feetwet

Reputation: 3446

Safe URL Parameter Validation in ASP

I found the following function to parse and validate URL parameters being used in legacy ASP:

    ' Walks every query-string parameter, HTML-encodes a few characters, then
    ' declares and assigns a server-side variable named after the parameter.
    ' (The entity targets &#39; &quot; &amp; &#37; are assumed; the extracted
    ' page shows them already decoded to the literal characters.)
    FOR EACH field IN Request.QueryString
        var_name = field
        var_value = Request.QueryString(field)
        var_value = Replace(var_value, "'", "&#39;")
        var_value = Replace(var_value, """", "&quot;")
        var_value = Replace(var_value, "&", "&amp;")
        var_value = Replace(var_value, "%", "&#37;")
        str = "Dim " & var_name            ' variable name comes straight from the client
        EXECUTE(str)
        str = var_name & " = var_value"    ' assigns the encoded value to that variable
        EXECUTE(str)
    NEXT

This doesn't make sense to me, and those two EXECUTE statements seem to be begging for an injection attack (though I have not yet taken the time to construct one).

Is there a more canonical and secure method of parsing a query string for ASP Classic?

Upvotes: 0

Views: 456

Answers (1)

Robert S

Reputation: 496

Instead of storing the values in local variables (i.e. Dim) and exposing yourself to the vulnerabilities of execute, you could store the values in a Dictionary. You could encode the values taken from the querystring as you add them, but here is the skinny version.

    ' Collect each query-string name/value pair into a Dictionary instead of
    ' declaring variables dynamically with EXECUTE
    set qs = server.createObject("scripting.dictionary")

    for each q in request.querystring
        if not qs.exists(q) then qs.add q, request.querystring(q)
    next

Upvotes: 1
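A fuller version of the Dictionary approach, added here as an example and not taken from the question or the answer above: only a whitelist of expected parameter names is read, values are validated by type before use, and HTML encoding happens at output time rather than on input. The parameter names `id` and `q` and the length limits are assumptions for the example.

```vbscript
<%
Option Explicit

' Read only the expected parameter names into a Dictionary; anything else
' the client sends is ignored, and no EXECUTE is involved anywhere.
Function ReadQueryString(allowedNames)
    Dim qs, name
    Set qs = Server.CreateObject("Scripting.Dictionary")
    qs.CompareMode = 1   ' vbTextCompare: case-insensitive keys, like the query string
    For Each name In allowedNames
        ' Request.QueryString(name) is a list; Count is 0 when the name is absent
        If Request.QueryString(name).Count > 0 Then
            qs.Add name, Request.QueryString(name).Item(1)  ' first value only
        End If
    Next
    Set ReadQueryString = qs
End Function

' Return the parameter as a non-negative integer, or -1 if missing/malformed.
' A strict pattern is used instead of IsNumeric, which also accepts "1e3" or "&H10".
Function IntParam(qs, name)
    Dim re
    IntParam = -1
    If qs.Exists(name) Then
        Set re = New RegExp
        re.Pattern = "^\d{1,9}$"
        If re.Test(qs(name)) Then IntParam = CLng(qs(name))
    End If
End Function

' Return the parameter as free text capped at maxLen characters, or "" if missing.
Function TextParam(qs, name, maxLen)
    TextParam = ""
    If qs.Exists(name) Then TextParam = Left(qs(name), maxLen)
End Function

Dim params, id, q
Set params = ReadQueryString(Array("id", "q"))   ' assumed parameter names
id = IntParam(params, "id")
q  = TextParam(params, "q", 100)

' Encode at the point of output so the stored value stays raw for other uses
Response.Write "id=" & id & "<br>"
Response.Write "q=" & Server.HTMLEncode(q)
%>
```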
