From Syhunt Web Application Security Docs

Vulnerable: Vulnerable ASP Code

This page features a few common examples of vulnerable classic ASP & ASP.NET code that Syhunt can find and ASP scanning capabilities that are available in the product.

Table of contents

Intelligent ASP Scanning

False Positive Examples

Syhunt comes with advanced engine able to avoid triggering false positive results. Example - this vulnerability will not be reported:

 
<%@ Page Language="C#"%>
<%
// This was a XSS vulnerability. I commented it out
// Response.Write(Request.QueryString["name"]);
/* 
Response.Write(Request.QueryString["name"]);
*/
%>
 

The code above is not vulnerable anymore since it has been commented out. Syhunt scan results for this example code will consequently reveal no flaws:

No vulnerabilities found.

XSS

See: Cross-Site Scripting (XSS)

Examples

These are very basic XSS examples.

ASP.NET/Classic ASP

 
<%
Response.Write(Request.Form["name"]);
Response.Write(Request.QueryString["name"]);
%>
 

Syhunt scan results for this example code:

Found: 3 vulnerabilities
In /xss.aspx (source code, locally), on line 2:
  Possible XSS Vulnerability
In /xss.aspx (source code, locally), on line 3:
  Possible XSS Vulnerability

ASP.NET

 
<%@ Page Language="C#"%>
<script runat="server">
void SubmitBtn _Click(object sender, EventArgs e) { 
Response.Write(InputText.Text);
}
</script>
<html>
<body>
<form id="form1" runat="server">
<asp:TextBox ID="InputText" Runat="server" TextMode="MultiLine" Width="300px" Height="150px"> 
</asp:TextBox>
<asp:Button ID="SubmitBtn" Runat="server" Text="Submit" OnClick="SubmitBtn _Click"/> 
</form>
</body>
</html>
 

Syhunt scan results for this example code:

Found: 1 vulnerability
In /xss_runatsrv.aspx (source code, locally), on line 4:
  Possible XSS Vulnerability

File Inclusion Detection

See: File Inclusion

Example

 
<%
Server.Execute(Request.QueryString["file"])
%>
 

Syhunt scan results for this example code:

Found: 1 vulnerability
In /fi_basic.aspx (source code, locally), on line 2:
  Possible File Inclusion Vulnerability

SQL Injection Detection

See: SQL Injection

Example

 
<%@Page Language="C#"%>
<%@ Import NameSpace="System.Data" %>
<%@ Import NameSpace="System.Data.SqlClient" %>
<%
// Dynamic SQL
SqlDataAdapter myCommand = new SqlDataAdapter("SELECT au_lname, au_fname FROM authors WHERE au_id = '" + Request.QueryString["SSN"] + "'", myConnection);
// Stored Procedure
SqlDataAdapter myCommand = new SqlDataAdapter("LoginStoredProcedure '" + Request.QueryString["SSN"] + "'", myConnection);
%>
 

Syhunt scan results for this example code:

Found: 1 vulnerability
In /sqli_ms.aspx (source code, locally), on lines 6,8:
  Possible SQL Injection Vulnerability

Additional Vulnerability Classes & Variants

While Syhunt contains checks for many vulnerability variants, this page doesn't cover them all. In addition to the vulnerability classes covered in this page, Syhunt detects HTTP Response Splitting, remote command execution and arbitrary file manipulation issues.

Retrieved from http://www.syhunt.com/docwiki/index.php?n=Vulnerable.ASP
Page last modified on November 28, 2012, at 10:52 AM