Difference between revisions of "Classic ASP Design Mistakes"

From OWASP
Jump to: navigation, search
(ASP Pages Execution Order Issues)
m (Added navigation to facilitate sequential reading online)
 
(11 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 +
{{LinkBar
 +
  | useprev=PrevLink | prev=Leading Java Security Practice | lblprev=
 +
  | usemain=MainLink | main=OWASP Code Review Guide Table of Contents | lblmain=Table of Contents
 +
  | usenext=NextLink | next=Leading PHP Security Practice | lblnext=
 +
}}
 +
__TOC__
 +
 
===Overview===
 
===Overview===
There are several issues inherent to classic ASP pages that may lead to security issues, we are talking about beginner mistakes or coed misuse. The following examples will give you a good idea of what is being discussed. All of these examples are based on common findings through experience of ASP testing.
+
There are several issues inherent to classic ASP pages that may lead to security issues. We are talking about beginner mistakes or code misuse. The following examples will give you a good idea of what is being discussed. All of these examples are based on common findings through experience of ASP testing.
  
 
===ASP Pages Execution Order Issues===
 
===ASP Pages Execution Order Issues===
First of all lets explain the processing levels on ASP pages, ASP pages are executed in the following way:
+
ASP pages are executed in the following way:  
  
# '''Server Side Includes'''. first, the interpreter adds to the current file the text of all the files in include sentences and process it as if ti was a single file.
+
# '''Server Side Includes'''. First, the interpreter adds to the current file the text of all the files in include sentences and process it as if it was a single file.  
# '''Server Side VBSCript Code'''. second, the VBScript in <% and %> code is executed.
+
# '''Server Side VBSCript Code'''. Second, the VBScript in <% and %> code is executed.  
# '''Client Side JAvascript/VBScript Code'''. Finally once the page is completelly loaded in the browser, JavaScript code is executed.
+
# '''Client Side JAvascript/VBScript Code'''. Finally, once the page is completely loaded in the browser, JavaScript code is executed.  
  
This might be obvious, however ignoring this order might lead to severe security issues. Here are some examples
+
This might be obvious, however, ignoring this order might lead to severe security issues. Here are some examples.
  
====Wrong dynamic inclusion of files. ====
+
===Wrong dynamic inclusion of files. ===
 
<pre>
 
<pre>
 
  <%
 
  <%
Line 25: Line 32:
 
  %>
 
  %>
 
</pre>
 
</pre>
The previous code will add the content of both files to the ASP page execution as SSI are executed first than ASP code, it is possible that the page is displayed correctly due to the "If" sentence, however all the code will be processed, this might lead to race condition or undesired execution of functions.
+
 
 +
The previous code will add the content of both files to the ASP page; execution as SSI are executed first, then ASP code. It is possible that the page is displayed correctly due to the "If" sentence, however, all the code will be processed; this might lead to race conditions or undesired execution of functions.  
 
 
====HTML and JavaScript comments do not skip execution of ASP code====
+
===HTML and JavaScript comments do not skip execution of ASP code===
 
<pre>
 
<pre>
 
  <!-- <%= "Debug: This is the DB user: " & DBUserName %> -->
 
  <!-- <%= "Debug: This is the DB user: " & DBUserName %> -->
Line 37: Line 45:
 
</pre>
 
</pre>
 
    
 
    
If you are proficient in ASP technology the result of the example above would be clear, however, many developers cannot tell the final output
+
If you are proficient in ASP technology, the result of the example above would be clear, however, many developers cannot tell the final output.
  
 
<pre>
 
<pre>
Line 48: Line 56:
 
</pre>
 
</pre>
  
Above shows that sensitive information the commented out code, is disclosed in HTML or JavaScript comments
+
Above shows that sensitive information in the commented-out code is disclosed in HTML or JavaScript comments.
  
