Sorry, no, AFAIK, those tools fix other things*. There is no magic bullet.
I'm not so sure things will be made "worse". Many of the coding practices
that make sites vulnerable to these exploits are programming shortcuts that,
while they do help get sites up and running quicker, actually lead to less
efficient, less robust applications.
I believe you're just going to have to bite the bullet on this one.
*I may be wrong about this, so you should get the opinions of the experts
over at .inetserver.iis. If I am wrong, don't be shy about letting me know.
I don't want to be giving bad advice.
Bob Barrows
Nanda wrote:
Hi Bob,
Thanks a lot for the reply. However, as I said the application is
huge and there are many applications that have been running from
years together. If I start modifying the code at this point of time
it will surely make things worse. Does the installation of IIS
Lockdown Tool and URL Scan help me in doing this job?
Thanks,
Nanda
"Bob Barrows [MVP]" wrote:
Nanda wrote:
Hi,
Can someone please provide me with tips on securing the ASP application from
the below vulnerabilities?
· Cross Site Scripting (XSS) Findings
· Cross Site Tracing - Trace Method Enabled
· HTTP Header CRLF Injection (HTTP Response Splitting)
I know that these can be handled on the code level, but since the
application I am working on is a huge and old one, it would be
difficult to start fixing these vulnerabilities at code level. Can
anyone suggest something like the "ValidateRequest" or handling
user Request object at Global.asax just like in the DotNet world?
There is nothing like that in classic asp. You will need to attack
these things at the code level. Do a Google search on these terms
and start reading.
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so
I don't check it very often. If you must reply off-line, then remove
the "NO SPAM"
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
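
As an added illustration of the "code level" fixes discussed in this thread (not code from any of the posters): a shared classic ASP include that HTML-encodes values before they are written into a page (XSS) and strips CR/LF from values placed in response headers (response splitting). The file name `security.inc`, the function names and the `name`/`lang`/`next` parameters are assumptions made for the example.

```vbscript
<%
' security.inc (hypothetical shared include; every name in it is an assumption).
' Pull it into a page with:  <!-- #include virtual="/includes/security.inc" -->

' XSS: encode a value for HTML body text or a quoted attribute value.
' "" & value coerces Null, Empty and Request collection items to a string.
' Server.HTMLEncode is not sufficient inside <script> blocks or URL
' attributes; those contexts need their own encoding.
Function SafeHtml(value)
    SafeHtml = Server.HTMLEncode("" & value)
End Function

' Response splitting: a header value must never carry CR or LF, because
' those characters end the current header line and start a new one.
Function SafeHeaderValue(value)
    Dim s
    s = "" & value
    s = Replace(s, vbCr, "")
    s = Replace(s, vbLf, "")
    s = Replace(s, Chr(0), "")
    SafeHeaderValue = s
End Function

' Redirect targets end up in the Location header, so they get the same
' treatment before Response.Redirect is called.
Sub SafeRedirect(target)
    Dim t
    t = SafeHeaderValue(target)
    If Len(t) = 0 Then t = "/"
    Response.Redirect t
End Sub

' Usage on a page (constructed example):
'   Response.Write "Hello, " & SafeHtml(Request.QueryString("name"))
'   Response.AddHeader "X-Lang", SafeHeaderValue(Request.QueryString("lang"))
'   SafeRedirect Request.QueryString("next")
%>
```

In a large code base, the places to route through these helpers are the `Response.Write` / `<%= %>` output points and the `Response.AddHeader`, `Response.Redirect` and `Response.Cookies` calls that take request data.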