Does anyone use Fortify 360 with Classic ASP? a Header Manipulation vulnerability story

Posted by j_green71 on Stack Overflow See other posts from Stack Overflow or by j_green71
Published on 2009-10-12T14:04:14Z Indexed on 2010/03/28 23:03 UTC
Read the original article Hit count: 682

Filed under:

asp-classic

|

header

|

antixsslibrary

|

fortify360

|

fortify-software

Good morning, everyone.

I'm on a short-term contracting gig, trying to patch some vulnerabilities in their legacy code. The application I'm working on is a combination of Classic ASP(VBScript) and .Net 2.0 (C#). One of the tools they have purchased is Fortify 360.

Let's say that this is a current classic ASP page in the application:

<%@ Language=VBScript %>
<%
Dim var

var = Request.QueryString("var")
' do stuff
Response.Redirect "nextpage.asp?var=" & var
%>

I know, I know, short and very dangerous.

So we wrote some (en/de)coders and validation/verification routines:

<%@ Language=VBScript %>
<%
Dim var

var = Decode(Request.QueryString("var"))
' do stuff
if isValid(var) then 
    Response.Redirect "nextpage.asp?var=" & Encode(var)
else
   'throw error page
end if
%>

And still Fortify flags this as vulnerable to Header Manipulation. How or what exactly is Fortify looking for?

The reason I suspect that Fortify is looking for specific key words is that on the .Net side of things, I can include the Microsoft AntiXss assembly and call functions such as GetSafeHtmlFragment and UrlEncode and Fortify is happy.

Any advice?

© Stack Overflow or respective owner

Related posts about asp-classic

Looping through an array and calling a function on each pass in v-basic / asp classic

as seen on Stack Overflow - Search for 'Stack Overflow'
How do I loop through an array and call a function on each pass? At the minute I'm trying the following... if Request.Form("authorize") <> "" then dim post_ids, ids post_ids = Request.form("authorize") ids = split(post_ids, ",") For i = LBound(ids) to UBound(ids) … >>> More
ASP Classic Session Variable Not Always Getting Set

as seen on Stack Overflow - Search for 'Stack Overflow'
I have a classic ASP site I'm maintaining and recently we wanted to do special rendering actions if the visitor was coming from one specific set of websites. So in the page where those visitors have to come through to get to our site, I put a simple line setting a session variable: <!-- #include… >>> More
ASP Classic page quit working

as seen on Stack Overflow - Search for 'Stack Overflow'
I've had a set of legacy pages running on my IIS7 server for at least a year. Sometime last week something changed and now this line: Response.Write CStr(myRS(0).name) & "=" & Cstr(myRS(0).value) which used to return nothing more exciting than the string: 'Updated=true' (the sproc processing… >>> More
in visual studio 2008, when I stop debugging an asp classic website visual studio always crashes

as seen on Stack Overflow - Search for 'Stack Overflow'
We are running visual studio 2008 (with the service pack) and having troubles when we are debugging an asp classic website. We can attach to the w3p process and debug just fine. breakpoints work, we can view variable values. The difficulty arises when it comes time to detach or stop the debugger… >>> More
HTML to PDF conversion from hosted ASP classic?

as seen on Stack Overflow - Search for 'Stack Overflow'
I need to convert HTML to PDF on the fly from a hosted ASP classic page. WkHtmlToPDF is great, but unfortunately requires installation on the server which is not possible in this case. Is there something out there that would do this? >>> More

Related posts about header

Gridview header issue: call event on header

as seen on Stack Overflow - Search for 'Stack Overflow'
Now I got this gridview, And I need the headers to be clickable, whereafter an event starts (something like OnClickHeader="header_ClickEvent"?) Ofcourse there is a SortExpression element, which enables to sort the grid, but I want to be able to start any event, like when clicking a button. I could… >>> More
Menu widget - no jQuery nor Javascript required - pure CSS

as seen on Geeks with Blogs - Search for 'Geeks with Blogs'
Goal: Create a menu widget that does not require any javascript, extremely lightweight, very fast, soley based on CSS, compatible with FireFox and Chrome. Issues: May have some rendering issues in some versions of IE, sorry :-) Instruments: css file html with specific menu format … >>> More
Linux Exim set return-path header automaticly using from header

as seen on Server Fault - Search for 'Server Fault'
Hello, I use Exim on a Centos distribution and have some problems with the mail sending. In order to make all the email pass the spam filters the "Return-path" and "Sender" headers have to be attached to each email. What should I do in order to have "Return-path" and "Sender" headers added by… >>> More
Constructing radiotap header and ieee80211 header structures for packet injection

as seen on Super User - Search for 'Super User'
I am trying to communicate between two laptop machines using Wifi. The structure of the radiotap header and ieee80211 header I am using is: struct ieee80211_radiotap_header { unsigned char it_version; uint16_t it_len; uint32_t it_present; }; /* Structure for 80211 header */ struct ieee80211_hdr_3addr… >>> More
ASP.NET GridView second header row to span main header row

as seen on Stack Overflow - Search for 'Stack Overflow'
I have an ASP.NET GridView which has columns that look like this: | Foo | Bar | Total1 | Total2 | Total3 | Is it possible to create a header on two rows that looks like this? | | Totals | | Foo | Bar | 1 | 2 | 3 | The data in each row will remain unchanged as this is just to… >>> More