Hello all,
... and Happy New Year! Maybe this is the year where I really take my coding to a new level .... Haha! ok, ok ... let me get to it.
I have had a looming question hanging over my head for a while now. I've recently started coding some of my pages with AJAX, using Classic ASP as my serverside scripting engine. Now, I love VBScript, hence I really like Classic ASP. I have some questions in reguard to defending against would be injection attacks.
One scenario is this: Ok, so I don't even have a form on my page. I just dynamically create text in certain areas of a page using AJAX. ... And I do mean Classic AJAX as well as Classic ASP because I am litterally using XHTML Transitional and JavaScript to make the request to the server for a Classic ASP page which responds with text retrieved from an XML file. It doesn't get anymore "Classic" than that in reguards to AJAX. I use the "Post" method, even though I am not posting any information. I suppose I could use "Get", but I am just not a big fan of the appending to the url. So, "Post" it is, then...
Now, the .xml file gets to stay on the server, and any infromation that the client will need from that file will be accessed via the ASP file that gets called from the client.
Now, as far as I know, it does not matter whether or not I use "Post" or "Get" as far as the scenario that I am about to explain is concerned:
A malicious user decides to start messing with my site and checking for vulnerabilities. I am not a hacker, but from what I've learned about the web in general, is that if I wanted to start messing with "Harry" the homeowner's web server ... I'd start looking at the code that I downloaded from his webpage. ... "Ah, this looks interesting..." as I see the name of the ASP page that gets called via the JavaScript xmlhttprequest function: xmlhttp.open("Post","someASPpage.asp", true); xmlhttp.send();
The reason I said that it does not matter whether or not I use "Post" or "Get" is because now that the user has the name of the ASP page, (the url for my website, can also obtain the exact IP address for the website, etc ... etc ...) and can craft any type of AJAX call to that page that he/she wants to (also, let's assume that masking is not being implemented, and even if it were, I am pretty sure that the correct destination can be obtained, anyhow). So, the user can type up any XHTML page with forms and whatever and post to that page.
So, what I am wondering is: should every ASP page that can be found have a security script built into it, to prevent ASP code injection?
In this example, the ASP page doesn't even use the Request object because it does not rely on any information from the client. However, if it is possible to pass: "Dim fname fname = Request.Form('FirstName')", or any ASP code at all, to the ASP page via a specially crafted XMLHTTPRequest, than obviously the answer to my question would be: "Yes, every ASP page should have a built in security script to prevent code injection via a specially crafted AJAX call using the XMLHTTPRequest object." .... and if so, where do I find some examples?
Thanks for reading my post! :-)