Does anyone use Fortify 360 with Classic ASP? a Header Manipulation vulnerability story
- by j_green71
Good morning, everyone.
I'm on a short-term contracting gig, trying to patch some vulnerabilities in their legacy code. The application I'm working on is a combination of Classic ASP(VBScript) and .Net 2.0 (C#). One of the tools they have purchased is Fortify 360.
Let's say that this is a current classic ASP page in the application:
<%@ Language=VBScript %>
<%
Dim var
var = Request.QueryString("var")
' do stuff
Response.Redirect "nextpage.asp?var=" & var
%>
I know, I know, short and very dangerous.
So we wrote some (en/de)coders and validation/verification routines:
<%@ Language=VBScript %>
<%
Dim var
var = Decode(Request.QueryString("var"))
' do stuff
if isValid(var) then
Response.Redirect "nextpage.asp?var=" & Encode(var)
else
'throw error page
end if
%>
And still Fortify flags this as vulnerable to Header Manipulation. How or what exactly is Fortify looking for?
The reason I suspect that Fortify is looking for specific key words is that on the .Net side of things, I can include the Microsoft AntiXss assembly and call functions such as GetSafeHtmlFragment and UrlEncode and Fortify is happy.
Any advice?