HOWTO: Review ASP Code for CSSI Vulnerability

ID: Q253119


The information in this article applies to:
  • Dynamically Generated HTML Pages


SUMMARY

The following article discusses how to identify and correct ASP applications that are susceptible to CSSI (Cross-Site Scripting Security Issues). Your application is vulnerable only where input is written back to a page without being correctly validated or encoded.


MORE INFORMATION

The following steps help you identify and correct ASP applications susceptible to CSSI:

  1. Look for ASP code that generates HTML to be displayed. ASP writes HTML to the output in two ways:
     1. Response.Write
     2. <% = ... %>

  2. Determine whether the HTML output includes input parameters. These parameters can come from a variety of sources. The following list includes common input sources:

    Input Source                        Sample of ASP code access method
    ----------------------------------  --------------------------------------------------------
    Request.Form collection             Response.Write Request.Form("username")

    Request.QueryString collection      <%=Request.QueryString("username")%>

                                        Response.Write Request.QueryString("username")

                                        <a href="http://mysite/showuser.asp?username=<% =
                                        Request.QueryString("username") %>">mypage</a>

                                        <a href="http://mysite/mypage.asp"><%=Request.QueryString("url")%></a>

    Request object                      Response.Write Request("username")

    Databases / data access methods     Do While Not rst.EOF
                                            Response.Write rst("myfield") & "<br>"
                                            rst.MoveNext
                                        Loop

    Cookies collection                  Response.Write Request.Cookies("username")

    Session and Application variables   Response.Write Session("username")
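As an added review aid for steps 1 and 2 (not code from the KB article), the following JavaScript flags output statements whose argument comes from one of the input sources in the table above and is not wrapped in Server.HTMLEncode or Server.URLEncode. The ASP lines it scans are constructed for the example, and the regular expressions are a first-pass heuristic that does not track input copied into a variable on an earlier line.

```javascript
// Added example, not part of the KB article: a first-pass scanner for
// Response.Write / <%= statements that emit raw input (steps 1 and 2).

// Input sources from the table above: Request collections, Session,
// Application, and recordset fields (rst(...)).
var INPUT_SOURCE =
  /\b(Request(\.(Form|QueryString|Cookies|ServerVariables))?|Session|Application)\s*\(|\brst\s*\(/i;
// The two ways ASP writes HTML to the output.
var OUTPUT_STMT = /Response\.Write\b|<%\s*=/i;
// Output that already passes through one of the Server encoders.
var ENCODED = /Server\.(HTMLEncode|URLEncode)\s*\(/i;

// Returns [{ line, text }] for each line that writes an input source
// without encoding it. Line-based, so input copied into a variable on an
// earlier line is not tracked; treat hits as review leads, not a full audit.
function findUnencodedOutput(aspSource) {
  var findings = [];
  var lines = aspSource.split(/\r?\n/);
  for (var i = 0; i < lines.length; i++) {
    var text = lines[i];
    if (OUTPUT_STMT.test(text) && INPUT_SOURCE.test(text) && !ENCODED.test(text)) {
      findings.push({ line: i + 1, text: text.trim() });
    }
  }
  return findings;
}

// Constructed ASP fragment covering each row of the table above.
var SAMPLE_ASP = [
  '<%= Request.QueryString("username") %>',                               // raw
  '<% Response.Write Server.HTMLEncode(Request.Form("username")) %>',     // encoded
  '<% Response.Write Session("username") %>',                             // raw
  '<% Response.Write "static text" %>',                                   // no input
  '<% Response.Write rst("myfield") & "<br>" %>',                         // raw
  '<a href="showuser.asp?u=<%= Server.URLEncode(Request("u")) %>">me</a>' // encoded
].join("\n");

// Line numbers a reviewer should open first: [1, 3, 5] for SAMPLE_ASP.
function suspectLines(src) {
  return findUnencodedOutput(src).map(function (f) { return f.line; });
}

suspectLines(SAMPLE_ASP).forEach(function (n) { console.log("review line " + n); });
```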


  3. When you find ASP code that generates HTML from some input, evaluate solutions for your specific application. The solutions below present general concepts to help you begin preventing CSSI.

    Note that when filtering or encoding, you need to specify a character set for your Web pages so that your filter checks for the appropriate special characters. The data inserted into your Web pages should be filtered for the byte sequences that are considered special in that character set. A popular charset is ISO 8859-1, which was the default in early versions of HTML and HTTP. Take localization issues into account when changing these parameters.

    • Use HTMLEncode to encode input parameters when generating display.
      In general, most CSSI attacks can be prevented simply by using HTMLEncode on input parameters. HTMLEncode works by replacing characters that have special meaning in HTML with the HTML entities that represent those characters (for example, & becomes &amp; and " becomes &quot;). Note that only the data needs to be encoded, not the full strings.

      <%
            // JScript: only the user-supplied name is encoded; the surrounding markup is written as-is
            Response.Write("Hello visitor <I>" +
               Server.HTMLEncode(Request.Form("UserName")) +
               "</I>");
      %>


    • HTTP_REFERER can be used to limit the domain from which requests can be submitted.
      HTTP_REFERER is a server variable that holds the URL of the page from which the request originated (for example, the page that contained the form or link). A Web server can check the referrer field when it receives a filled-in form and reject the submission if it did not come from the expected page. You can check HTTP_REFERER in the following way:

         <%
         ' The expected URL is 42 characters long, hence Left(..., 42)
         If (Request.ServerVariables("HTTP_REFERER") = "") Or _
            (Left(Request.ServerVariables("HTTP_REFERER"), 42) <> _
            "http://www.myserver.com/AppDir/mainfrm.asp") Then
            Response.Redirect "http://www.myserver.com/AppDir/mainfrm.asp"
         End If
         %>

      NOTE: The referrer field has some limitations:
      1. You risk blocking legitimate form submissions.
      2. The link may come from an e-mail or bookmark that does not have a URL.
      3. Browsers may deliberately clear the referrer field, such as during an HTTPS request.
      4. The field is supplied by the client and may be absent or carry any value, so treat this check as a convenience rather than a security boundary and use it alongside encoding, not instead of it.

    • Use URLEncode to encode URLs received as input parameters.
      The URLEncode method applies URL encoding rules, including escape characters, to a specified string. You should encode incoming URLs before displaying them. Here is a sample for URLEncode (JScript):

      <%
            // The base URL is a string literal; the user-supplied search term is
            // URL-encoded before it is appended to the query string.
            var BaseURL = "http://www.mysite.com/search2.asp?searchagain=";
            Response.Write("<a href=\"" + BaseURL +
               Server.URLEncode(Request.QueryString("SearchString")) +
               "\">click-me</a>");
      %>
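As an added illustration of the HTMLEncode and URLEncode samples above (not code from the KB article), the following JavaScript renders the same greeting and search link using htmlEncode and urlEncode helpers written here to mimic what Server.HTMLEncode and Server.URLEncode do; that equivalence, and ASCII-only input for urlEncode, are assumptions.

```javascript
// Added example, not part of the KB article: the two encoding samples above
// rendered with JavaScript helpers that mimic Server.HTMLEncode and
// Server.URLEncode (assumed behaviour; ASCII input assumed for urlEncode).

// HTMLEncode: & < > " become entities, characters above 0x7E become &#nnn;.
function htmlEncode(s) {
  return String(s).replace(/[&<>"]|[^\x00-\x7e]/g, function (ch) {
    switch (ch) {
      case "&": return "&amp;";
      case "<": return "&lt;";
      case ">": return "&gt;";
      case '"': return "&quot;";
      default:  return "&#" + ch.charCodeAt(0) + ";";
    }
  });
}

// URLEncode: letters and digits pass, space becomes "+", everything else
// becomes %XX. Encoding the quote and angle brackets is what keeps the
// value inside the href attribute it is placed in.
function urlEncode(s) {
  var out = "";
  for (var i = 0; i < s.length; i++) {
    var ch = s.charAt(i);
    if (/[A-Za-z0-9]/.test(ch)) out += ch;
    else if (ch === " ") out += "+";
    else out += "%" + ("0" + ch.charCodeAt(0).toString(16).toUpperCase()).slice(-2);
  }
  return out;
}

// The HTMLEncode sample: only the data is encoded, not the markup around it.
function greeting(userName) {
  return "Hello visitor <I>" + htmlEncode(userName) + "</I>";
}

// The URLEncode sample: the search term is a URL parameter inside href.
var BaseURL = "http://www.mysite.com/search2.asp?searchagain=";
function searchLink(searchString) {
  return '<a href="' + BaseURL + urlEncode(searchString) + '">click-me</a>';
}

// Constructed inputs containing the characters the article lists as special.
console.log(greeting('<b>Bob</b> & "Co"'));
console.log(searchLink('x"><y'));
```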


    • Strip or modify special characters from input parameters.
      Special characters include the following:

      < > " ' % ; ) ( & +

      You can strip or modify characters when you read them in or when you display them to the browser, depending on your application.

      This sample uses JavaScript to filter special characters:

      // Removes each character in the list above from strTemp. This sample
      // also strips the hyphen (-), which the list above does not mention.
      function RemoveBad(strTemp) {
         strTemp = strTemp.replace(/</g, "");
         strTemp = strTemp.replace(/>/g, "");
         strTemp = strTemp.replace(/"/g, "");
         strTemp = strTemp.replace(/'/g, "");
         strTemp = strTemp.replace(/%/g, "");
         strTemp = strTemp.replace(/;/g, "");
         strTemp = strTemp.replace(/\(/g, "");
         strTemp = strTemp.replace(/\)/g, "");
         strTemp = strTemp.replace(/&/g, "");
         strTemp = strTemp.replace(/\+/g, "");
         strTemp = strTemp.replace(/-/g, "");
         return strTemp;
      }


      This sample uses Visual Basic Script version 5.0 regular expressions to filter special characters:

      ' Returns True when QueryString contains a pattern that looks like markup or script
      Function ValidateTags(QueryString)
          Dim o
          Set o = CreateObject("VBScript.RegExp")   ' requires VBScript 5.0

          Dim sBad
          sBad = "(<\s*(script|object|applet|embed|form)\s*>)"  ' <script>, <object>, ... (no attributes)
          sBad = sBad & "|" & "(<.*>)"       ' anything between < and >; warning: also matches hyperlinks
          sBad = sBad & "|" & "(&.{1,5};)"   ' &xxxx; entities
          sBad = sBad & "|" & "eval\s*\("    ' eval (
          sBad = sBad & "|" & "(event\s*=)"  ' event =

          ' Now check for encoded forms: URL-encoded (%3C, %3E) and entity-encoded (&lt;, &gt;) brackets
          sBad = Replace(sBad, "<", "(<|%3C|&lt;)")
          sBad = Replace(sBad, ">", "(>|%3E|&gt;)")

          o.IgnoreCase = True   ' ignore case of string
          o.Global = False      ' stop on first hit
          o.Pattern = sBad

          ValidateTags = o.Test(QueryString)

          Set o = Nothing
      End Function





REFERENCES

The third-party contact information included in this article is provided to help you find the technical support you need. This contact information is subject to change without notice. Microsoft in no way guarantees the accuracy of this third-party contact information.

For more information, see the following advisory from the Computer Emergency Response Team (CERT) at Carnegie Mellon University:

http://www.cert.org/advisories/CA-2000-02.html
Please see the following Knowledge Base articles for further information:
Q252985 HOWTO: Prevent Cross-Site Scripting Security Issues For Web Applications
Q253121 HOWTO: Review MTS/ASP Code for CSSI Vulnerability
Q253120 HOWTO: Review Visual InterDev Generated Code for CSSI Vulnerability
Q253117 HOWTO: Prevent Internet Explorer and Outlook Express CSSI Vulnerability

Keywords : kbGrpASP kbDSupport kbCSSI
Issue type : kbhowto


Last Reviewed: February 2, 2000
© 2000 Microsoft Corporation. All rights reserved.