Classic ASP :: Cross-Site Scripting (XSS) Poor Validation Issue

Question

For a legacy Classic ASP application, I am supposed to remove all security attack issues. Currently, DB contains data which is already encoded and there will be no more Insert/update operations. Only select operations from now on wards.

I am able to remove SQL Injection and few other security issues, but, unable to remove

Cross Site Scripting (XSS) : Poor Validation Issue

This became bottle neck for delivery of the project.

Could anybody help me on this.

Example: My data in DB as following.

One Cell Sample Data (Korean and English Char)

1..&nbsp;Rupture&nbsp;disc&nbsp;설치&nbsp;관련&nbsp;필요&nbsp;자재&nbsp;List<BR>──────────────────────────────────────<BR>&nbsp;&nbsp;&nbsp;No 필요&nbsp;자재 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;재질 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;비&nbsp;고 <BR>──────────────────────────────────────<BR>&nbsp;&nbsp;&nbsp;1 inlet&nbsp;isolation&nbsp;valve,&nbsp;8" &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Hast&nbsp;C276 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;기존&nbsp;재고&nbsp;사용 <BR>&nbsp;&nbsp;&nbsp;2 RD&nbsp;holder&nbsp;inlet/outlet &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Hast&nbsp;C276&nbsp;/&nbsp;316L&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;신규&nbsp;구매 <BR>&nbsp;&nbsp;&nbsp;3 Rupture&nbsp;Disc &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Hast&nbsp;C276 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;신규&nbsp;구매 <BR>&nbsp;&nbsp;&nbsp;4 SV&nbsp;outlet&nbsp;isolation&nbsp;valve,&nbsp;10"&nbsp;&nbsp;&nbsp;SUS&nbsp;316L &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;신규&nbsp;구매 <BR>──────────────────────────────────────<BR><BR>2.&nbsp;Rupture&nbsp;Disc&nbsp;Specification<BR>&nbsp;&nbsp;1)&nbsp;Rupture&nbsp;design&nbsp;press  :&nbsp;4kg/cm2<BR>&nbsp;&nbsp;2)&nbsp;Design&nbsp;temperature  :&nbsp;100℃<BR>&nbsp;&nbsp;3)&nbsp;Rupture&nbsp;press&nbsp;tolerance&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;±&nbsp;5%<BR>&nbsp;&nbsp;4)&nbsp;Manufacturing&nbsp;range  :&nbsp;+&nbsp;0%,&nbsp;&nbsp;&nbsp;-&nbsp;10%<BR>&nbsp;&nbsp;5)&nbsp;Material&nbsp;spec   :&nbsp;M1,&nbsp;M4,&nbsp;C31<BR>&nbsp;&nbsp;6)&nbsp;Max.&nbsp;allowable&nbsp;oper&nbsp;press &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;3.2kg/cm2&nbsp;(at&nbsp;100℃)<BR><BR>3.&nbsp;Rupture&nbsp;Disc&nbsp;spec&nbsp;선정&nbsp;기준<BR>&nbsp;&nbsp;.&nbsp;Code,&nbsp;&nbsp;Standard&nbsp;=&nbsp;API&nbsp;520,&nbsp;&nbsp;ASME&nbsp;VIII<BR>&nbsp;&nbsp;.&nbsp;Required&nbsp;Burst&nbsp;Pressure&nbsp;=&nbsp;Vessel&nbsp;Design&nbsp;Pressure<BR>&nbsp;&nbsp;.&nbsp;Manufacturing&nbsp;range(+0%&nbsp;∼&nbsp;-10%)&nbsp;of&nbsp;Required&nbsp;Burst&nbsp;Pressure<BR>&nbsp;&nbsp;.&nbsp;Rupture&nbsp;Pressure&nbsp;Tolerance&nbsp;+5%,&nbsp;-5%&nbsp;of&nbsp;Stamped&nbsp;Burst&nbsp;Pressure<BR>&nbsp;&nbsp;.&nbsp;Specified&nbsp;Disc&nbsp;Temperature&nbsp;=&nbsp;Actual&nbsp;Temperature&nbsp;of&nbsp;Disc&nbsp;in&nbsp;Operation&nbsp;<BR>&nbsp;&nbsp;&nbsp;&nbsp;→&nbsp;usually&nbsp;lower&nbsp;at&nbsp;disc&nbsp;than&nbsp;in&nbsp;liquid&nbsp;phase&nbsp;of&nbsp;vessel&nbsp;&nbsp;<BR><BR>4.&nbsp;Rupture&nbsp;Disk&nbsp;전단&nbsp;및&nbsp;SV2209&nbsp;후단&nbsp;Isolation&nbsp;valve는&nbsp;CSO(CAR&nbsp;SEAL&nbsp;OPEN)&nbsp;.<BR><BR>5.&nbsp;Rupture&nbsp;Disk&nbsp;후단에&nbsp;PG2209를&nbsp;설치하여&nbsp;운전&nbsp;중&nbsp;Rupture&nbsp;disk&nbsp;파손&nbsp;여부&nbsp;확인&nbsp;가능토록&nbsp;함.<BR>

I am displaying above cell data as follows:

Sample Page:

<!-- #include file="INCLUDES/HTMLDecode.inc" -->
.
.
.
<HTML>
.
.
.
sampledata = rs("sampledata")
.
.
.
<TD><%= ClearForAttack(sampledata) =%></TD>
.
.
.
</HTML>

The above functions defined as follows :

User Defined Functions:

    <%
    Function HTMLDecode(sText)
        Dim I
        sText = Replace(sText, "&quot;", Chr(34))
        sText = Replace(sText, "&lt;"  , Chr(60))
        sText = Replace(sText, "&gt;"  , Chr(62))
        sText = Replace(sText, "&amp;" , Chr(38))
        sText = Replace(sText, "&nbsp;", Chr(32))
        For I = 1 to 255
            sText = Replace(sText, "&#" & I & ";", Chr(I))
        Next
        HTMLDecode = sText
    End Function
    %>
    <%
    Function ClearForAttack(pStrValue)
        if len(pStrValue)>0 then
            pStrValue = HTMLDecode(Server.HTMLEncode(pStrValue))
            pStrValue = replace(pStrValue,"'","")
            pStrValue = replace(pStrValue,"`","")
            pStrValue = replace(pStrValue,"%","")
            pStrValue = replace(pStrValue,"<","&lt;")
            pStrValue = replace(pStrValue,">","&gt;")
        else
            pStrValue = ""
        end if
        ClearForAttack = pStrValue
    End Function
    %>

To display already encoded data I am using both HTMLDecode and HTMLEncode Functions

Please EDIT functions or suggest me another approach.

Your help or suggestions are highly appreciated.

Thanks in advance.

Answer 1

As stated, simply sanitise the post/query string data all data from user input and the database alike. You can try a number of methods including Server.HTMLEncode.

If you need to extend this to cover database fields, then you're going to need to perform some kind of search and replace on < and >, replacing them with < and > respectively.

There are some problems with XSS. You may want to read this first.

Answer 2

The Server.HTMLEncode sanitizes the query. You need to run a validation process to satisfy the poor validation. There is a simple "blacklist" program that you can change to suit your needs. check http://blogs.iis.net/nazim/filtering-sql-injection-from-classic-asp or Validation for Form and QueryString in ASP Classic using Regex. Almost working but missing something?. Once incorporated, should remove most of poor validation.