Wrox Programmer Forums
Classic ASP Databases Discuss using ASP 3 to work with data in databases, including ASP Database Setup issues from the old P2P forum on this specific subtopic. See also the book forum Beginning ASP.NET Databases for questions specific to that book. NOT for ASP.NET 1.0, 1.1, or 2.0.

You are currently viewing the Classic ASP Databases section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
asp classic website debug
Posted by hassan1365 (Registered User), July 9th, 2007, 04:23 AM

I have a full ASP classic website and it has some cross-site scripting bugs.
I scanned it and it found some errors like this:

Severity: High
Affects: /search.asp
Details: The GET variable yider has been set to %3C/xss/*-*/style=xss:e/**/xpression(alert(294762585))%3E.
Type: Validation

Description:
This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.

Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.

Impact:
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

Recommendation:
Your script should filter metacharacters from user input.

Reported by module: Parameter manipulation

References:
Acunetix Cross Site Scripting Attack: http://www.acunetix.com/websitesecurity/cross-site-scripting.htm
Security Focus - Penetration Testing for Web Applications (Part Two): http://www.securityfocus.com/infocus/1709
The Cross Site Scripting Faq: http://www.cgisecurity.com/articles/xss-faq.shtml
OWASP Cross Site Scripting: http://www.owasp.org/index.php/Cross_Site_Scripting
XSS Annihilation: http://ha.ckers.org/blog/20060602/xss-annihilation/
XSS cheat sheet: http://ha.ckers.org/xss.html
PHP XSS (cross site scripting) filter function: http://quickwired.com/kallahar/smallprojects/php_xss_filter_function.php
Cross site scripting: http://en.wikipedia.org/wiki/Cross-site_scripting
OWASP PHP Top 5: http://www.owasp.org/index.php/PHP_Top_5

Request:
GET /search.asp?yider=%3C/xss/*-*/style=xss:e/**/xpression(alert(294762585))%3E&btnsearch=%D8%AC%D8%B3%D8%AA%D8%AC%D9%88%20%D8%AF%D8%B1%20%D9%BE%D8%A7%D9%8A%DA%AF%D8%A7%D9%87 HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: www.mysite.com
Cookie: ASPSESSIONIDSCASQTQB=CCIBHAOAGBLNHBNPIAGANGCM;Poll=PollID=2;ASP.NET_SessionId=2vn5ue45dygerf550seakc55;__utma=177195445.991742699.1180354728.1180354728.1180354728.1;path=/;expires=Tue, 27 Nov 2007 00:19:34 UTC;domain=acunetix.com;;__utmb=177195445;__utmc=177195445;__utmz=177195445.1180354775.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
Connection: Close
Pragma: no-cache

Response:
HTTP/1.1 200 OK
Connection: close
Date: Mon, 28 May 2007 12:40:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 23900
Content-Type: text/html; Charset=utf-8
Cache-control: private
Now how can I fix them?
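
One way to address the scanner finding above, shown as an added example that is not part of the original post. The source of search.asp does not appear in the thread, so the page layout, the helper name H and the 100-character limit are assumptions; only the yider parameter, the file name and the utf-8 charset come from the report.

```asp
<%@ Language="VBScript" CodePage="65001" %>
<%
Option Explicit
Response.Charset = "utf-8"

' H (hypothetical helper): HTML-encode any value before it is written into
' the page. Appending "" turns Null/Empty (for example a Null recordset
' field or a missing query-string key) into an empty string first.
Function H(value)
    H = Server.HTMLEncode(value & "")
End Function

Dim term
term = Trim(Request.QueryString("yider") & "")

' Assumed limit: a search box rarely needs more than 100 characters.
If Len(term) > 100 Then term = Left(term, 100)

' Pattern that produces the reported finding (input echoed unencoded):
'   Response.Write "Results for: " & term
' Corrected form: the markup characters in the value are written as
' entities, so the browser displays them as text instead of parsing them.
Response.Write "<p>Results for: " & H(term) & "</p>"
%>
<form method="get" action="search.asp">
  <!-- Attribute context: keep the value inside double quotes, which HTMLEncode escapes -->
  <input type="text" name="yider" value="<%= H(term) %>">
  <input type="submit" name="btnsearch" value="Search">
</form>

<!-- URL context: URLEncode the value, then HTML-encode the "&" separators -->
<a href="search.asp?yider=<%= Server.URLEncode(term) %>&amp;page=2">Next page</a>
```

The same helper applies to every other place the site writes request data or database fields into HTML, not only to search.asp.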

