
I have a screen where I print all the variables to the screen and show them to the user with classic asp.

On this screen, I show the values of "Session", "Querystring", "Form", "Cookie" and "Server.Variables" to the user.

I'm doing replace so that some data is understandable. Other than that, I don't do anything.

There is nothing in the displayed values to bother me.

But can the user do anything harmful by tampering with a Cookie or submitting malicious code with the Request form?

Will I need to apply anything, such as a regex, before displaying the values to the user?

Before showing these values on the same page, I check the username and password according to the values I assigned to Session from SQL Server, and then show all the data below to the user.

You can think of it as a kind of phpinfo.

My classic ASP code:

<%
variables = variables & "<style>h3 {margin:3px;text-decoration: underline;}</style>"
variables = variables & "<h3>Session</h3>"
ix = 0
For Each ix In Session.Contents
    variables = variables & "<span style='color:red;font-weight:bold;'>" & ix & "</span>="
    variables = variables & Session.Contents(ix)
    variables = variables & "<br>"
Next

variables = variables & "<h3>Querystring</h3>"
For Each variable_name In Request.QueryString
    variable_value = Request.QueryString(variable_name)
    variables = variables & "<span style='color:red;font-weight:bold;'>" & variable_name & "</span>="
    variables = variables & variable_value
    variables = variables & "<br>"
Next

variables = variables & "<h3>Form</h3>"
For Each variable_name In Request.Form
    variable_value = Request.Form(variable_name)
    variables = variables & "<span style='color:red;font-weight:bold;'>" & variable_name & "</span>="
    variables = variables & variable_value
    variables = variables & "<br>"
Next

variables = variables & "<h3>Cookie</h3>"
For Each x In Request.Cookies
    If Request.Cookies(x).HasKeys Then
        For Each y In Request.Cookies(x)
            variables = variables & ("<span style='color:red;font-weight:bold;'>" & x & "</span>" & "<span style='color:blue;font-weight:bold;'>('" & y & "')</span>=" & Request.Cookies(x)(y))
            variables = variables & ("<br>")
        Next
    Else
        variables = variables & ("<span style='color:red;font-weight:bold;'>" & x & "</span>=" & Request.Cookies(x) & "<br>")
    End If
Next

variables = variables & "<h3>Server.Variables</h3>"
For Each x In Request.ServerVariables
    variables = variables & ("<span style='color:red;font-weight:bold;'>" & x & "</span>=" & Request.ServerVariables("" & x & "") & "<br>")
Next

Response.Write variables
%>
omerix
    Using `Server.HTMLEncode` will prevent any potentially harmful code passed as a form, querystring or cookie value from being executed client side. – Adam Jul 06 '21 at 16:17

1 Answer


Yes - you're not encoding the values before outputting them to the page. At the very least, use Server.HTMLEncode around the values.

Simon Sawyer
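The encoding the answer recommends, applied to the whole dump page from the question. This is an added example, not the asker's or the answerer's code; `Row` is a helper name chosen here, and it encodes the names as well as the values, because query-string keys, cookie names and header names are client-controlled too.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example, not the asker's or the answerer's code: the same dump page
' with Server.HTMLEncode applied to every client-controlled string. Names are
' encoded too, since query keys, cookie names and header names come from the
' client as well. Row is a helper name chosen for this example.
Dim variables, ix, x, y
Function Row(name, value)
    ' value & "" turns Null/Empty into "" and lets the request collections'
    ' default property supply the string, exactly as the original code did.
    Row = "<span style='color:red;font-weight:bold;'>" & Server.HTMLEncode(name & "") & _
          "</span>=" & Server.HTMLEncode(value & "") & "<br>"
End Function
variables = "<style>h3 {margin:3px;text-decoration: underline;}</style>"
variables = variables & "<h3>Session</h3>"
For Each ix In Session.Contents
    variables = variables & Row(ix, Session.Contents(ix))
Next

variables = variables & "<h3>Querystring</h3>"
For Each x In Request.QueryString
    variables = variables & Row(x, Request.QueryString(x))
Next

variables = variables & "<h3>Form</h3>"
For Each x In Request.Form
    variables = variables & Row(x, Request.Form(x))
Next

variables = variables & "<h3>Cookie</h3>"
For Each x In Request.Cookies
    If Request.Cookies(x).HasKeys Then
        For Each y In Request.Cookies(x)
            variables = variables & Row(x & "('" & y & "')", Request.Cookies(x)(y))
        Next
    Else
        variables = variables & Row(x, Request.Cookies(x))
    End If
Next

' HTTP_USER_AGENT, HTTP_REFERER, HTTP_COOKIE and the other HTTP_* entries echo
' request headers, so this section is client-controlled as well.
variables = variables & "<h3>Server.Variables</h3>"
For Each x In Request.ServerVariables
    variables = variables & Row(x, Request.ServerVariables(x))
Next

Response.Write variables
%>
```

The `<h3>` headings stay as literals because they are constants in the page, not request data; everything that originates from the request passes through `Server.HTMLEncode` before it is concatenated into the HTML.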