====Using Javascript to drive ASP functionality====  
+
===Using JavaScript to drive ASP functionality===  
Yes, this is not possible, but that is another reason to look for it.
+
Yes, this is not possible, but that is another reason to look for it.  
  
 
<pre>
 
<pre>
Line 68: Line 76:
 
</pre>
 
</pre>
  
The code above shall grant Admin privileges every time to the logged user as, as we saw before, ASP code is executed first. Besides, there is no sharing of variables between JavaScript and ASP code.
+
The code above shall grant Admin privileges every time to the logged user as, as we saw before, ASP code is executed first. Besides, there is no sharing of variables between JavaScript and ASP code.  
  
 
Another example:
 
Another example:
Line 83: Line 91:
 
</pre>
 
</pre>
  
You will always go to Yahoo and will never be displayed with a prompt, code within <% %> is executed first.
+
You will always go to Yahoo and will never be displayed with a prompt; code within <% %> is executed first.
 +
 
 +
===Stopping execution with Response.End===
 +
Lack of this sentence might end up in execution of undesired code.  
  
====Stopping execution with Response.End====
 
Lack of this sentence might end up in execution of undesired code.
 
 
<pre>
 
<pre>
 
  <%
 
  <%
Line 101: Line 110:
 
</pre>
 
</pre>
  
In example above, the "UpdateInformationFunction" is called all the time regardless of the "ValidInfo" variable value as ASP code is executed first than Javascript, so ASP code is executed in server and the output is sent to Browser, then Javascript is executed. That means that is required a '''Response.End''' to stop execution server side.
+
In example above, the "UpdateInformationFunction" is called all the time regardless of the "ValidInfo" variable value, as ASP code is executed first, then JavaScript. ASP code is executed in server and the output is sent to Browser, then JavaScript is executed. That means that is required a '''Response.End''' to stop execution server side.
  
 
==Other Issues==
 
==Other Issues==
====Java classess hosted in MS Java Virtual Machine====
+
====Java classes hosted in MS Java Virtual Machine====
These classes can be called from ASP pages so you should look also for insecure functionality into those classes. This is an example
+
These classes can be called from ASP pages, so you should look also for insecure functionality within such classes. This is an example:
 +
 
 
<pre>
 
<pre>
 
  <html><body>
 
  <html><body>
Line 115: Line 125:
 
</pre>
 
</pre>
  
====Option Explicit====  
+
====Not Using Option Explicit====  
Mis-typed variables might lead to race conditions on business logic. This option will force the user to declare all the used variables, it will add a bit of performance as well.
+
Mistyped variables might lead to race conditions on business logic. This option will force the user to declare all the used variables, and it will add a bit of performance as well.
  
 
====IsClientConnected property====  
 
====IsClientConnected property====  
This property determines if the client has disconnected from the server since the last '''Response.Write'''. This property is particularly useful to prevent the server from continuing execution of long pages after an unexpected disconnect. As you might figured out this is very useful property to avoid DoS attacks to the Server and DB in long execution pages.
+
This property determines if the client has disconnected from the server since the last '''Response.Write'''. This property is particularly useful to prevent the server from continuing execution of long pages after an unexpected disconnect. As you might figured out, this is very useful property to avoid DoS attacks to the Server and DB in long execution pages.  
 +
 
 +
{{LinkBar
 +
  | useprev=PrevLink | prev=Leading Java Security Practice | lblprev=
 +
  | usemain=MainLink | main=OWASP Code Review Guide Table of Contents | lblmain=Table of Contents
 +
  | usenext=NextLink | next=Leading PHP Security Practice | lblnext=
 +
}}
 +
 
 +
[[Category:OWASP Code Review Project]]

Latest revision as of 11:46, 9 September 2010

«««« Main
(Table of Contents)
»»»»

Contents


Overview

There are several issues inherent to classic ASP pages that may lead to security issues. We are talking about beginner mistakes or code misuse. The following examples will give you a good idea of what is being discussed. All of these examples are based on common findings through experience of ASP testing.

