Tutorial: AntiXSS and Classic ASP



Question:

I'm currently trying to secure my classic ASP application from XSS. I came across the AntiXSS from Microsoft on the net and I was wondering if this would work with a classic application?

If not, do you have any ideas how I could go about sanitizing the strings?


Solution:1

To sanitize strings I would HTML-encode all output; that way you don't have to dink around with special characters or huge regex expressions:

    Server.HTMLEncode(string)

The two most important countermeasures to prevent cross-site scripting attacks are to:

  • Constrain input.
  • Encode output.

via How To: Prevent Cross-Site Scripting in ASP.NET (I know it's not classic ASP, but there are similar principles)


Solution:2

When functions don't exist in classic ASP, write them.


Solution:3

If you do have to allow certain HTML tags (as I do in my current project), you can use a regex to allow only those tags and no others, like so:

    Set objRegExp = New RegExp
    With objRegExp
        ' Match any opening or closing tag whose name is not in the allowlist
        ' (b, i, em, strong, br); an allowed tag carrying attributes is also
        ' removed, so onclick= and friends cannot ride in on a <b>.
        .Pattern = "<(?!/?(?:b|i|em|strong|br)\s*/?>)[^>]*>"
        .IgnoreCase = True
        .Global = True
    End With
    cleanString = objRegExp.Replace(originalString, "")
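Combining Solutions 1 and 3, here is an added example that is not from any of the original answers: encode everything with Server.HTMLEncode first, then restore only the bare tags Solution 3 allows. Because the restore pattern only matches an encoded tag with no attributes, a <script> element or a <b onclick=...> simply stays encoded as visible text instead of having to be matched and removed. The function names SafeText and SafeRichText and the sample string are my own.

```asp
<%
Option Explicit

' Plain-text fields: encode everything. "<", ">", "&" and quotes come
' out as entities, so any markup in the value renders as inert text.
Function SafeText(value)
    SafeText = Server.HTMLEncode(value & "")
End Function

' Rich-text fields: encode first, then turn back only bare
' <b>, <i>, <em>, <strong> and <br> (plus their closing forms).
' Anything else, including an allowed tag that carries attributes,
' stays encoded and is displayed literally rather than executed.
Function SafeRichText(value)
    Dim encoded, re
    encoded = Server.HTMLEncode(value & "")

    Set re = New RegExp
    re.Global = True
    re.IgnoreCase = True
    ' $1 = optional "/", $2 = tag name; "\s*/?" tolerates "<br />".
    ' HTMLEncode does not touch "/", so the slash survives encoding.
    re.Pattern = "&lt;(/?)(b|i|em|strong|br)\s*/?&gt;"
    SafeRichText = re.Replace(encoded, "<$1$2>")
End Function

' Constructed sample: one legitimate <b>, one <script>, one <b onclick>.
Dim sample
sample = "Hi <b>there</b><script>alert(1)</script><b onclick=""x()"">!</b>"

Response.Write "<p>" & SafeText(sample) & "</p>"
Response.Write "<p>" & SafeRichText(sample) & "</p>"
%>
```

The second paragraph keeps the legitimate bold text while the script element and the attributed <b> appear on the page as literal, encoded characters.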


Solution:4

Not easily - you'd need to make a COM-callable wrapper, install on the servers, etc. I simply don't think it is a suitable fit for "classic" ASP.


Solution:5

    <%
    Response.AddHeader "X-XSS-Protection", "1"
    %>
