Reputation: 261
I'm trying to protect a Classic ASP web application from HTTP Header Injected XSS attacks and am having trouble finding a solution that stops scripts found in the User Agent String.
Here is an example HTTP request to the web application:
```http
GET /WebApp/Login.aspx HTTP/1.1
Host: WebServer.Webapp.Com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0**alert(1)**
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ASP.NET_SessionId=foobarID
Connection: keep-alive
```
Basically what we're trying to do is keep that alert script in the User Agent String from firing off when the page is loaded. I've been doing a lot of research and haven't been able to find too much help for this old app. We do have validateRequest and EnableHeaderChecking set to true, but this script still executes. Any help is really appreciated.
Upvotes: 3
Views: 1642
Reputation: 261
The issue was from the user agent string (with the malicious script) being rendered on the page at the bottom for debug purposes. If you're having this issue, please check that you aren't displaying the object with the bad script on the page.
If you are, then remember to use HTML Encoding to render it safely.
Thanks to the_lotus and Lankymart for the quick answers.
Upvotes: 3
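The sink the answer describes, as an added example that is not code from the original post or the asker's application: a debug footer that writes the User-Agent header straight into the page, beside the same footer with the value HTML-encoded first. The encoder here is a stand-in for what Server.HTMLEncode (Classic ASP) or HttpUtility.HtmlEncode (ASP.NET) do; the header values are constructed for the example, and the full `<script>` payload is an assumption, since the question only shows the `alert(1)` fragment.

```javascript
// Added example, not from the original post. Shows why echoing a request
// header into a page is an XSS sink and how HTML encoding closes it.

// Minimal HTML entity encoder for the characters that can break out of element
// text or a double-quoted attribute value. Ampersand goes first so entities
// produced by the later replacements are not double-encoded. This stands in for
// the platform encoder (Server.HTMLEncode / HttpUtility.HtmlEncode); it is not
// that API.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the raw header value is concatenated into the markup, so any
// tags the client put in the header become part of the page.
function renderDebugFooterUnsafe(headers) {
  return '<div id="debug">UA: ' + headers['user-agent'] + '</div>';
}

// Hardened: identical footer, but the value is encoded before it is written,
// so the browser sees text, not markup.
function renderDebugFooterSafe(headers) {
  return '<div id="debug">UA: ' + htmlEncode(headers['user-agent']) + '</div>';
}

// Crude check used only to contrast the two renderers: does the output contain
// a <script> start tag? Not a general XSS detector.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed request headers: the Firefox UA from the question with an
// assumed <script> payload appended, the way an attacker would send it.
const sampleHeaders = {
  'user-agent':
    'Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0' +
    '<script>alert(1)</script>',
};

console.log('unsafe:', renderDebugFooterUnsafe(sampleHeaders));
console.log('safe:  ', renderDebugFooterSafe(sampleHeaders));
```

Request validation (validateRequest) inspects form fields, query string and cookies; it is not a substitute for encoding at the point where a header value is written into HTML, which is why the debug footer still fired.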