ASP Pages Execution Order Issues

ASP pages are executed in the following way:

  1. Server Side Includes. First, the interpreter adds to the current file the text of all the files in include sentences and process it as if it was a single file.
  2. Server Side VBSCript Code. Second, the VBScript in <% and %> code is executed.
  3. Client Side JAvascript/VBScript Code. Finally, once the page is completely loaded in the browser, JavaScript code is executed.

This might be obvious, however, ignoring this order might lead to severe security issues. Here are some examples.

Wrong dynamic inclusion of files.

 <%
 If User = "Admin" Then
 %>
 <!--#include file="AdminMenu.inc"-->
 <%
 Else
 %>
 <!--#include file="UserMenu.inc"-->
 <%
 End If
 %>

The previous code will add the content of both files to the ASP page; execution as SSI are executed first, then ASP code. It is possible that the page is displayed correctly due to the "If" sentence, however, all the code will be processed; this might lead to race conditions or undesired execution of functions.

HTML and JavaScript comments do not skip execution of ASP code

 <!-- <%= "Debug: This is the DB user: " & DBUserName %> -->
 <script type="Text/JavaScript">
 var x = 'Hello, ';
 //<%= "Debug: This is the DB password: " & DBUserPassword %>
 alert (x + "Juan");
 </script>

If you are proficient in ASP technology, the result of the example above would be clear, however, many developers cannot tell the final output.

 <!-- Debug: This is the DB user: SA -->
 <script type="Text/JavaScript">
 var x = 'Hello, ';
 //Debug: This is the DB password: Password
 alert (x + "Juan");
 </script>

Above shows that sensitive information in the commented-out code is disclosed in HTML or JavaScript comments.

Using JavaScript to drive ASP functionality

Yes, this is not possible, but that is another reason to look for it.

 <script>
   var name;
   name = prompt ("Enter your UserName:");
   <%  
     If name != "user" Then
       'The user is an admin
       Role = "Admin"
      Else
        Role = "User"
      End IF
   %>
 <script>

The code above shall grant Admin privileges every time to the logged user as, as we saw before, ASP code is executed first. Besides, there is no sharing of variables between JavaScript and ASP code.

Another example:

 <%@ Language=VBScript %>
 <script type="text/javascript">
   if (confirm('go to yahoo?')){
     <% response.redirect "http://www.yahoo.com/" %>
   }else {
     <% response.redirect "http://www.altavista.com/" %>
   }
 </script>

You will always go to Yahoo and will never be displayed with a prompt; code within <% %> is executed first.

Stopping execution with Response.End

Lack of this sentence might end up in execution of undesired code.

 <%
   If Not ValidInfo Then
 %>
 <script>
   alert("Information is invalid");
   location.href="default.asp";
 </script>
 <%
   End if	
   Call UpdateInformationFunction()
 %>

In example above, the "UpdateInformationFunction" is called all the time regardless of the "ValidInfo" variable value, as ASP code is executed first, then JavaScript. ASP code is executed in server and the output is sent to Browser, then JavaScript is executed. That means that is required a Response.End to stop execution server side.

Other Issues

Java classes hosted in MS Java Virtual Machine

These classes can be called from ASP pages, so you should look also for insecure functionality within such classes. This is an example:

 <html><body>
 <% Dim date
   Set date = GetObject("java:java.util.Date")
 %>
 <p> The date is <%= date.toString() %>
 </body></html>

Not Using Option Explicit

Mistyped variables might lead to race conditions on business logic. This option will force the user to declare all the used variables, and it will add a bit of performance as well.

IsClientConnected property

This property determines if the client has disconnected from the server since the last Response.Write. This property is particularly useful to prevent the server from continuing execution of long pages after an unexpected disconnect. As you might figured out, this is very useful property to avoid DoS attacks to the Server and DB in long execution pages.


«««« Main
(Table of Contents)
»»»»