To deal with ASP overflow vulnerabilities, we should filter characters comprehensively.
The first case is member login. The following code rejects illegal characters in the username.
<%
' Read and trim the submitted credentials
username=trim(request.form("username"))
userpws=trim(request.form("password"))
' Reject empty values and any username containing one of the listed characters
if username="" or userpws="" or Instr(username,"=")>0 or Instr(username,"%")>0 or Instr(username,chr(32))>0 or Instr(username,"&")>0 or Instr(username,";")>0 or Instr(username,",")>0 or Instr(username,"'")>0 or Instr(username,chr(34))>0 or Instr(username,chr(9))>0 or Instr(username,"?")>0 or Instr(username,"$")>0 then
response.write("Please enter the username and password correctly")
response.end
end if
%>
There is also an overflow vulnerability that involves entering illegal characters through the address bar. For example, suppose one page is newslist.asp and the other is newspage.asp, and we pass the newsid parameter from newslist.asp to newspage.asp.
When receiving the parameter in newspage.asp, we generally only use:
<%
dim newsid
newsid=request("newsid")
' .....................
%>
To be on the safe side, we should at least add:
<%
dim newsid
newsid=trim(request("newsid"))
' Reject an empty value or one containing a single quote or percent sign
if newsid="" or Instr(newsid,"'")>0 or Instr(newsid,"%")>0 then
response.write("Illegal parameter")
response.end
end if
%>
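The two checks above reject a fixed list of characters. As an added example (not code from the original page), the same two inputs can be validated against an allow-list instead, so that anything outside the expected shape is refused. It assumes usernames are 3 to 20 letters, digits or underscores and that newsid is a positive integer; the function names MatchesWhole, IsValidUsername and ParseNewsId are hypothetical.

```vbscript
<%
' Added example: allow-list validation for the two inputs discussed above.
' Assumptions (not stated on the original page): a username is 3-20 letters,
' digits or underscores, and newsid is a positive integer record number.

' True only when the whole of value matches pattern (no partial matches).
Function MatchesWhole(value, pattern)
    Dim re
    Set re = New RegExp
    re.Pattern = "^(?:" & pattern & ")$"
    re.IgnoreCase = False
    re.Global = False
    MatchesWhole = re.Test(value)
End Function

' Login page: call this on trim(request.form("username")) before using it.
Function IsValidUsername(value)
    IsValidUsername = MatchesWhole(value, "[A-Za-z0-9_]{3,20}")
End Function

' Returns the id as a Long, or -1 when the input is not 1-9 decimal digits.
' Nine digits at most keeps the value inside the range CLng can convert.
Function ParseNewsId(value)
    ParseNewsId = -1
    If MatchesWhole(value, "[1-9][0-9]{0,8}") Then ParseNewsId = CLng(value)
End Function

' newspage.asp: read the parameter from the query string only.
' A repeated parameter (?newsid=1&newsid=2) arrives as "1, 2" and is refused.
Dim newsid
newsid = ParseNewsId(Trim(Request.QueryString("newsid")))
If newsid < 0 Then
    Response.Status = "400 Bad Request"
    Response.Write "Illegal parameter"
    Response.End
End If
' From here on newsid is a number, not text supplied by the caller.
%>
```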
What I have said basically comes down to the two points above. If there are any deficiencies, please let me know.
Although there are still some loopholes on the Internet, adding a few more lines of code can increase the security of the website!
A simple way to deal with using illegal character overflow vulnerability to attack websites