What security concerns should I have with ASP?

The servers are generally quite secure, we keep up to date on security patches, and they are clean, ie: they only run the services that are required for IIS and only contain customer websites. Non-essential services are shut off and we lock down the filesystem permissions.

On your web site, you should mostly worry about any data that is entered by the public. Usually external data arrives in the form of:

- Forms
- QueryStrings
- Uploads

Forms and querystring values should be checked for length and valid characters. Generally disallow anything but the printable ASCII set and CR and LF characters where appropriate. Numeric data should be subject to bounds checking for both minimum and maximum values.

File uploads should be checked for size and you should never use the supplied filename from the client browser. Your script should enforce the maximum file size and should generate a file name (including extension). You should also use a predetermined path to the writable folder.

Watch for arrays that can grow dynamically based on user input. Put a maximum size on them.

Keep your databases in the /database folder so no one can download them. FP and InterDev usually set these permissions if they live elsewhere in the directory tree, but if you have any not in /database, double check with a browser and try a URL like:


Where the URL is the exact path to your .MDB file. If the browser downloads your MDB to your workstation, you are in trouble. If this is the case, let us know and we will fix the permissions so ODBC works, but anonymous HTTP downloads do not.

In your forms, you can use Javascript to validate user input, but double check any received data in your ASP scripts back on the server. Never trust the client browser. A malicious user could use a simple COM component and perform a POST to your form handler with whatever data they like which will completely bypass the Javascript validation on your form. Javascript is convenient for first level data validation, and you can perform advanced local validation with it, but when your back end script receives the data, do the validation all over again on the server just in case.

Add Feedback