Does anyone use Fortify 360 with Classic ASP? a Header Manipulation vulnerability story

Posted by j_green71 on Stack Overflow See other posts from Stack Overflow or by j_green71
Published on 2009-10-12T14:04:14Z Indexed on 2010/03/28 23:03 UTC
Read the original article Hit count: 718

Good morning, everyone.

I'm on a short-term contracting gig, trying to patch some vulnerabilities in their legacy code. The application I'm working on is a combination of Classic ASP(VBScript) and .Net 2.0 (C#). One of the tools they have purchased is Fortify 360.

Let's say that this is a current classic ASP page in the application:

<%@ Language=VBScript %>
<%
Dim var

var = Request.QueryString("var")
' do stuff
Response.Redirect "nextpage.asp?var=" & var
%>

I know, I know, short and very dangerous.

So we wrote some (en/de)coders and validation/verification routines:

<%@ Language=VBScript %>
<%
Dim var

var = Decode(Request.QueryString("var"))
' do stuff
if isValid(var) then 
    Response.Redirect "nextpage.asp?var=" & Encode(var)
else
   'throw error page
end if
%>

And still Fortify flags this as vulnerable to Header Manipulation. How or what exactly is Fortify looking for?

The reason I suspect that Fortify is looking for specific key words is that on the .Net side of things, I can include the Microsoft AntiXss assembly and call functions such as GetSafeHtmlFragment and UrlEncode and Fortify is happy.

Any advice?

© Stack Overflow or respective owner

Related posts about asp-classic

Related posts about header