4 Solutions
4.1 Some Ideas
There are a number of ideas to fix these two security problems. The basic approach is to create a library of ASP functions which can be used without much hassle. The advantage of this is that it can be used very easily. But it’s not the best way, because you need to think of it every time you read a value from a request. The one and only place where you forget to use these functions might be the door for an attacker. The other major disadvantage is that this requires a system for code sharing to ensure that every Web application uses the current functions.
Combined with the ASP functions, it’s possible to create a checker tool that reads the source files on the server and tries to detect the parameters which aren’t checked. This could even be automated using command-line options and/or a configuration file.
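The checker idea above, sketched as an added example (not code from the original document): it scans ASP source text and reports every request parameter that is read without being passed directly into a filtering function. The wrapper names `SqlSafe` and `HtmlSafe` are assumptions standing in for the ASP library functions, which this section does not name, and the sample page is constructed.

```python
import re

# Hypothetical wrapper names; the document does not name its ASP functions.
SAFE_WRAPPERS = ("SqlSafe", "HtmlSafe")

# Matches Request("x"), Request.Form("x"), Request.QueryString("x"), ...
REQUEST_RE = re.compile(
    r'\bRequest(?:\.(?:QueryString|Form|Cookies|ServerVariables))?'
    r'\s*\(\s*"([^"]*)"\s*\)', re.IGNORECASE)
# A wrapper call that opens immediately before the request read.
WRAPPER_RE = re.compile(
    r'\b(?:%s)\s*\(\s*$' % "|".join(SAFE_WRAPPERS), re.IGNORECASE)


def strip_comment(line):
    """Drop a VBScript comment (' ...), ignoring apostrophes inside strings."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line


def find_unchecked(source):
    """Return (line_no, parameter) for each request read that is not wrapped."""
    findings = []
    for no, raw in enumerate(source.splitlines(), start=1):
        line = strip_comment(raw)
        for m in REQUEST_RE.finditer(line):
            if not WRAPPER_RE.search(line[:m.start()]):
                findings.append((no, m.group(1)))
    return findings


# Constructed sample page, not taken from the original document.
SAMPLE = '''<%
id = Request.QueryString("id")
name = HtmlSafe(Request.Form("name"))
sql = "SELECT * FROM users WHERE id=" & SqlSafe( Request("uid") )
' old: x = Request("legacy")
Response.Write "Hello " & request.form("nick")
%>'''

if __name__ == "__main__":
    for no, param in find_unchecked(SAMPLE):
        print("line %d: unchecked parameter %r" % (no, param))
```

The check is line-based and only confirms that some wrapper encloses the read; it does not verify that the wrapper matches the context in which the value is later used (SQL query or HTML output).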
Another idea that floated around in my head was to create an ISAPI filter, so that you don’t have to rewrite the applications. This would be a great advantage, but it has some disadvantages. The most serious problem is the fact that in the ISAPI filter you can’t know whether to protect a given query against SQL injection or cross-site scripting. As we have seen, both need different filtering. It might be possible to solve this using some configuration files. I have decided not to dig into this for the moment, because it would be quite time-consuming.
As I find the idea of the checker tool very sexy, I decided to implement the ASP functions and a checker tool.