Home > ASP.NET Articles

Improving ASP and ASP.NET Website Security - Part One

Ideas for improving the security of ASP and ASP.NET web applications.

Suppress Server Errors

Hackers and other people with dubious intentions are always on the lookout for websites that display technical error messages. ASP or ASP.NET error messages are often useful to such people. In some cases the hackers can actually think of ways of causing the error messages to appear, such as by playing around with the parameters in the query string.

There have also been instances of hackers looking for certain error messages that indicate known vulnerabilities by looking for specific terms on search engines, such as Google. Therefore, suppressing error messages is an extremely important tool in helping to avoid drawing the attentions of malicious users.

Thankfully, suppressing errors on Microsoft based web servers is very straightforward. In ASP it can be achieved by ensuring that pages use the On Error Resume Next directive. Do not forget that this directive should also be used within each subroutine in the Global.asa, if you are using one. The most common source of ASP errors on live websites are database or filesystem errors. Your application should always check for these, for example by checking the Errors collection of the ADODB Connection object to ensure a database connection has been successful.

IIS also has a setting that allows a website's errors to be replaced with an operator-supplied generic message.

In ASP.NET, application errors can be suppressed by altering the customErrors setting within the application's web.config file. By default, the .NET Framework usually hides the specific details application errors unless the website is being viewed on the local machine.

Do not use .inc as default makes it readable in browser

When using ASP include files, it is usually better to use the .asp file extension rather than .inc. This is because many IIS web servers do not recognize that the .inc files contain ASP content. Although it is possible to associate files with .inc file extensions with the ASP interpreter via the Application Mappings settings within IIS, not many websites are configured to do this.

If IIS is not aware of .inc files containing ASP, then HTTP requests for them will be returned to the client as plain text. This does of course mean that the source code in the file will be viewable by anyone. This is a particular hazard if there is sensitive data contained within them, such as passwords or database connection strings.

Although it is possible that your .inc files may go unnoticed, there are several methods by which they may get discovered.

A malicious user may come across them if they are in a sub-folder with a guessable name (such as "includes") and the folder has directory browsing switched on. Turning off directory browsing will help alleviate this issue.

An ASP error on a page using the include file will show the path to the include file if the error was encountered in that include file. Turning off ASP errors will avoid this issue.

The other advantage of this is that file editors, such as Visual InterDev, will automatically recognize the file as containing ASP code and will syntax highlight and color code the source code appropriately.

Do not rely on HTTP_REFERER Server Variable

The HTTP_REFERER server variable records the URL of the page the user's browser visited before the current page. As such, it is sometimes used to check that a form was submitted from the correct form and that the submission did not originate from elsewhere.

While this is a useful technique to guard against automated form submissions, there are, however, a number of issues with using the HTTP_REFERER server variable.

Some proxy servers and content filtering services mask the value of the HTTP_REFERER or even strip it out altogether before the request arrives at the destination server.

An increasing number of Internet web robots are being used with a fake value for the HTTP_REFERER server variable.

The HTTP_REFERER server variable can be easily faked by many of the tools used to create automated web-crawling robots and form submission utilities.

Consequently, there are disadvantages to using the HTTP_REFERER server variable to increase the security of web applications. Alternative strategies to securing forms would be to include using a graphical sequence of characters that a user has to type into the form before submission (i.e. a Captcha, see http://www.captcha.net/), or to include certain dynamically-generated, hidden fields within the form that must also be present when the form is submitted.

Useful Development Tools

ASP Documentation Tool™

Automatically creates developer documentation for ASP 2.0 and 3.0 web applications written in VBScript and JScript. Documentation for Microsoft Access, SQL Server 7/2000 databases and Visual Basic 6.0 components associated with the web application can also be incorporated into the reports. Documentation is created in HTML, HTML Help and plain text formats.

View Sample Output (HTML Help format).     View Sample Output (HTML Format).     Download Trial Version (5.2Mb ZIP file).

.NET Documentation Tool

Automatically creates technical documentation for .NET Framework Windows and ASP.NET applications written in C# or VB.NET and SQL Server 7/2000/2005 or Microsoft Access databases associated with the application. Documentation is created in HTML, HTML Help and plain text formats.

View Sample Output (HTML Help format).     View Sample Output (HTML Format).     Download Trial Version (5Mb ZIP file).

SQL Documentation Tool

The SQL Documentation Tool creates technical documentation for Microsoft SQL Server 7.0 and 2000 databases. Technical documentation is created in HTML and HTML Help formats. The HTML Help format documentation is fully searchable and cross referenced. The SQL Documentation Tool documents SQL Server Tables, Views, Stored Procedures, Triggers and Table Relationships.

View Sample Output (HTML Help format).     View Sample Output (HTML Format).     Download Trial Version (10.3Mb ZIP file).

VB Documentation Tool

The VB Documentation Tool creates technical documentation for Microsoft Visual Basic 6.0 projects. Technical documentation is created in HTML and HTML Help formats. The HTML Help format documentation is fully searchable and cross referenced.

View Sample Output (HTML Help format).     View Sample Output (HTML Format).     Download Trial Version (1Mb ZIP file).

Indexing Service Companion

The Indexing Service Companion is a Windows application that extends the functionality of the Microsoft Windows Indexing Service so that it is able to index content from remote websites and also from ODBC databases. As such it can be used as a low cost alternative to Sharepoint Portal Search Services.

Try Sample Search Facility.     Download Trial Version (1.7Mb ZIP file).

The Website Utility

The Website Utility examines websites for errors and areas that need to be optimised for search engines by using a built in web crawling engine. Errors checked for include broken or moved hyperlinks, missing page titles and missing meta tags. It also generates HTML for use in creating website site maps (table of contents pages - like this one), and is able to create both client-side JavaScript Search Engines and server-side ASP Search Engines for a website.

View Sample Output (HTML Format).     Download Trial Version (3Mb ZIP file).

PHP Documentation Tool™

Automatically creates developer documentation for PHP web applications. Documentation is created in HTML, HTML Help and plain text formats.

View Sample Output (HTML Help format).     View Sample Output (HTML Format).     Download Trial Version (1.0Mb ZIP file).