Looking at this
http://www.dotnetperls.com/ashx
I might have bits of code like this:
string file = context.Request.QueryString["file"];
if (file == "logo")
{
r.WriteFile("Logo1.png");
}
else
{
r.WriteFile("Flower1.png");
}
That should allow me to see different things depending on URL that I enter in a browser, for example:
http://www.dotnetperls.com/?file=logo
http://www.dotnetperls.com/?file=sth_else_eg_flower
The problem I am facing now is how, knowing just http://www.dotnetperls.com/?file can I read what the all the assumed options of the file variable are? In this case it would be "logo" and anything else.
What I have in reality is http://www.somewebstie.com/somefile.ashx?somevariable=. I can Google up the string to get few results (i.e. http://www.somewebstie.com/somefile.ashx?somevariable=abcde or http://www.somewebstie.com/somefile.ashx?somevariable=xyz) thus I know it exists and is somehow searchable. I just would like to know all the other "abcde" and "xyz". If I try just http://www.somewebstie.com/somefile.ashx I get a singe line error saying that I am giving a wrong variable and I cannot see anything important in the source of the site.
What might be important here - I have zero knowledge about web technologies.
You can't get this information. Its all hidden in the code implementation. There is no published format (by default) that will show you all of the available options the code is looking for.
It is clearly to me that when I submit a simple form with :
a # w+aaa
Actually what is being posted is :
html=a+%40+w%2Baaa (ignore the "html" word)
But when I post it via fiddler :
What is being submitted is a # w+aaa ( the original raw string , obviously).
Question:
Can fiddler auto "encode" the variables so they will be sent as a+%40+w%2Baaa ?
Nb I know I can use the textwizard for this , but again , it is pretty annoying every time to open and paste values .
Fiddler's Composer doesn't automatically encode variables for you, and no, there's no way that it could reliably do so, since there's no way to tell whether a given = or & is a part of the value, or a delimiter between values.
If you wanted, you could use the WebForms Inspector to compose the POST body; simply SHIFT+Click the Execute button and then use the WebForms Inspector to edit the body fields.
We did a Fortify scan on our ASP.net application. We found that there many header manipulation issues. All the issues are pointing to Response.Redirect(). Please have a look at the below code where I encoded the parameters. Even then the below code is counted as header manipulation issue.
int iCount = 0;
foreach (string Name in Request.QueryString.Keys)
{
iCount++;
if (iCount > 1)
{
url += "&";
}
url += Name;
if (Request.Params[Name]!=null)
{
url += "=" + AntiXss.UrlEncode(Request.Params[Name]);
}
}
Response.redirect(Server.UrlPathEncode(page.root) + "\Test.aspx?" + url);
Can some body let me know what else is required to change here to resolve the issue?
Take off the Server.UrlPathEncode(page.root) portion and use Server.Transfer() instead of Response.Redirect().
Server.Transfer() transfers the user to another page on the same site and poses little to no danger of accidentally directing someone to another site.
Response.Redirect() is good for when you want to redirect someone to another site.
Also, Fortify doesn't tend to like Request.Params[] due to its possible ambiguity. A careful attacker may be able, on some servers, to send a UTF-7 or non-printing version of a name as one of the request variables and let the name of the variable contain the actual XSS injection, or overwrite the GET-request value with a cookie of the same name. Make sure both the name and value are htmlencoded, and consider using Request.QueryString[parametername] instead of Request.Params[parametername] to avoid more issues with Fortify.
Hopefully this gets you past your Fortify issues!
It appears that Fortify percieves Name as user defined and that will triger "Manupulation" error. If it's true try to use predefined list if possible.
We have taken over a .NET project recently and upon looking at the db we have the following in some columns:
1) Some columns have values such as
" & etc etc
2) Some have <script> tags and other non html encoded tags
This data is displayed all over the site. When trying out HtmlEncoding on point number 1 we get the following " -> "
Obviously we are wanting to htmlencode when displaying as point 2 contains javascript which we don't want executed.
Is there a way to use HtmlEncoded on values that might or might not be already encoded?
Is there a way to use HtmlEncoded on values that might or might not be already encoded?
No there isn't.
What i would suggest is that you write a quick script that goes through the database and unencode the already encoded data. Then use something like the Microsoft AntiXSS library (tutorial here) to encode all output before it gets output to the web page. Remember that it is fine to store the data unencoded1, the danger is when you echo it back out to the end user.
Some controls already encode output using encode functionality built into the .Net framework - which is not bulletproof to XSS - you just have to either avoid using those controls or just not encode the data displayed by them. There is a FAQ question pertaining to the MS controls that encode at the bottom of the page for the first link which you should read. Also some third party control vendors encode the output of their controls, you would do yourself a favor if you test them to make sure they are not still susceptible to XSS.
1Don't forget to take steps to prevent SQL injection though!
Before applying HtmlEncode( "myText" ) use HtmlDecode method to the input text.
That way you will decode your string from:
& quot; & amp; etc etc < script>
to
" & etc etc < script>
and afterwards apply encode "from scratch".
