Classic ASP Security Project
Project Name: OWASP Classic ASP Security Project
Short Project Description: This project aims to create a secure framework for Classic ASP applications by complementing existing OWASP projects with documentation for this particular technology and the creation of security libraries. More specifically:
Project Key Information: Project Leader Juan Carlos Calderon; Creative Commons Attribution Share Alike 3.0; OWASP SoC 08
Classic ASP 2.0 and 3.0 applications are still largely in use, as this technology is more than 10 years old and was widely adopted. There are thousands of sites in the wild that need guidance in the security arena. This is where OWASP can come in and provide help for “making the Web a better place” and continue spreading the word on security. I have always been passionate about the technology (regardless of its inconveniences, such as being old and DLL-hell prone) and I am really excited by the idea of sharing my knowledge of this area with the world, and what better way than through OWASP.
Create a secure framework for Classic ASP applications by complementing existing OWASP projects with documentation for this particular technology and the creation of security libraries.
Deliverables and Progress
- Done - March 16th, 2009
- Done - Jun 8, 2008
- Done - Jun 12, 2008
- Done - Aug 3rd, 2008
- Done - Aug 7th, 2008
Installing and Using the Software
Stinger 1.0 for Classic ASP is implemented in pure VBScript, so there is no need to install any software other than MSXML (which you usually already have as part of Internet Explorer), since it makes extensive use of XML.
- Unzip StingerASP1.0.zip
- Start creating rule files in the /rules folder, named after your files. For example, you would create a Default.svdl.asprules file for your
- Include the Stinger.asp page in your ASP pages
- Instantiate the Stinger class and call the validate method
I strongly recommend you look at the example default.asp page included in the zip file; it is very self-explanatory. Also, Default.svdl.asp includes examples of how to create rules for input fields.
Notice: if you have complex dynamic pages with a variable number of fields, you can use programmatic rules to handle the different scenarios within a single page. You will see an example of this in the comments in the default.asp sample page.
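The per-page rule file idea above, shown as an added example that is not Stinger's own code and does not use Stinger's rule format: a whitelist validator in pure VBScript that loads a constructed XML rule document through MSXML (the same dependency Stinger relies on), checks every declared field against its pattern, and rejects any parameter the page did not declare. The rule element names, the ValidateFields function and the sample input are all constructed for this illustration. The block runs under cscript.exe; inside an ASP page the dictionary would be filled from Request.Form and the WScript.Echo calls replaced by Response.Write and Response.End.

```vbscript
' Added example (not Stinger's code, not its rule format): a per-page
' whitelist validator in pure VBScript, with rules read from XML via MSXML.
Option Explicit

' Constructed rule document for one page. In a deployment this would live in
' a rules file named after the page. Every expected parameter is declared
' with a whitelist pattern; anything undeclared is rejected.
Dim RULES_XML
RULES_XML = "<rules page=""default.asp"">" & _
    "<field name=""username"" required=""true"" pattern=""^[A-Za-z0-9_]{3,20}$"" />" & _
    "<field name=""comment"" required=""false"" pattern=""^[A-Za-z0-9 .,!?]{0,200}$"" />" & _
    "</rules>"

' Validates a Scripting.Dictionary of field name -> value against rulesXml.
' Returns a Dictionary of field name -> reason; an empty result means valid.
Function ValidateFields(rulesXml, fields)
    Dim doc, node, name, required, pattern, value, re, errors, declared, key
    Set errors = CreateObject("Scripting.Dictionary")
    Set declared = CreateObject("Scripting.Dictionary")

    Set doc = CreateObject("MSXML2.DOMDocument.6.0")
    doc.async = False
    doc.validateOnParse = False
    doc.resolveExternals = False   ' never fetch external entities for a rule file
    If Not doc.loadXML(rulesXml) Then
        ' A broken rule file must not silently disable validation
        errors.Add "_rules", "rule document failed to parse: " & doc.parseError.reason
        Set ValidateFields = errors
        Exit Function
    End If

    Set re = New RegExp
    re.IgnoreCase = False

    For Each node In doc.selectNodes("/rules/field")
        name = node.getAttribute("name")
        required = (LCase("" & node.getAttribute("required")) = "true")
        pattern = node.getAttribute("pattern")
        declared.Add name, True

        ' Read through a local so a missing key is not created in the caller's dictionary
        value = ""
        If fields.Exists(name) Then value = "" & fields(name)

        If Len(value) = 0 Then
            If required Then errors.Add name, "required field missing"
        Else
            re.Pattern = pattern
            If Not re.Test(value) Then errors.Add name, "value does not match whitelist pattern"
        End If
    Next

    ' Fail closed on parameters the page never declared
    For Each key In fields.Keys
        If Not declared.Exists(key) Then errors.Add key, "unexpected parameter"
    Next

    Set ValidateFields = errors
End Function

' Constructed sample input, shaped like what an ASP page collects from Request.Form
Dim sample, result, k
Set sample = CreateObject("Scripting.Dictionary")
sample.Add "username", "alice_01"
sample.Add "comment", "hello <b>world</b>"   ' angle brackets are outside the whitelist
sample.Add "debug", "1"                      ' not declared in the page's rules

Set result = ValidateFields(RULES_XML, sample)
If result.Count = 0 Then
    WScript.Echo "input accepted"
Else
    For Each k In result.Keys
        WScript.Echo "rejected " & k & ": " & result(k)
    Next
End If
```

Two design points carry over to any rule-based validator for this platform: a rule file that fails to parse must be treated as a validation failure rather than as "no rules", and the value lookup goes through a local variable because reading a missing key from a Scripting.Dictionary silently creates it, which would hide the undeclared-parameter check.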
Classic ASP for ESAPI uses a modified version of ESAPI for .NET as a baseline (so you will need .NET 2.0 to run it) for some important operations, such as encryption, that would be hard or impossible to implement in pure VBScript. The steps to get it working are:
- Unzip OWASP_Classic_ASP_ESAPI.zip
- Open the Owasp.Esapi.csproj project with Visual Studio 2005 or later and compile it (notice that you will be asked for a password; that password is in the OWASP_Key_Pass.txt text file in the main folder. Also notice that the password is not used for security reasons, but only to avoid version conflicts between the DLLs)
- Once you have compiled the project successfully it will register itself for use, and the default.asp page should work fine.
All the methods used in default.asp are fully implemented and usable, unless otherwise explained in the default.asp page.
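Because the ESAPI component only becomes available once the compiled project has registered itself, an ASP page that depends on it should refuse to run rather than continue unprotected when the registration is missing. The following is an added example, not part of the project: the server-side script portion of an ASP page that tries to create the component and fails closed. The ProgID constant is a placeholder (the page does not state the ProgID the build registers) and the TryCreateEsapi function is constructed for this illustration.

```vbscript
' Added example (not the project's code): fail closed when the .NET ESAPI
' component is not registered, instead of serving the page without it.
Option Explicit

' Placeholder: replace with the ProgID registered when Owasp.Esapi.csproj is built.
Const ESAPI_PROGID = "REPLACE_WITH_REGISTERED_PROGID"

' Returns the COM-visible component, or Nothing if it cannot be created.
' Errors are trapped locally so the page decides what to do, not the ASP runtime.
Function TryCreateEsapi(progId)
    Dim obj
    Set TryCreateEsapi = Nothing
    On Error Resume Next
    Set obj = Server.CreateObject(progId)
    If Err.Number = 0 Then Set TryCreateEsapi = obj
    Err.Clear
    On Error GoTo 0
End Function

Dim esapi
Set esapi = TryCreateEsapi(ESAPI_PROGID)
If esapi Is Nothing Then
    ' Stop here: running the rest of the page without the security
    ' component would silently drop encoding and encryption.
    Response.Status = "500 Internal Server Error"
    Response.Write "Security component unavailable."
    Response.End
End If

' From this point on, esapi is a live instance and the page can use it.
```

Server.CreateObject is used rather than the bare CreateObject so the object is created in the page's context and released with it; the error-handling window is kept as small as possible so that an unrelated scripting error is not swallowed by the same On Error Resume Next.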
Notice that although I tested the software created as part of this project, it might not be stable enough for production, so I recommend additional and extensive testing before deploying, at least until the project reaches release level.
Let me know about any issue you face so I can improve the implementation; a Google Code repository will be available soon.