Active Server Pages Security (Compact 2013)
3/26/2014
Active Server Pages (ASP) has potential security risks because it supports the transfer of data over the network.
Never trust user input to be of an appropriate size or contain appropriate characters
Always verify user input before the program uses it to make decisions. The best option is to create a COM component, which you can call from an ASP page to verify user input.
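The following classic ASP page, written in VBScript, is an added example and is not code from the original page; it shows the in-page form of the check described above (a COM component would apply the same rule). It enforces a length limit and a character whitelist on a form field before the value is used anywhere. The field name username, the limit of 32 characters and the allowed pattern are assumptions, and the example assumes the server's ASP implementation provides the RegExp object, Server.HTMLEncode and Response.Status.

```vbscript
<% Option Explicit %>
<%
' Returns True only if value is a non-empty string of at most maxLen characters
' drawn from the allowed set. A whitelist is used rather than a list of "bad"
' characters, so anything unexpected (quotes, angle brackets, the commas that
' join a repeated form field) is rejected instead of being special-cased.
Function IsValidInput(value, maxLen, allowedPattern)
    Dim re
    IsValidInput = False
    If IsNull(value) Or IsEmpty(value) Then Exit Function
    If Len(value) = 0 Or Len(value) > maxLen Then Exit Function
    Set re = New RegExp
    re.Pattern = allowedPattern
    IsValidInput = re.Test(value)
End Function

' Read the field as a plain string. Request.Form("username") is a collection;
' CStr forces it to text and joins repeated fields with commas, which the
' pattern below rejects.
Dim userName
userName = CStr(Request.Form("username"))

' Validate before the value takes part in any decision, query, or output.
If Not IsValidInput(userName, 32, "^[A-Za-z0-9_]+$") Then
    Response.Status = "400 Bad Request"
    Response.Write "The user name must be 1 to 32 letters, digits, or underscores."
    Response.End
End If

' Even validated input is HTML-encoded on the way back out to the browser.
Response.Write "Hello, " & Server.HTMLEncode(userName)
%>
```

Keep the whitelist as narrow as the field allows; widening it later is a visible, reviewable change, whereas a blacklist silently misses the characters nobody thought of.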
Do not create database connection strings in an ASP page by concatenating strings of user input together
A malicious user can insert SQL code into the input to gain access to the database. If you are using a SQL database, use stored procedures for creating database connection strings.
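As an added example (not the original page's code), this VBScript ASP fragment applies the rule above to SQL statements built from user input: the unsafe concatenated form is shown only as a comment, and the safe form passes the value to a stored procedure as a typed parameter through an ADODB.Command. The stored procedure name usp_GetUserIdByName, the Users table, the connection string placeholder and the availability of the ADODB objects on the server are assumptions.

```vbscript
<%
' ADO constants, spelled out because VBScript cannot read the type library.
Const adCmdStoredProc = 4
Const adVarChar = 200
Const adParamInput = 1

' UNSAFE pattern the text warns about: the statement text is assembled from
' user input. A single quote in userName ends the string literal and whatever
' follows is parsed as SQL. Shown only for contrast; do not use.
'   sql = "SELECT UserId FROM Users WHERE UserName = '" & userName & "'"
'   Set rs = conn.Execute(sql)

' The connection string is a fixed server-side setting, never built from input.
' Placeholder value; replace with your server's real settings.
Const CONN_STRING = "Provider=SQLOLEDB;Data Source=dbhost;Initial Catalog=AppDb;Integrated Security=SSPI"

' Safe pattern: the stored procedure (assumed to exist) receives the value as a
' parameter, so the database treats it as data and never parses it as SQL text.
Function LookupUserId(conn, userName)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "usp_GetUserIdByName"
    cmd.CommandType = adCmdStoredProc
    cmd.Parameters.Append cmd.CreateParameter("@UserName", adVarChar, adParamInput, 32, userName)
    Set rs = cmd.Execute
    If rs.EOF Then
        LookupUserId = 0
    Else
        LookupUserId = rs.Fields("UserId").Value
    End If
    rs.Close
End Function

Dim conn, userName, userId
' The value is still length- and character-checked before it gets here;
' parameters stop injection but do not make a 10 KB "user name" sensible.
userName = CStr(Request.Form("username"))
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open CONN_STRING
userId = LookupUserId(conn, userName)
conn.Close
Response.Write "User id: " & Server.HTMLEncode(CStr(userId))
%>
```

The same CreateParameter call works with cmd.CommandType set to adCmdText (1) and a "?" placeholder in the statement when a stored procedure is not available; what matters is that user input never becomes part of the SQL text.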
Do not use the default SQL administrator account
Everyone who uses SQL knows that the system administrator (sa) account exists. Create a different SQL administrative account that has a strong password and delete the default system administrator account.
Use caution when handling user passwords and administrative account names and passwords
Before you store client user passwords, try to hash, encrypt, or obfuscate them in some way. Do not put administrative account names or passwords in administration scripts or ASP pages.
Be cautious when you use data from request headers
Because header data can be fabricated by a malicious user, do not make decisions in your code based on request headers. Before using request data, always validate the source.
Be cautious when you use cookies or hidden input fields
Do not store sensitive data in cookies or in hidden input fields in webpages.
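The two items above share one rule: headers, cookies and hidden fields all arrive from the client and can say anything. This added VBScript ASP example (not from the original page) keeps the authoritative data on the server: the form carries only an item identifier, the price is looked up server-side, and a header value is encoded and length-limited before it is shown or logged rather than being used in a decision. The Scripting.Dictionary price table is a constructed stand-in for a database, and the field name itemId and the item ids are assumptions.

```vbscript
<%
' Constructed stand-in for a server-side price table. A real page would read
' this from a database or configuration, never from the form.
Function ServerPriceTable()
    Dim t
    Set t = Server.CreateObject("Scripting.Dictionary")
    t.Add "1001", 19.99
    t.Add "1002", 4.5
    Set ServerPriceTable = t
End Function

' Returns the price for an item id chosen by the client, or -1 if the id is
' not one the server knows. A hidden "price" field, if the form carried one,
' is ignored entirely; the same goes for a "role" or "user" cookie, which
' should hold nothing more than an opaque identifier the server resolves.
Function PriceForItem(itemId)
    Dim table
    Set table = ServerPriceTable()
    PriceForItem = -1
    If Len(itemId) > 0 And Len(itemId) <= 8 Then
        If table.Exists(itemId) Then PriceForItem = table.Item(itemId)
    End If
End Function

' Request headers are equally under the client's control. They may be logged
' or displayed once encoded and truncated, but never used for authorization
' (comparing HTTP_REFERER with your own host name proves nothing).
Function SafeHeaderText(name, maxLen)
    Dim v
    v = CStr(Request.ServerVariables(name))
    If Len(v) > maxLen Then v = Left(v, maxLen)
    SafeHeaderText = Server.HTMLEncode(v)
End Function

Dim itemId, price
itemId = CStr(Request.Form("itemId"))
price = PriceForItem(itemId)
If price < 0 Then
    Response.Status = "400 Bad Request"
    Response.Write "Unknown item."
    Response.End
End If
Response.Write "Item " & Server.HTMLEncode(itemId) & " costs " & price
Response.Write "<br>Client reports: " & SafeHeaderText("HTTP_USER_AGENT", 200)
%>
```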
Use SSL to protect sensitive data to prevent malicious users from eavesdropping on the network connections
SSL enables web servers and web clients to communicate by using encryption. When SSL is not used, data sent between the client and server is open to packet sniffing by anyone with physical access to the network. For more information, see Configure a Web Server to use SSL.
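Once the server is configured for SSL, a page can refuse to handle sensitive data over a plain connection. The fragment below is an added example, not from the original page: it checks the HTTPS server variable and redirects to the SSL address. It assumes the web server exposes HTTPS, URL and QUERY_STRING in Request.ServerVariables as IIS does, and the host name is a server-side constant (placeholder value) rather than the request's Host header, which is client-supplied.

```vbscript
<%
' Place at the top of every page that handles sensitive data, before any
' output, since a redirect cannot be sent once the body has started.
Const SITE_HOST = "www.example.com"   ' placeholder: your server's real name

Function IsHttpsRequest()
    ' The web server sets HTTPS to "on" for requests that arrived over SSL.
    IsHttpsRequest = (LCase(CStr(Request.ServerVariables("HTTPS"))) = "on")
End Function

Function SecureUrlForThisPage()
    Dim qs
    qs = CStr(Request.ServerVariables("QUERY_STRING"))
    SecureUrlForThisPage = "https://" & SITE_HOST & CStr(Request.ServerVariables("URL"))
    If Len(qs) > 0 Then SecureUrlForThisPage = SecureUrlForThisPage & "?" & qs
End Function

If Not IsHttpsRequest() Then
    ' A redirect only protects GET requests; a POST that arrived in the clear
    ' has already exposed its body, so the form itself must point at https://.
    Response.Redirect SecureUrlForThisPage()
End If
%>
```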
Use caution when you write ISAPI applications, filters, and COM objects
When writing ISAPI applications, filters, or COM objects, watch for buffer overruns caused by assumptions about the sizes of variables and data. Also watch for canonicalization issues, which can arise when data such as absolute path names or URLs is interpreted as relative path names or URLs.