I mean, like php'h include...
something like
my_file_to_be_included = "include_me.asp"
-- >
for what I've seen so far, there are a couple of alternatives, but every one of them has some sort of shortcoming...
what I'm trying to figure out is how to make a flexible template system... without having to statically include the whole thing in a single file with a loooooong case statement...
here there are a couple of links
a solution using FileSysmemObject, just lets you include static pages
idem
yet another one
same thing from adobe
this approach uses Server.Execute
but it has some shortcomings I'd like to avoid... seems like (haven't tried yet) Server.Execute code runs in another context, so you can't use it to load a functions your are planning to use in the caller code... nasty...
same thing
I think this one is the same
this looks promising!!!
I'm not sure about it (couldn't test it yet) but it seems like this one dinamycally handles the page to a SSDI component...
any idea???
No you can't do a dyanmic include, period.
Your best shot at this is a server.execute and passing whatever state it needs via a Session variable:-
Session("callParams") = BuildMyParams() 'Creates some sort of string
Server.Execute(my_file_to_be_included)
Session.Contents.Remove("callParams")
Improved version (v2.0):
<%
' **** Dynamic ASP include v.2.0
function fixInclude(content)
out=""
if instr(content,"#include ")>0 then
response.write "Error: include directive not permitted!"
response.end
end if
content=replace(content,"<"&"%=","<"&"%response.write ")
pos1=instr(content,"<%")
pos2=instr(content,"%"& ">")
if pos1>0 then
before= mid(content,1,pos1-1)
before=replace(before,"""","""""")
before=replace(before,vbcrlf,""""&vbcrlf&"response.write vbcrlf&""")
before=vbcrlf & "response.write """ & before & """" &vbcrlf
middle= mid(content,pos1+2,(pos2-pos1-2))
after=mid(content,pos2+2,len(content))
out=before & middle & fixInclude(after)
else
content=replace(content,"""","""""")
content=replace(content,vbcrlf,""""&vbcrlf&"response.write vbcrlf&""")
out=vbcrlf & "response.write """ & content &""""
end if
fixInclude=out
end function
Function getMappedFileAsString(byVal strFilename)
Dim fso,td
Set fso = Server.CreateObject("Scripting.FilesystemObject")
Set ts = fso.OpenTextFile(Server.MapPath(strFilename), 1)
getMappedFileAsString = ts.ReadAll
ts.close
Set ts = nothing
Set fso = Nothing
End Function
execute (fixInclude(getMappedFileAsString("included.asp")))
%>
Sure you can do REAL classic asp dynamic includes. I wrote this a while back and it has opened up Classic ASP for me in a whole new way. It will do exactly what you are after, even though people seem to think it isn't possible!
Any problems just let me know.
I'm a bit rusty on classic ASP, but I'm pretty sure you can use the Server.Execute method to read in another asp page, and then carry on executing the calling page. 15Seconds had some basic stuff about it - it takes me back ...
I am building a web site where it would have been convenient to be able to use dynamic includes. The site is all ajax (no page reloads at all) and while the pure-data JSON-returning calls didn't need it, all the different html content for each different application sub-part (window/pane/area/form etc) seems best to me to be in different files.
My initial idea was to have the ajax call be back to the "central hub" main file (that kicks the application off in the first place), which would then know which sub-file to include. Simply including all the files was not workable after I realized that each call for some possibly tiny piece would have to parse all the ASP code for the entire site! And using the Execute method was not good, both in terms of speed and maintenance.
I solved the problem by making the supposed "child" pages the main pages, and including the "central hub" file in each one. Basically, it's a javascript round-trip include.
This is less costly than it seems since the whole idea of a web page is that the server responds to client requests for "the next page" all the time. The content that is being requested is defined in scope by the page being called.
The only drawback to this is that the "web pieces" of the application have to live partly split apart: most of their content in a real named .asp file, but enough of their structure and relationship defined in the main .asp file (so that, for example, a menu item in one web piece knows the name to use to call or load another web piece and how that loading should be done). In a way, though, this is still an advantage over a traditional site where each page has to know how to load every other page. Now, I can do stuff like "load this part (whether it's a whole page or otherwise) the way it wants to be loaded".
I also set it up so each part can have its own javascript and css (if only that part needs those things). Then, those files are included dynamically through javascript only the first time that part is loaded. Then if the part is loaded repeatedly it won't incur an extra overhead.
Just as an additional note. I was getting weird ASCII characters at the top of the pages that were using dynamic includes so I found that using an ADODB.Stream object to read the include file eliminated this issue.
So my updated code for the getMappedFileAsString function is as follows
Function getMappedFileAsString(byVal strFilename)
Dim fso
Set fso = CreateObject("ADODB.Stream")
fso.CharSet = "utf-8"
fso.Open
fso.LoadFromFile(Server.MapPath(strFilename))
getMappedFileAsString = fso.ReadText()
'Response.write(getMappedFileAsString)
'Response.End
Set fso = Nothing
End Function