## Writing Secure ASP Code

Obviously, I recommend using NTFS permissions to secure your administrative Web pages. Grant permissions only to the administrators who are allowed to use the pages, and completely remove the Everyone group from the permissions. Also, ensure that the Guest group doesn't have permissions. After you've done that, IIS won't allow anyone who isn't authorized to even see the pages, let alone try to execute them.

You can use a couple of other techniques to improve the security of your administrative Web pages. First, authenticate your users. For example, if you've written a script that only members of the Help Desk group should be able to execute, use a function like the one in Listing 23.2.

Listing 23.2. CheckMembership.vbs. This function ensures a user is a member of a particular group.

```vbscript
Function AllowUser(sDomain, sAuthorizedGroup)
    Dim sUser, sUserADPath, bLoggedOn, oGroup, oMember
    bLoggedOn = False

    ' LOGON_USER may arrive as DOMAIN\user; keep only the user part so
    ' the ADSI path matches the form ADSI reports for group members
    sUser = Request.ServerVariables("LOGON_USER")
    If InStr(sUser, "\") > 0 Then
        sUser = Mid(sUser, InStrRev(sUser, "\") + 1)
    End If
    sUserADPath = "WinNT://" & sDomain & "/" & sUser

    ' get the group from the same domain
    Set oGroup = GetObject("WinNT://" & sDomain & "/" & _
        sAuthorizedGroup & ",group")

    ' is the user a member?
    For Each oMember In oGroup.Members
        If LCase(oMember.ADsPath) = LCase(sUserADPath) Then
            bLoggedOn = True
            Exit For
        End If
    Next

    AllowUser = bLoggedOn
End Function
```

This function accepts a domain name and a group name, and returns True if the current user is a member of that group. Use it as follows.

```vbscript
If Not AllowUser("MyDomain", "Help Desk") Then
    Response.Write "You do not have permissions."
    Response.End
End If
```

Another technique is to check for spoofed form submissions. Whenever a user fills out an HTML form and submits it, the receiving page can check the source of the submission. For administrative scripts, you can check to make sure the form was submitted from the Web page you intended. This prevents hackers from trying to create their own substitute form, inserting bogus values, and submitting the form to the processing page. For example, the following code makes sure that the form was posted from a page named Admin.asp.

```vbscript
' The server variable is HTTP_REFERER (one R, matching the spelling of the
' HTTP header). The header is supplied by the client, so treat this as a
' sanity check that complements the NTFS permissions and AllowUser() above,
' not as a replacement for them.
If Request.ServerVariables("HTTP_REFERER") <> _
    "http://myserver/admin.asp" Then
    Response.Write "Unauthorized submission."
    Response.End
End If
```

One form of IIS attack that's been successful in the past is tricking scripts into writing command code. It's a complex tactic, but easy to defend against. Instead of using `Response.Write` to create output, use `Response.Write Server.HTMLEncode(whatever)`. By forcing any output to be encoded as HTML, you can eliminate most forms of this attack.

Some attacks try to insert special characters into your script's input parameters, causing it to crash or to perform unexpected functions. You can use VBScript's regular expressions capability, along with the `Replace()` function, to easily strip out these special characters. For example, this script isn't secure.

```vbscript
Dim sUser, sDomain
sUser = Request("UserName")
sDomain = Request("DomainName")
```

Why is this not secure? Because the values are taken from the Request object and put into variables with no checking. Presumably, those variables are used to control the script's actions, but the variables could contain characters that, especially if output through `Response.Write`, make IIS perform actions that a user wouldn't ordinarily be able to perform. Instead of moving data directly into variables, consider testing the input data first, to ensure it doesn't contain any suspicious characters. The script in Listing 23.3 illustrates the technique.

Listing 23.3. Checkinput.vbs. Checking input for special characters.

```vbscript
Dim sUser, sDomain
sUser = SafetyCheck(Request("UserName"))
sDomain = SafetyCheck(Request("DomainName"))

Function SafetyCheck(sString)
    Dim o, sBadChars, bFound
    Set o = CreateObject("VBScript.RegExp")

    ' define bad patterns: dangerous tags, any other tag, character
    ' entity references, eval() calls and event= attributes
    sBadChars = "(<\s*(script|object|applet|embed|form)\s*>)"
    sBadChars = sBadChars & "|" & "(<.*>)"
    sBadChars = sBadChars & "|" & "(&.{1,5};)"
    sBadChars = sBadChars & "|" & "(eval\s*\()"
    sBadChars = sBadChars & "|" & "(event\s*=)"

    ' also match the URL-encoded (%3C, %3E) and HTML-entity (&lt;, &gt;)
    ' forms of the angle brackets
    sBadChars = Replace(sBadChars, "<", "(<|%3C|&lt;)")
    sBadChars = Replace(sBadChars, ">", "(>|%3E|&gt;)")

    ' set case and global options
    o.IgnoreCase = True
    o.Global = False

    ' insert the bad characters pattern
    o.Pattern = sBadChars

    ' Test returns True when the pattern matches, i.e. bad input was found
    bFound = o.Test(sString)

    ' release expression object
    Set o = Nothing

    ' if no bad characters, return the original string;
    ' otherwise, return an empty string
    If bFound Then
        SafetyCheck = ""
    Else
        SafetyCheck = sString
    End If
End Function
```

The `SafetyCheck()` function returns an empty string if there are any special characters, and returns the original string if it appears to be safe.

NOTE: VBScript regular expressions are beyond the scope of this chapter, but you can read more about them in the VBScript documentation. They provide a powerful way to search, match, and manipulate strings, beyond VBScript's built-in string-handling functions.
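The two defenses described above (rejecting suspicious input and HTML-encoding whatever is written back out) rebuilt in Python so they can be exercised offline; this is an added example, not the chapter's ASP code. It mirrors the Listing 23.3 pattern with Python's `re` module, uses `html.escape()` as a stand-in for `Server.HTMLEncode`, and runs both over a set of constructed inputs. The function names and the sample inputs are assumptions made for this demonstration.

```python
import html
import re

# Added example (not the chapter's ASP code): the SafetyCheck() pattern from
# Listing 23.3 rebuilt with Python's re module, plus an html.escape() stand-in
# for Server.HTMLEncode. Function names and samples are constructed here.

# The angle-bracket alternations mirror the chapter's Replace() calls, which
# make the pattern also match URL-encoded (%3C/%3E) and entity (&lt;/&gt;) forms.
_LT = r"(?:<|%3C|&lt;)"
_GT = r"(?:>|%3E|&gt;)"
_TAGS = r"(?:script|object|applet|embed|form)"

BAD_PATTERN = re.compile(
    rf"({_LT}\s*{_TAGS}\s*{_GT})"  # explicitly dangerous tags
    rf"|({_LT}.*{_GT})"            # any other tag-like construct
    r"|(&.{1,5};)"                 # character entity references
    r"|(eval\s*\()"                # script eval() calls
    r"|(event\s*=)",               # event= attributes
    re.IGNORECASE,
)


def safety_check(value: str) -> str:
    """Return value unchanged when no suspicious pattern is found, else ''.

    Like RegExp.Test() in the VBScript listing, search() answers "does the
    pattern match?", so a match means the input is rejected.
    """
    return "" if BAD_PATTERN.search(value) else value


def html_encode(value: str) -> str:
    """Stand-in for Server.HTMLEncode: angle brackets, ampersands and quotes
    become entities, so the browser displays the text instead of interpreting it."""
    return html.escape(value, quote=True)


def render_greeting(user_name: str) -> str:
    """Apply both layers the chapter recommends: filter the input, then encode
    whatever is written back out (the Response.Write Server.HTMLEncode(...) idiom)."""
    return "<p>Welcome, " + html_encode(safety_check(user_name)) + "</p>"


# Constructed sample inputs mapped to the expected safety_check() result.
SAMPLES = {
    "alice": "alice",                  # ordinary value passes unchanged
    "Help Desk": "Help Desk",
    "Smith & Jones": "Smith & Jones",  # a bare ampersand is not an entity
    "<script>": "",                    # plain tag rejected
    "%3Cscript%3E": "",                # URL-encoded form rejected
    "&lt;script&gt;": "",              # entity-encoded form rejected
    "eval (x)": "",                    # eval call rejected
    "a&amp;b": "",                     # entity reference rejected
}


def run_samples() -> dict:
    """Map each constructed sample to what safety_check() actually returns."""
    return {raw: safety_check(raw) for raw in SAMPLES}


if __name__ == "__main__":
    for raw, result in run_samples().items():
        status = "rejected" if result == "" else "accepted"
        print(f"{raw!r:20} -> {status}")
    # A quote character survives the filter but is made inert by output encoding.
    print(render_greeting('Bob "Mac" Lee'))
```

The two layers do different jobs: `safety_check()` decides whether a value is accepted at all, while `html_encode()` makes an accepted value harmless when it reaches the page. The `Smith & Jones` sample shows that the entity pattern only fires when a semicolon follows within five characters, which is why a bare ampersand in a name is still accepted and then encoded as `&amp;` on output.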