
> Can someone please provide me tips on securing the ASP application from
> the below vulnerabilities?
> · Cross Site Scripting (XSS) Findings
> · Cross Site Tracing - Trace Method Enabled
> · HTTP Header CRLF Injection (HTTP Response Splitting)
>
> I know that these can be handled on the code level, but since the
> application I am working on is a huge and old one, it would be
> difficult to start fixing these vulnerabilities at code level. Can
> anyone suggest me something like the "ValidateRequest" or handling
> user Request object at Global.asax just like in the DotNet world?

There is nothing like that in classic ASP. You will need to attack these things at the code level. Do a Google search on these terms and start reading.

--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I don't check it very often. If you must reply off-line, then remove the "NO SPAM"
Re: IIS Vulnerabilities
Hi Bob,
Thanks a lot for the reply. However, as I said the application is huge and there are many applications that have been running from years together. If I start modifying the code at this point of time it will surely make things worse. Does the installation of IIS Lockdown Tool and URL Scan help me in doing this job?

Thanks,
Nanda

"Bob Barrows [MVP]" wrote:

> Nanda wrote:
> > Hi,
> > Can someone please provide me tips on securing the ASP application from
> > the below vulnerabilities?
> > · Cross Site Scripting (XSS) Findings
> > · Cross Site Tracing - Trace Method Enabled
> > · HTTP Header CRLF Injection (HTTP Response Splitting)
> >
> > I know that these can be handled on the code level, but since the
> > application I am working on is a huge and old one, it would be
> > difficult to start fixing these vulnerabilities at code level. Can
> > anyone suggest me something like the "ValidateRequest" or handling
> > user Request object at Global.asax just like in the DotNet world?
> >
> There is nothing like that in classic asp. You will need to attack these
> things at the code level. Do a google search on these terms and start
> reading.
>
> --
> Microsoft MVP - ASP/ASP.NET
> Please reply to the newsgroup. This email account is my spam trap so I
> don't check it very often. If you must reply off-line, then remove the
> "NO SPAM"
Re: IIS Vulnerabilities
Sorry, no, AFAIK, those tools fix other things*. There is no magic bullet.
I'm not so sure things will be made "worse". Many of the coding practices that make sites vulnerable to these exploits are programming shortcuts that, while they do help get sites up and running quicker, actually lead to less efficient, less robust applications. I believe you're just going to have to bite the bullet on this one.

*I may be wrong about this, so you should get the opinions of the experts over at .inetserver.iis. If I am wrong, don't be shy about letting me know. I don't want to be giving bad advice.

Bob Barrows

Nanda wrote:

> Hi Bob,
>
> Thanks a lot for the reply. However, as I said the application is
> huge and there are many applications that have been running from
> years together. If I start modifying the code at this point of time
> it will surely make things worse. Does the installation of IIS
> Lockdown Tool and URL Scan help me in doing this job?
>
> Thanks,
> Nanda
>
> "Bob Barrows [MVP]" wrote:
>
>> Nanda wrote:
>>> Hi,
>>> Can someone please provide me tips on securing the ASP application from
>>> the below vulnerabilities?
>>> · Cross Site Scripting (XSS) Findings
>>> · Cross Site Tracing - Trace Method Enabled
>>> · HTTP Header CRLF Injection (HTTP Response Splitting)
>>>
>>> I know that these can be handled on the code level, but since the
>>> application I am working on is a huge and old one, it would be
>>> difficult to start fixing these vulnerabilities at code level. Can
>>> anyone suggest me something like the "ValidateRequest" or handling
>>> user Request object at Global.asax just like in the DotNet world?
>>>
>> There is nothing like that in classic asp. You will need to attack
>> these things at the code level. Do a google search on these terms
>> and start reading.
>>
>> --
>> Microsoft MVP - ASP/ASP.NET
>> Please reply to the newsgroup. This email account is my spam trap so
>> I don't check it very often. If you must reply off-line, then remove
>> the "NO SPAM"

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From header is my spam trap, so I don't check it very often. You will get a quicker response by posting to the newsgroup.
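
What the code-level fix discussed in this thread can look like in classic ASP, as an added example that is not part of any post above: a hypothetical shared include (`safeout.asp`; the helper names `H` and `StripCrLf` and the parameter names are assumptions) that wraps the built-in `Server.HTMLEncode` for output and strips CR/LF from values before they reach a response header.

```vbscript
<%
' safeout.asp: hypothetical shared include (added example, not from the thread).
' Pull it into each page with a server-side #include directive.

' XSS: encode a value before writing it into HTML text or a quoted attribute.
' Server.HTMLEncode covers < > & and the double quote; the apostrophe is
' encoded here as well so single-quoted attributes are covered too.
Function H(ByVal value)
    ' value & "" turns Null/Empty into "" so HTMLEncode never sees Null.
    H = Replace(Server.HTMLEncode(value & ""), "'", "&#39;")
End Function

' Response splitting: drop CR and LF so a value cannot end the current
' header line and start a new one.
Function StripCrLf(ByVal value)
    Dim s
    s = value & ""
    s = Replace(s, vbCr, "")
    s = Replace(s, vbLf, "")
    StripCrLf = s
End Function

' ---- Usage in a page (parameter names are constructed for illustration) ----

' Before: Response.AddHeader "X-Lang", Request.QueryString("lang")
Response.AddHeader "X-Lang", StripCrLf(Request.QueryString("lang"))

' Before: Response.Write "Hello " & Request.QueryString("name")
Response.Write "Hello " & H(Request.QueryString("name"))
%>
```

The TRACE finding is a server configuration matter, so page code like this does not address it.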