Wrox Programmer Forums

  #1 (permalink)  
July 9th, 2007, 04:23 AM
hassan1365 (Registered User)
asp classic website debug

Hi,
I have a full ASP classic website and it has some cross-site script bugs.
I scanned it and it found some errors like this:


Code:
Severity: High
Affects: /search.asp
Details: The GET variable yider has been set to %3C/xss/*-*/style=xss:e/**/xpression(alert(294762585))%3E.
Type: Validation
Description: This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.

Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.
Impact: Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.
Recommendation: Your script should filter metacharacters from user input.
Reported by module: Parameter manipulation
References:
Acunetix Cross Site Scripting Attack: http://www.acunetix.com/websitesecurity/cross-site-scripting.htm
Security Focus - Penetration Testing for Web Applications (Part Two): http://www.securityfocus.com/infocus/1709
The Cross Site Scripting Faq: http://www.cgisecurity.com/articles/xss-faq.shtml
OWASP Cross Site Scripting: http://www.owasp.org/index.php/Cross_Site_Scripting
XSS Annihilation: http://ha.ckers.org/blog/20060602/xss-annihilation/
XSS cheat sheet: http://ha.ckers.org/xss.html
PHP XSS (cross site scripting) filter function: http://quickwired.com/kallahar/smallprojects/php_xss_filter_function.php
Cross site scripting: http://en.wikipedia.org/wiki/Cross-site_scripting
OWASP PHP Top 5: http://www.owasp.org/index.php/PHP_Top_5
Request:
GET /search.asp?yider=%3C/xss/*-*/style=xss:e/**/xpression(alert(294762585))%3E&btnsearch=%D8%AC%D8%B3%D8%AA%D8%AC%D9%88%20%D8%AF%D8%B1%20%D9%BE%D8%A7%D9%8A%DA%AF%D8%A7%D9%87 HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: www.mysite.com
Cookie: ASPSESSIONIDSCASQTQB=CCIBHAOAGBLNHBNPIAGANGCM;Poll=PollID=2;ASP.NET_SessionId=2vn5ue45dygerf550seakc55;__utma=177195445.991742699.1180354728.1180354728.1180354728.1;path=/;expires=Tue, 27 Nov 2007 00:19:34 UTC;domain=acunetix.com;;__utmb=177195445;__utmc=177195445;__utmz=177195445.1180354775.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
Connection: Close
Pragma: no-cache
Response:
HTTP/1.1 200 OK
Connection: close
Date: Mon, 28 May 2007 12:40:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 23900
Content-Type: text/html; Charset=utf-8
Cache-control: private
Now how can I fix them?
Thanks,
M.H.H

M.H.H
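
One way to fix the kind of finding the scan reports, as an added example that is not part of the original post: a hypothetical search.asp that HTML-encodes the yider value at every point where it is written back into the page. Only the file name and the parameter name yider come from the report; the page layout, the length cap and the page parameter in the link are assumptions.

```asp
<%@ Language="VBScript" CodePage="65001" %>
<%
Option Explicit
Response.Charset = "utf-8"

' Hypothetical search.asp. Only the parameter name "yider" comes from the scan report.
' Vulnerable pattern this replaces: Response.Write Request.QueryString("yider")
Const MAX_TERM_LEN = 100   ' assumed limit for a search term

' Read the search term once, trim it and cap its length before any use.
Function GetSearchTerm()
    Dim s
    s = Trim(Request.QueryString("yider") & "")
    If Len(s) > MAX_TERM_LEN Then s = Left(s, MAX_TERM_LEN)
    GetSearchTerm = s
End Function

' Encode for HTML text and for quoted attribute values.
' Server.HTMLEncode converts < > & and "; it leaves ' alone, so that is encoded here too.
Function HtmlEnc(s)
    HtmlEnc = Replace(Server.HTMLEncode(s & ""), "'", "&#39;")
End Function

Dim term
term = GetSearchTerm()
%>
<html>
<body>
<form method="get" action="search.asp">
  <!-- Attribute context: always quote the attribute and encode the value -->
  <input type="text" name="yider" value="<%= HtmlEnc(term) %>">
</form>

<!-- HTML text context: the scanner's <... style=...> value is rendered as plain text -->
<p>Results for: <%= HtmlEnc(term) %></p>

<!-- URL context: URL-encode the value first, then HTML-encode the whole attribute -->
<a href="search.asp?yider=<%= HtmlEnc(Server.URLEncode(term)) %>&amp;page=2">Next</a>
</body>
</html>
```

Encoding at output time, rather than stripping characters from the input, keeps legitimate search terms intact while the reflected value can no longer open a tag or break out of a quoted attribute.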