Classic ASP Design Mistakes

Overview
Several issues inherent to classic ASP pages can lead to security problems; most of them are beginner mistakes or confusing code. The following examples will give you a good idea of what I am talking about :). All of these examples are based on my experience with ASP testing.
 * Author: Juan Carlos Calderon

ASP Pages Execution Order Issues
First of all, I want to explain the processing levels of ASP pages. ASP pages are executed in the following order:


 * 1) Server Side Includes. First, the interpreter adds the text of every file named in an include statement to the current file and processes the result as if it were a single file.
 * 2) Server Side VBScript Code. Second, the VBScript code between <% and %> is executed.
 * 3) Client Side JavaScript/VBScript Code. Finally, once the page is completely loaded in the browser, the JavaScript code is executed.

This might be obvious; however, ignoring these three simple bullets can lead to severe security issues. Here are some examples.

Wrong dynamic inclusion of files.
 <% If User = "Admin" Then %> <% Else %> <% End If %>

The previous code will add the content of both files to the ASP page execution, because SSIs are processed before ASP code. The page may well be displayed correctly thanks to the "If" statement; however, all the code will be processed, and this might lead to race conditions or undesired execution of functions.

HTML and JavaScript comments do not skip execution of ASP code
 var x = 'Hello, '; //<%= "Debug: This is the DB password: " & DBUserPassword %>
 alert (x + "Juan");

If you are proficient in ASP technology, the result of the previous code will be clear to you; however, many developers cannot tell what the final output is:

 var x = 'Hello, '; //Debug: This is the DB password: Password
 alert (x + "Juan");

That means that sensitive information is disclosed in HTML or JavaScript comments.
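A review heuristic for the two mistakes above (include directives placed inside a server-side If, and ASP blocks left inside HTML or JavaScript comments), as an added example that is not part of the original page. The sample page, its file names and the rule names are constructed for illustration.

```python
import re

# Constructed sample page; file and variable names are illustrative assumptions.
SAMPLE = '''<% If User = "Admin" Then %>
<!--#include file="admin_menu.inc"-->
<% Else %>
<!--#include file="user_menu.inc"-->
<% End If %>
<script>
var x = 'Hello, '; //<%= "Debug: " & DBUserPassword %>
</script>
<!-- old banner: <%= Session("UserName") %> -->
<p>Welcome, <%= Server.HTMLEncode(UserName) %></p>
'''

# Include directives and ASP blocks, in document order.
TOKEN = re.compile(r'(?P<inc><!--\s*#include\b.*?-->)|(?P<asp><%.*?%>)', re.I | re.S)
# Client-side comments; neither stops the server from running ASP inside them.
COMMENTS = (
    ('asp-in-html-comment', re.compile(r'<!--(?!\s*#include\b).*?-->', re.I | re.S)),
    ('asp-in-js-comment', re.compile(r'(?<!:)//[^\n]*')),  # (?<!:) skips http:// URLs
)
BLOCK_IF = re.compile(r'\bIf\b.*\bThen\s*$', re.I)  # multi-line If ... Then
END_IF = re.compile(r'\bEnd\s+If\b', re.I)

def line_of(src, pos):
    return src.count('\n', 0, pos) + 1

def review_asp(src):
    """Heuristic review: return sorted (line, rule) findings for an ASP source."""
    findings = []
    # Rule 1: an ASP block that opens inside a client-side comment still executes.
    for rule, pattern in COMMENTS:
        for comment in pattern.finditer(src):
            for asp in re.finditer(r'<%', comment.group()):
                findings.append((line_of(src, comment.start() + asp.start()), rule))
    # Rule 2: an include inside a server-side If is merged before the If is evaluated.
    depth = 0
    for tok in TOKEN.finditer(src):
        if tok.group('inc'):
            if depth > 0:
                findings.append((line_of(src, tok.start()), 'conditional-include'))
            continue
        for stmt in tok.group('asp')[2:-2].splitlines():
            if BLOCK_IF.search(stmt.strip()):
                depth += 1
            elif END_IF.search(stmt):
                depth = max(0, depth - 1)
    return sorted(findings)
```

The checks are pattern-based: they do not parse VBScript comments or single-line If statements, so treat each finding as a pointer for manual review.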

Using Javascript to drive ASP functionality
Yes, this is not possible, but that is another reason to look for it.

 var name;
 name = prompt ("Enter your User:");
 <%
      If name <> "user" Then
          'The user is an admin
          Role = "Admin"
      Else
          Role = "User"
      End If
 %>

The previous code will always give Admin privileges to the logged-in user because, as we saw before, ASP code is executed first. Besides, variables are not shared between JavaScript and ASP code.

Here is another example:

 <%@ Language=VBScript %>
 if (confirm('go to yahoo?')){
 <% response.redirect "http://www.yahoo.com/" %>
 }else {
 <% response.redirect "http://www.altavista.com/" %>
 }

You will always go to Yahoo and will never be shown a prompt.

Stopping execution with Response.End
Lack of this statement might end up in execution of undesired code.

 <%  If Not ValidInfo Then %>
 alert("Information is invalid");
 location.href="default.asp";
 <%  End If
 Call UpdateInformationFunction %>

In the previous example, "UpdateInformationFunction" is always called regardless of the value of the "ValidInfo" variable, because ASP code is executed before JavaScript: the ASP code runs on the server, its output is sent to the browser, and only then is the JavaScript executed. That means a Response.End is required to stop execution on the server side.

Java classes hosted in the MS Java Virtual Machine
These classes can be called from ASP pages, so you should also look for insecure functionality in those classes. This is an example:

 <% Dim date
 Set date = GetObject("java:java.util.Date")
 %>
 The date is <%= date.toString %>

Option Explicit
Mistyped variable names might lead to race conditions in business logic. This option forces the user to declare every variable used; it also adds a bit of performance.

IsClientConnected property
This property determines whether the client has disconnected from the server since the last Response.Write. It is particularly useful for preventing the server from continuing to execute long pages after an unexpected disconnect. As you might have figured out, this is a very useful property for avoiding DoS attacks on the server and DB in pages with long execution times.