This paper briefly describes several common classes of coding error generally encountered when auditing web applications running on the Active Server Pages (ASP) platform. The paper is broken down into three broad sections, each of which addresses several common coding problems. The following is a list of the common errors that are discussed in this document, divided into three broad categories. The remainder of the document deals with each of these problems in turn. Any ASP code samples assume that the default language is VBScript, but all of the points apply equally to JavaScript. Equally, all occurrences of the SQL language assume that Microsoft SQL Server is being used as the back – end database.

Input validation
Insufficient validation of fields in SQL queries
Email handling problems
Parent path problems
Predictability and secure management of state
Poor randomness
Predictable session identifiers
Session state manipulation bugs
Poor credential management
Source maintenance problems
Improper source and data file maintenance
Debug code
Hardcoded credentials
Error messages/error handling
Classes of problem

Input validation
Input validation errors are probably the most common form of problem encountered when auditing ASP applications. Three of the most common classes of input validation error are:
Insufficient validation of fields in SQL queries
Email handling problems
Parent path problems
We will address each of these classes of error in turn.

Download pdf Writing Secure ASP Scripts