Checklist: ASP Security

The following is a list of issues to keep in mind when you are developing Web pages using ASP:

Step Reference
Check box Never trust user input to be of an appropriate size or contain appropriate characters. Always verify user input before using it to make decisions. The best option is to create a COM+ component which you can call from an ASP page to verify user input. You can also use the Server.HTMLEncode method, the Server.URLEncode method, or one of the code examples at the bottom of this page. See Writing Secure Code.
Check box Do not create database connection strings in an ASP page by concatenating strings of user input together. A malicious attacker can inject code in their input to gain access to your database. If you are using a SQL database, use stored procedures for creating database connection strings. See Writing Secure Code.
Check box Do not use the default SQL administrator account name, sa. Everyone who uses SQL knows that the sa account exists. Create a different SQL administrative account with a strong password and delete the sa account. See "Passwords" in Windows Help.
Check box Before you store client user passwords, hash them, base64 encode them, or use Server.HTMLEncode or Server.URLEncode to encode them. You can also use one of the code examples at the bottom of this page to verify the characters in the client's password. See "Encrypting File System" in Windows Help.
Check box Do not put administrative account names or passwords in administration scripts or ASP pages.
Check box Do not make decisions in your code based on request headers because header data can be fabricated by a malicious user. Before using request data, always encode it or use one of the code examples below to verify the characters it contains. See Writing Secure Code.
Check box Do not store secure data in cookies or hidden input fields in your Web pages. See Writing Secure Code.
Check box Always use Secure Sockets Layer (SSL) for session-based applications so that you never risk sending session cookies without encrypting them. If session cookies are not encrypted, a malicious user can use a session cookie from one application to gain entry to another application that resides in the same process as the first application. See the topics titled "Secure Sockets Layer (SSL)" and "Encryption" in IIS Help, which is accessible from IIS Manager.
Check box When writing ISAPI applications, filters, or COM+ objects, watch out for buffer over-runs caused by assuming sizes of variables and data. Also watch out for canonicalization issues that can be caused by interpreting things like absolute path names or URLs as relative path names or URLs. See Writing Secure Code.
Check box When you switch an ASP application from running in Single Threaded Apartment (STA) to Multi-Threaded Apartment (MTA) (or from MTA to STA), the impersonation token becomes obsolete. This can cause the application to run with no impersonation, effectively letting it run with the identity of the process which might allow access to other resources. If you must switch threading models, disable the application and unload it before you make the change. See COM+ Services, and see "Configuring Applications to use COM+ Services" in IIS Help, which is accessible from IIS Manager.
Code Example

This code example includes a function that removes potentially harmful characters from a string that is sent to the function. In both examples above, the code page is specified to ensure proper encoding. The first example is in VBScript:

  <%@ LANGUAGE="VBScript" %>
<%
  Response.CodePage = 1252
  Response.Write("Hello, " & RemoveBadCharacters(Request.Form("UserName")))
  Response.Write("<BR>This is why you received an error:")

  Function RemoveBadCharacters(strTemp)
    Dim regEx
    Set regEx = New RegExp
    regEx.Pattern = "[^\s\w]"
    regEx.Global = True
    RemoveBadCharacters = regEx.Replace(strTemp, "")
  End Function
%>

The next example is in JScript:

  <%@ LANGUAGE="JScript" %>
<%
  Response.CodePage = 1252;
  Response.Write("Hello, " + RemoveBadCharacters(Request.Form("UserName")));
  Response.Write("<BR>This is why you received an error:");

  function RemoveBadCharacters(strTemp) { 
    strTemp = strTemp.replace(/[^\s\w]/g,""); 
    return strTemp;
  }
%>
  • For a Metabase security checklist, see Checklist: Metabase Security.
  • For a global security checklist, see the topic titled "IIS Security Checklist" in IIS Help, which is accessible from IIS Manager.