Writing Secure ASP Code

Obviously, I recommend using NTFS permissions to secure your administrative Web pages. Grant permissions only to the administrators who are allowed to use the pages, and completely remove the Everyone group from the permissions. Also, ensure that the Guest group doesn't have permissions. After you've done that, IIS won't allow anyone who isn't authorized to even see the pages, let alone try to execute them. You can use a couple of other techniques to improve the security of your administrative Web pages. First, authenticate your users. For example, if you've written a script that only members of the Help Desk group should be able to execute, use a function like the one in Listing 23.2.

Listing 23.2. CheckMembership.vbs. This function ensures a user is a member of a particular group.
Function AllowUser(sDomain, sAuthorizedGroup)
    Dim sUser, sUserADPath, bLoggedOn, oGroup, oMember
    bLoggedOn = False
    'LOGON_USER is empty when IIS allowed anonymous access; never authorize that
    sUser = Request.ServerVariables("LOGON_USER")
    If Len(sUser) = 0 Then
        AllowUser = False
        Exit Function
    End If
    'LOGON_USER is usually DOMAIN\user; keep only the user name, because
    'the domain part of the ADSI path comes from the sDomain parameter
    If InStr(sUser, "\") > 0 Then sUser = Mid(sUser, InStrRev(sUser, "\") + 1)
    sUserADPath = "WinNT://" & sDomain & "/" & sUser
    'get the group from the same domain (not from a hard-coded machine name)
    Set oGroup = GetObject("WinNT://" & sDomain & "/" & _
        sAuthorizedGroup & ",group")
    'is the user a member?
    For Each oMember In oGroup.Members
        If LCase(oMember.ADsPath) = LCase(sUserADPath) Then
            bLoggedOn = True
            Exit For
        End If
    Next
    AllowUser = bLoggedOn
End Function
This function accepts a domain name and a group name, and returns True if the current user is a member of that group. Use it as follows.
If Not AllowUser("MyDomain", "Help Desk") Then
    Response.Write "You do not have permissions."
    Response.End
End If
Another technique is to check for spoofed form submissions. Whenever a user fills out an HTML form and submits it, the receiving page can check the source of the submission. For administrative scripts, you can check to make sure the form was submitted from the Web page you intended. This prevents hackers from trying to create their own substitute form, inserting bogus values, and submitting the form to the processing page. Keep in mind that the referring URL is supplied by the browser, so a client can omit or forge it; treat this check as a supplement to authentication and NTFS permissions, not a replacement for them. For example, the following code makes sure that the form was posted from a page named Admin.asp.

'the server variable is HTTP_REFERER (one R); compare case-insensitively
If LCase(Request.ServerVariables("HTTP_REFERER")) <> _
    "http://myserver/admin.asp" Then
    Response.Write "Unauthorized submission."
    Response.End
End If
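The referer check above can be strengthened with a token that the server issues when it renders the form and verifies when the form comes back. The following is an added example written for this page, not code from the book, and it goes one step beyond the text by combining the referer check with a per-session token. It assumes classic ASP with Session state enabled, a form page named Admin.asp that posts to a page named AdminProcess.asp, and the placeholder host name http://myserver from the text.

```vbscript
' Added example (not from the book): a per-session form token in classic ASP,
' layered on top of the HTTP_REFERER check described in the text.
' Assumptions: Session state is enabled in IIS, the form lives in Admin.asp,
' and it posts to AdminProcess.asp on http://myserver (placeholder host name).

' --- Admin.asp: issue the token and embed it in the form ---
Function NewFormToken()
    Dim i, sToken
    Randomize
    sToken = ""
    For i = 1 To 8
        'eight groups of up to four hex digits (VBScript has no stronger
        'random source; see the note below)
        sToken = sToken & Hex(Int(Rnd() * 65536))
    Next
    Session("AdminFormToken") = sToken
    NewFormToken = sToken
End Function

Sub WriteAdminForm()
    Response.Write "<form method=""post"" action=""AdminProcess.asp"">"
    Response.Write "<input type=""hidden"" name=""FormToken"" value=""" & _
        Server.HTMLEncode(NewFormToken()) & """>"
    Response.Write "User name: <input type=""text"" name=""UserName"">"
    Response.Write "<input type=""submit"" value=""Go""></form>"
End Sub

' --- AdminProcess.asp: accept the post only if every check passes ---
Function IsTrustedSubmission()
    Dim sExpected, sGot, sReferer
    IsTrustedSubmission = False
    'only accept a POST, never a crafted GET link
    If Request.ServerVariables("REQUEST_METHOD") <> "POST" Then Exit Function
    'referer check from the text (server variable is spelled HTTP_REFERER)
    sReferer = LCase(Request.ServerVariables("HTTP_REFERER"))
    If sReferer <> "http://myserver/admin.asp" Then Exit Function
    'token check: the value in the form must match the one stored server-side
    sExpected = Session("AdminFormToken")
    sGot = Request.Form("FormToken")
    If Len(sExpected) = 0 Or sGot <> sExpected Then Exit Function
    'one-time use: clear the token so the same post cannot be replayed
    Session("AdminFormToken") = ""
    IsTrustedSubmission = True
End Function

If Not IsTrustedSubmission() Then
    Response.Write "Unauthorized submission."
    Response.End
End If
```

The token lives only in the server-side Session, so a substitute form built elsewhere cannot know it, which is what the referer check alone cannot guarantee. VBScript's Rnd() is not a cryptographic generator; if the token must resist guessing by a determined attacker, generate it in a COM component that exposes the Windows cryptographic API instead.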
One form of IIS attack that's been successful in the past is tricking scripts into writing command code. It's a complex tactic, but easy to defend against. Instead of using Response.Write to create output, use Response.Write Server.HTMLEncode(whatever). By forcing any output to be encoded as HTML, you eliminate most forms of this attack.

Some attacks try to insert special characters into your script's input parameters, causing it to crash or to perform unexpected functions. You can use VBScript's regular expressions capability, along with the Replace() function, to easily detect or strip out these special characters. For example, this script isn't secure.
Dim sUser, sDomain
sUser = Request("UserName")
sDomain = Request("DomainName")
Why is this not secure? Because the values are taken from the Request object and put into variables with no checking. Presumably, those variables are used to control the script's actions, but the variables could contain characters that, especially if output through Response.Write, make IIS perform actions that a user wouldn't ordinarily be able to perform. Instead of moving data directly into variables, consider testing the input data first, to ensure it doesn't contain any suspicious characters. The script in Listing 23.3 illustrates the technique.

Listing 23.3. Checkinput.vbs. Checking input for special characters.
Dim sUser, sDomain
sUser = SafetyCheck(Request("UserName"))
sDomain = SafetyCheck(Request("DomainName"))

Function SafetyCheck(sString)
    Dim o, sBadChars, bUnsafe
    Set o = CreateObject("VBScript.RegExp")
    'define bad patterns: tags commonly used for script injection,
    'any other tag, HTML entities, eval( calls and event handlers
    sBadChars = "(<\s*(script|object|applet|embed|form)\s*>)"
    sBadChars = sBadChars & "|" & "(<.*>)"
    sBadChars = sBadChars & "|" & "(&.{1,5};)"
    sBadChars = sBadChars & "|" & "eval\s*\("
    sBadChars = sBadChars & "|" & "(event\s*=)"
    'also catch URL-encoded (%3C, %3E) and entity-encoded (&lt;, &gt;) brackets
    sBadChars = Replace(sBadChars, "<", "(<|%3C|&lt;)")
    sBadChars = Replace(sBadChars, ">", "(>|%3E|&gt;)")
    'set case and global options
    o.IgnoreCase = True
    o.Global = False
    'insert the bad characters pattern
    o.Pattern = sBadChars
    'Test returns True when the pattern matches, that is,
    'when bad characters are present
    bUnsafe = o.Test(sString)
    'release expression object
    Set o = Nothing
    'if bad characters were found, return an empty string
    'otherwise, return the original string
    If bUnsafe Then
        SafetyCheck = ""
    Else
        SafetyCheck = sString
    End If
End Function
The SafetyCheck() function returns an empty string if there are any special characters, and returns the original string if it appears to be safe.

NOTE VBScript regular expressions are beyond the scope of this chapter, but you can read more about them in the VBScript documentation. They provide a powerful way to search, match, and manipulate strings, beyond VBScript's built-in string-handling functions.
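SafetyCheck() looks for known bad patterns, so anything it does not list passes through. The complementary approach is to describe what a valid value looks like and reject everything else. The following is an added example written for this page, not code from the book; the character classes and length limits for user and domain names are assumptions chosen for illustration and may need adjusting to your naming convention. It also applies the Server.HTMLEncode rule from the text when the values are written back to the browser.

```vbscript
' Added example (not from the book): allow-list validation of the UserName
' and DomainName parameters, as a complement to SafetyCheck(), plus
' HTML-encoding of the values on output.
' Assumptions: patterns and length limits below are illustrative choices.

'returns True only if the whole value matches the anchored pattern
'and is within the length limit
Function MatchesPattern(sValue, sPattern, nMaxLen)
    Dim o
    MatchesPattern = False
    If Len(sValue) = 0 Or Len(sValue) > nMaxLen Then Exit Function
    Set o = CreateObject("VBScript.RegExp")
    o.IgnoreCase = True
    o.Global = False
    o.Pattern = sPattern
    MatchesPattern = o.Test(sValue)
    Set o = Nothing
End Function

'account names: letters, digits, dot, underscore and hyphen only (assumed)
Function IsValidUserName(sValue)
    IsValidUserName = MatchesPattern(sValue, "^[a-z0-9._-]+$", 20)
End Function

'NetBIOS-style domain names: letters, digits and hyphen only (assumed)
Function IsValidDomainName(sValue)
    IsValidDomainName = MatchesPattern(sValue, "^[a-z0-9-]+$", 15)
End Function

Dim sUser, sDomain
sUser = Request("UserName")
sDomain = Request("DomainName")

If Not (IsValidUserName(sUser) And IsValidDomainName(sDomain)) Then
    'reject rather than repair: an unexpected value must never drive the script
    Response.Write "Invalid user or domain name."
    Response.End
End If

'even validated values are encoded on the way back out, following the
'Response.Write Server.HTMLEncode(...) rule from the text
Response.Write "Processing account " & Server.HTMLEncode(sDomain & "\" & sUser)
```

Because the patterns are anchored with ^ and $, a value such as a name followed by a tag, an entity, or a percent-encoded bracket fails the test outright, so there is no list of bad characters to keep up to date.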