Classic ASP Design Mistakes
- 1 Overview
- 2 ASP Pages Execution Order Issues
- 3 Wrong dynamic inclusion of files.
- 6 Stopping execution with Response.End
- 7 Other Issues
There are several issues inherent to classic ASP pages that may lead to security issues. We are talking about beginner mistakes or code misuse. The following examples will give you a good idea of what is being discussed. All of these examples are based on common findings through experience of ASP testing.
ASP Pages Execution Order Issues
First of all let's explain the processing levels on ASP pages. ASP pages are executed in the following way:
- Server Side Includes. First, the interpreter adds to the current file the text of all the files in include sentences and process it as if it was a single file.
- Server Side VBSCript Code. Second, the VBScript in <% and %> code is executed.
This might be obvious, however ignoring this order might lead to severe security issues. Here are some examples.
Wrong dynamic inclusion of files.
<% If User = "Admin" Then %> <!--#include file="AdminMenu.inc"--> <% Else %> <!--#include file="UserMenu.inc"--> <% End If %>
The previous code will add the content of both files to the ASP page; execution as SSI are executed first, then ASP code. It is possible that the page is displayed correctly due to the "If" sentence, however, all the code will be processed; this might lead to race conditions or undesired execution of functions.
If you are proficient in ASP technology, the result of the example above would be clear, however, many developers cannot tell the final output.
Yes, this is not possible, but that is another reason to look for it.
<script> var name; name = prompt ("Enter your UserName:"); <% If name != "user" Then 'The user is an admin Role = "Admin" Else Role = "User" End IF %> <script>
You will always go to Yahoo and will never be displayed with a prompt; code within <% %> is executed first.
Stopping execution with Response.End
Lack of this sentence might end up in execution of undesired code.
<% If Not ValidInfo Then %> <script> alert("Information is invalid"); location.href="default.asp"; </script> <% End if Call UpdateInformationFunction() %>
Java classes hosted in MS Java Virtual Machine
These classes can be called from ASP pages, so you should look also for insecure functionality within such classes. This is an example:
<html><body> <% Dim date Set date = GetObject("java:java.util.Date") %> <p> The date is <%= date.toString() %> </body></html>
Not Using Option Explicit
Mistyped variables might lead to race conditions on business logic. This option will force the user to declare all the used variables, and it will add a bit of performance as well.
This property determines if the client has disconnected from the server since the last Response.Write. This property is particularly useful to prevent the server from continuing execution of long pages after an unexpected disconnect. As you might figured out this is very useful property to avoid DoS attacks to the Server and DB in long execution pages.